Description
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.27.0 of the GeoServer DB2 DataStore Extension, an administrator can perform a JNDI attack through specially crafted DB2 jdbc url leading to to Remote Code Execution (RCE). Version 2.27.0 fixes the issue.
Published: 2026-06-18
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GeoServer’s DB2 DataStore Extension allows an administrator to craft a DB2 JDBC URL that triggers JNDI processing, leading to remote code execution. This flaw represents a deserialization weakness and an injection flaw, for which the CWE identifiers are 502 and 74. The impact is that an attacker who can influence the URL used by the server could execute arbitrary code on the host system, compromising confidentiality, integrity, and availability of the affected GeoServer service.

Affected Systems

The affected product is the GeoServer DB2 DataStore Extension, labeled as org.geoserver.extension:gs-db2. All releases prior to version 2.27.0 are vulnerable; GeoServer version 2.27.0 and later contain the fix.

Risk and Exploitability

The CVSS score of 7.2 marks this as a high‑severity vulnerability, though the EPSS score is not available, indicating the exploitation likelihood is not quantified. Because the exploit requires a specially crafted JDBC URL and administrative access, the practical attack vector is limited to users who have permission to configure or alter the DataStore settings. The vulnerability is not listed in the CISA KEV catalog, so no publicly known exploits have been confirmed as of the last advisory.

Generated by OpenCVE AI on June 18, 2026 at 17:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GeoServer to version 2.27.0 or later, which contains the JNDI fix
  • Re‑validate or sanitize all DB2 JDBC URLs to ensure they do not contain untrusted JNDI references
  • If immediate upgrade is not possible, disable JNDI lookups in the DB2 JDBC driver configuration to block the vulnerable functionality

Generated by OpenCVE AI on June 18, 2026 at 17:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-g628-r368-6vh7 GeoServer DB2 DataStore Extension has a JNDI Vulnerability via Store Connection
History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Geoserver
Geoserver geoserver
Vendors & Products Geoserver
Geoserver geoserver

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.27.0 of the GeoServer DB2 DataStore Extension, an administrator can perform a JNDI attack through specially crafted DB2 jdbc url leading to to Remote Code Execution (RCE). Version 2.27.0 fixes the issue.
Title GeoServer DB2 DataStore Extension has a JNDI Vulnerability via Store Connection
Weaknesses CWE-502
CWE-74
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Subscriptions

Geoserver Geoserver
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T03:56:02.624Z

Reserved: 2025-02-26T18:11:52.306Z

Link: CVE-2025-27511

cve-icon Vulnrichment

Updated: 2026-06-18T15:57:06.841Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:56:02Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data

  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')