GeoServer is an open-source map server under OSGeo, playing a core role in WebGIS systems for spatial data publishing and OGC standard services. Whether it is classic services like WMS, WFS, WCS, or integration with data sources such as PostGIS, Shapefile, and GeoTIFF, GeoServer remains a common choice in many domestic government, land, emergency, and other industry projects.

On May 27, 2026, the GeoServer team officially released the 2.28.4 maintenance version. Based on the official Release Notes, this update focuses on security fixes and operational improvements. If you are using the features-templating extension, LDAP authentication, or disk quota management, this version deserves priority attention. It is recommended that production environments still running on the 2.28 branch evaluate and upgrade as soon as possible.
Feature Updates
- Ability to disable specific OGC service versions on demand: Administrators can now disable outdated versions of OGC protocols, providing more flexibility when meeting compliance requirements (e.g., classified protection) or reducing the attack surface for legacy clients.
- Enhanced disk quota configuration panel: In JDBC storage scenarios, JDBCConfiguration.schema can be configured directly through the web administration interface, eliminating the need to manually edit configuration files. This is suitable for deployments where tile caches are stored in databases.
- LDAP TLS connection pool hostname support: When enterprise directory services use TLS with connection pooling, hostname validation and pooling behavior are more robust, contributing to stable login in unified authentication environments.
- JWT Header component naming adjustment
Bug Fixes
- Fixed XXE vulnerability in the features-templating extension: Corresponds to CVE-2025-23043, an XML external entity injection security issue. If the features-templating extension is enabled in production, it is recommended to treat this as high priority and apply the patch as soon as possible.
- Fixed JSON output issue for DescribeFeatureType: When a feature type contains only a single option restriction, the JSON format description would not render correctly.
- Fixed styles not persisted after workspace restoration: After restoring a workspace from a backup, style resources were sometimes not written back to disk.
- Fixed pagination count error in workspace management: The total count in the workspace administrator list was inaccurate when security filtering was enabled.
Summary
GeoServer 2.28.4 introduces no major new features, focusing primarily on security and routine operations. The XXE vulnerability patch, OGC version control, disk quota improvements, and LDAP refinements are all practical updates. For nodes still running early minor versions of 2.28 and providing WFS or templating services, it is recommended to perform regression testing based on your extension list and then schedule the upgrade.
If you know of better open-source map servers or have GeoServer deployment experience to share, feel free to leave a comment.