MalaGIS

Sharing GIS Technologies, Resources and News.

GeoServer is one of the most established and widely used map servers in the open-source GIS domain, serving OGC standard services such as WMS, WFS, and WCS. In China, many government "one-map" platforms, land survey systems, emergency command projects, and classic WebGIS stacks like PostGIS + OpenLayers often rely on it. On June 11, 2026, the GeoServer team officially released version 3.0.0 – the first major version upgrade in years since the 2.x era.

This release is not just a patch-up; it brings a brand-new administration interface, modular architecture adjustments, and a range of new capabilities aimed at cloud-native data formats. If you are planning an upgrade or technology selection, we recommend a careful evaluation.

PS: Major version upgrades usually involve extension migration and configuration changes. In production environments, be sure to run a full regression test on a staging node, paying special attention to custom extensions, security authentication, and tile caching configurations.

Feature Updates

Key feature updates include:

1. Completely Revamped Administration Interface: GeoServer 3 has systematically refreshed the UI and UX of the web administration console. Layer previews are now upgraded to OpenLayers 10.8.0 with full-screen mode, keywords are displayed in table format, and the file browser supports keyboard navigation, among other improvements.
2. OIDC Authentication Promoted to Official Extension: Integration with OAuth2 for enterprise unified identity authentication and single sign-on scenarios is now more mature.
3. New DuckDB Data Source Extension: Allows fast mounting of DuckDB data for local analysis, lightweight data warehousing, or Parquet-oriented workflows.
4. Added PNG-WIND Output Format for Wind Data: Designed for visualization scenarios in meteorology, oceanography, or renewable wind energy.
5. Enhanced OGC API Processes: Supports envelope-type input/output, multi-part raw responses, paginated queries, Echo processes, and improved binary input/output, aligning more with modern API practices.
6. Extended REST Interface: Supports uploading a single Parquet file via REST, injecting vector datasets into VectorMosaic, and adds REST management support for coordinate reference systems. The GeoParquet scenario also includes configuration UI and documentation for AWS credential chain authentication.
7. Architecture and Module Slimming: WMS service is decoupled from WFS; H2 extension and related references in GWC are removed; modules such as KML, WCS 1.0, and WCS 1.1 are now adjusted to extensions or plugins, and formats like arcgrid and worldimage are also loaded as plugins, allowing on-demand reduction of deployment package size.

Bug Fixes

Additionally, version 3.0 fixes many bugs from previous 2.x releases, with security vulnerabilities being the most critical.

1. Fixed XXE Vulnerability in features-templating Extension: Corresponds to CVE-2025-23043, an XML external entity injection security issue. If the features-templating extension is enabled in production, we recommend treating this as a high-priority fix.
2. Fixed WFS Large XML POST Request Failures: When XML POST request bodies exceeded 8kB, WFS requests would abnormally terminate; this is fixed in 3.0.0.
3. Fixed Jetty 12 and CORS Configuration Incompatibility: After upgrading to Jetty 12, CORS configurations in web.xml no longer take effect; cross-origin settings must be adjusted according to the new version's approach.
4. Fixed OGC API and Security REST Conflict: The ogcapi plugin caused WFS output formats to be unavailable and broke the security REST API; this release resolves both issues.
5. Fixed KMZ Export Icon Reference Issue: KMZ exports no longer incorrectly reference remote icon URLs; icons are now properly embedded in the compressed package.
6. Fixed WMS Layer REST PUT Returning 500: The update failure caused by getRemoteStyleInfos returning an empty collection has been resolved.
7. Additional Operational Fixes: Also addressed are issues such as style loss after workspace recovery, STAC search parameter errors, SecureRandom startup failures in FIPS environments, as well as cluster homepage pop-ups, legend previews, and vertical profile elevation calculations.

Summary

GeoServer 2.0 was officially released in October 2009, and the 2.x series has since evolved all the way to 2.28.x, supporting open-source WebGIS for nearly seventeen years – truly a workhorse version in the open-source GIS world. During this period, numerous domestic projects like government "one-map", the Third National Land Survey, and emergency "one-map" systems were built and maintained on the 2.x branch. This 3.0 release is a transformative upgrade: a more modern interface, clearer module boundaries, and better support for emerging GIS data and service formats such as Parquet, DuckDB, and OGC API Processes.

For nodes that have been running on the 2.27 or 2.28 branches for a long time and rely on the H2 extension or legacy Jetty CORS configurations, it is necessary to review the extension list and deployment scripts item by item before upgrading. If your business primarily uses classic WMS tile services and does not yet need the new features, you may continue to run stably on the 2.28 maintenance branch and plan the migration later.