Is mapfish-print affected by CVE-2026-27830 (c3p0 RCE)? Patch plans for 3.33.x?

[sofferm]

Hi,

I would like to ask whether mapfish-print is affected by CVE-2026-27830 related to c3p0.

According to the following write-up, certain c3p0 configurations may allow remote code execution:
https://mogwailabs.de/en/blog/2025/02/c3p0-you-little-rascal/

From my understanding, the exploit involves unsafe deserialization in c3p0. Since mapfish-print processes user-controlled print requests, I would like to clarify:

1. Is mapfish-print exploitable via CVE-2026-27830 in any supported configuration?
2. Are there specific configuration constraints that prevent exploitation?
3. If affected, are patch releases planned for older releases, particularly 3.33.7?

I noticed that the c3p0 dependency has already been updated on master via:
#4027

It would be helpful to understand:

• Whether upgrading to a newer minor/major release is required
• Or whether a backport to 3.33.x is planned

Thank you for your work and clarification.

Best regards
Stefan

[sbrunner]

The version 3.33 is patched: #4033
To have security enhanced version it's better to use x.y version raster than x.y.z.