Skip to content

Question: Is mapfish-print affected by CVE-2026-27830 (c3p0 RCE)? Patch plans for 3.33.x? #4049

New issue
New issue
Closed
Closed
Question: Is mapfish-print affected by CVE-2026-27830 (c3p0 RCE)? Patch plans for 3.33.x?#4049
@sofferm

Description

@sofferm
sofferm
opened on Mar 2, 2026

Hi,

I would like to ask whether mapfish-print is affected by CVE-2026-27830 related to c3p0.

According to the following write-up, certain c3p0 configurations may allow remote code execution:
https://mogwailabs.de/en/blog/2025/02/c3p0-you-little-rascal/

From my understanding, the exploit involves unsafe deserialization in c3p0. Since mapfish-print processes user-controlled print requests, I would like to clarify:

  1. Is mapfish-print exploitable via CVE-2026-27830 in any supported configuration?
  2. Are there specific configuration constraints that prevent exploitation?
  3. If affected, are patch releases planned for older releases, particularly 3.33.7?

I noticed that the c3p0 dependency has already been updated on master via:
#4027

It would be helpful to understand:

  • Whether upgrading to a newer minor/major release is required
  • Or whether a backport to 3.33.x is planned

Thank you for your work and clarification.

Best regards
Stefan

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions