HarborGuard / CVE
Back to search
CRITICALCVE-2026-44672Published Modified CNA GitHub_M

CVE-2026-44672: mapfish-print: Remote Code Injection (RCE) in Dynamic table

mapfish-print is a component of MapFish for printing templated cartographic maps. From 3.23.0 to before 3.28.28, 3.30.30, 3.31.22, 3.33.14, and 4.0.3, the attacker can execute arbitrary code in Dynamic table without being authenticated. This vulnerability is fixed in 3.28.28, 3.30.30, 3.31.22, 3.33.14, and 4.0.3.

HarborGuard Analysis

HarborGuard analysis

Synopsis

Remote code execution (RCE) vulnerability in mapfish-print, a cartographic map-printing component of the MapFish framework. The flaw is reachable over the network with no authentication required, through the Dynamic table feature, and allows an attacker to execute arbitrary code on the host running the affected service. Patched versions (3.28.28, 3.30.30, 3.31.22, 3.33.14, and 4.0.3) have been published, and patched-image rebuilds are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle mapfish-print directly. Coverage spans all four affected package coordinates (mapfish/mapfish-print, camptocamp/mapfish_print, org.mapfish/print.print-lib, and org.mapfish/print.print-servlet).

Available
Triage

HarborGuard scores this finding at CVSS 9.3 Critical (v4.0) and weights it against each environment's compliance policy to determine breach-threshold severity. Findings that cross a customer's defined threshold are routed automatically to the appropriate team inbox for that organization.

Available
Patch

Patched-image rebuilds at the upstream fix versions (3.28.28, 3.30.30, 3.31.22, 3.33.14, or 4.0.3, depending on the installed branch) are available on HarborGuard for any environment running an affected release. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against the affected workload automatically.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The vulnerable endpoint is exposed over the network; an attacker must be able to reach the mapfish-print service via HTTP/HTTPS to trigger the flaw.

  • AuthenticationNot required

    No account or credential of any privilege level is needed; the Dynamic table code-injection path is fully unauthenticated.

  • Victim interactionNot required

    The attacker sends a crafted request directly to the service; no user action or social engineering is involved.

  • Attack complexityDetail

    Exploit reliability is high and condition-free: no race conditions, special memory layout, or environmental prerequisites are required (AC:L, AT:N).

Blast Radius

  • Attacker executes arbitrary code in the context of the mapfish-print service process, gaining the same OS-level permissions as that process.
  • All data accessible to the service process (map templates, print job data, local filesystem paths) is readable by the attacker.
  • The attacker can write or modify files and configuration accessible to the process, potentially corrupting print output or planting persistent payloads.
  • The service itself can be crashed or monopolized, denying legitimate map-printing functionality to dependent applications.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of ingestion for any image containing an affected mapfish-print coordinate across all four package namespaces. Because upstream fix versions are published, patched-image rebuilds are available immediately for environments pinned to an affected release branch. For customers who opt into auto-remediation, HarborGuard targets a median time from CVE publication to merged patch PR of around 90 minutes for Critical-severity issues: the image is rebuilt at the appropriate fix version, a regression run is executed, and a PR is opened against affected workloads. Where compliance policy requires manual approval, the rebuilt image and test results are staged and surfaced in the findings dashboard pending sign-off. Given the unauthenticated, network-reachable nature of this RCE, customers who cannot immediately upgrade are advised to apply network-policy isolation to restrict inbound access to mapfish-print endpoints to trusted source addresses only until a patched image is deployed.

See how HarborGuard automates this

Metrics

CVSS v4.0
9.3
Severity
CRITICAL
Fixed in
Affected Products
4
Affected packages
  • mapfish / mapfish-print
    >= 3.23.0, < 3.28.28 · >= 3.29.0, < 3.30.30 · >= 3.31.0, < 3.31.21 · >= 3.32.0, < 3.33.14 · >= 3.34.0, < 4.0.3
  • camptocamp / mapfish_print
    >= 3.23.0, < 3.28.28 · >= 3.29.0, < 3.30.30 · >= 3.31.0, < 3.31.21 · >= 3.32.0, < 3.33.14 · >= 3.34.0, < 4.0.3
  • org.mapfish / print.print-lib
    >= 3.23.0, < 3.28.28 · >= 3.29.0, < 3.30.30 · >= 3.31.0, < 3.31.21 · >= 3.32.0, < 3.33.14 · >= 3.34.0, < 4.0.3
  • org.mapfish / print.print-servlet
    >= 3.23.0, < 3.28.28 · >= 3.29.0, < 3.30.30 · >= 3.31.0, < 3.31.21 · >= 3.32.0, < 3.33.14 · >= 3.34.0, < 4.0.3
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References