Security Advisory - Published 2026-06-16 - Metacat Data Repository

Metacat CVE-2026-48114: check 2.x deployments and old harvester exposure

CVE-2026-48114 affects Metacat 2.x deployments through 2.19.1. The project advisory points to an unauthenticated SQL injection in the legacy harvester registration path. Metacat 3.0.0 and newer removed the affected package, so the practical fix is an upgrade to a supported 3.x release.

Defensive scope: this page is for repository operators and approved incident responders. It does not publish SQL payloads, endpoint request examples, or unauthorized database testing steps.

Who is affected

ProductMetacat Java Servlet application
CVECVE-2026-48114
Affected versionsMetacat 2.x through 2.19.1
Patched versionsMetacat 3.0.0 or newer; the advisory recommends a current supported 3.x release
Main review areaLegacy 1.x API servlet exposure, PostgreSQL activity, repository records, and authentication/session data

Version and servlet check

  • Record the Metacat version from the deployed WAR, package metadata, admin page, or deployment notes.
  • Check Tomcat or application configuration for legacy harvester, data provider, and harvester registration servlet mappings.
  • Confirm whether those paths are reachable from the public internet, partner networks, or shared research networks.
  • Preserve the current `web.xml`, reverse proxy config, and deployment timestamp before making changes.

PostgreSQL and application review

rg -n "harvester|harvesterRegistration|HARVEST_SITE_SCHEDULE|SQLException|syntax error|Statement" logs/ 2>nul
rg -n "harvester|dataProvider|HarvesterServlet|HarvesterRegistration" conf/ webapps/ 2>nul

A clean review has no unexpected harvester registration activity, no PostgreSQL errors tied to public requests, no unfamiliar repository records, and no changes to database users, application credentials, session storage, or repository metadata that cannot be tied to approved work.

What to preserve before cleanup

  • Tomcat, Apache, Nginx, load balancer, and application logs covering the disclosure window.
  • PostgreSQL logs and audit records if query logging or database auditing is enabled.
  • Deployment manifests, WAR checksums, container image digests, and config files.
  • Recent changes to repository metadata, user accounts, session tables, and scheduled jobs.

Safe fix path

  1. Plan an upgrade to Metacat 3.x, preferably the current supported release, instead of trying to keep a vulnerable 2.x branch online.
  2. If immediate upgrade is blocked, restrict or disable legacy harvester and related 1.x API servlet exposure at the application and reverse-proxy layer.
  3. Limit public access while the review is open, especially for deployments that contain sensitive research metadata or credentials.
  4. Rotate database and application credentials if logs show suspicious requests or if SQL activity cannot be explained.
  5. After upgrade, verify repository search, metadata submission, authentication, scheduled jobs, and partner integrations.

When to request repair help

Use Ping7 CVE Repair if Metacat 2.x is still public, legacy servlet exposure is unclear, PostgreSQL logs show suspicious errors, or repository records changed unexpectedly. Include the Metacat version, servlet container, database type, public URL scope, and first suspicious timestamp.

References