Security Advisory - Published 2026-06-16 - Metacat Data Repository
Metacat CVE-2026-48114: check 2.x deployments and old harvester exposure
CVE-2026-48114 affects Metacat 2.x deployments through 2.19.1. The project advisory points to an unauthenticated SQL injection in the legacy harvester registration path. Metacat 3.0.0 and newer removed the affected package, so the practical fix is an upgrade to a supported 3.x release.
Who is affected
| Product | Metacat Java Servlet application |
|---|---|
| CVE | CVE-2026-48114 |
| Affected versions | Metacat 2.x through 2.19.1 |
| Patched versions | Metacat 3.0.0 or newer; the advisory recommends a current supported 3.x release |
| Main review area | Legacy 1.x API servlet exposure, PostgreSQL activity, repository records, and authentication/session data |
Version and servlet check
- Record the Metacat version from the deployed WAR, package metadata, admin page, or deployment notes.
- Check Tomcat or application configuration for legacy harvester, data provider, and harvester registration servlet mappings.
- Confirm whether those paths are reachable from the public internet, partner networks, or shared research networks.
- Preserve the current `web.xml`, reverse proxy config, and deployment timestamp before making changes.
PostgreSQL and application review
rg -n "harvester|harvesterRegistration|HARVEST_SITE_SCHEDULE|SQLException|syntax error|Statement" logs/ 2>nul
rg -n "harvester|dataProvider|HarvesterServlet|HarvesterRegistration" conf/ webapps/ 2>nul A clean review has no unexpected harvester registration activity, no PostgreSQL errors tied to public requests, no unfamiliar repository records, and no changes to database users, application credentials, session storage, or repository metadata that cannot be tied to approved work.
What to preserve before cleanup
- Tomcat, Apache, Nginx, load balancer, and application logs covering the disclosure window.
- PostgreSQL logs and audit records if query logging or database auditing is enabled.
- Deployment manifests, WAR checksums, container image digests, and config files.
- Recent changes to repository metadata, user accounts, session tables, and scheduled jobs.
Safe fix path
- Plan an upgrade to Metacat 3.x, preferably the current supported release, instead of trying to keep a vulnerable 2.x branch online.
- If immediate upgrade is blocked, restrict or disable legacy harvester and related 1.x API servlet exposure at the application and reverse-proxy layer.
- Limit public access while the review is open, especially for deployments that contain sensitive research metadata or credentials.
- Rotate database and application credentials if logs show suspicious requests or if SQL activity cannot be explained.
- After upgrade, verify repository search, metadata submission, authentication, scheduled jobs, and partner integrations.
When to request repair help
Use Ping7 CVE Repair if Metacat 2.x is still public, legacy servlet exposure is unclear, PostgreSQL logs show suspicious errors, or repository records changed unexpectedly. Include the Metacat version, servlet container, database type, public URL scope, and first suspicious timestamp.