REST API returns 404 for non-admin users on workspace/layer endpoints since 2.25.6

Summary

Non-admin authenticated users with a custom read role receive a 404 “No such workspace found” response when accessing workspace or layer endpoints via the REST API. The same request succeeds with admin credentials. This regression was introduced in GeoServer 2.25.6 and is present in all subsequent versions tested.

Environment

  • GeoServer versions tested: 2.25.2, 2.25.5, 2.25.6, 2.25.7, 2.26.4, 2.27.1, 2.27.2, 2.28.2

  • Deployment: Docker (docker.osgeo.org/geoserver)

  • Authentication: Local XML-based user/group service (default)

  • Java: 17

Steps to Reproduce

Security configuration

security/layers.properties:

mode=HIDE
*.*.r=*
simcelt.*.r=Read,ROLE_AUTHENTICATED,GROUP_ADMIN,ADMIN

security/rest.properties:

/**;GET=Read
/**;POST,DELETE,PUT=ADMIN

security/role/default/roles.xml (relevant excerpt):

<roleList>
    <role id="ADMIN"/>
    <role id="Read"/>
</roleList>
<userList>
    <userRoles username="marin2">
        <roleRef roleID="Read"/>
    </userRoles>
</userList>

Test request

curl -u marin2:<password> http://localhost:8080/geoserver/rest/workspaces/simcelt.json

Expected Result

HTTP 200 with workspace details, since:

  • marin2 is authenticated with the Read role

  • rest.properties grants GET access to the Read role

  • layers.properties grants read access to the Read role on the simcelt workspace

  • *.*.r=* grants global read access to all users
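As an added illustration (not part of this report and not GeoServer code), the following Python script parses the two rule files quoted above, predicts the status each request should receive under the reading of the rules given in this report, and labels an observed status against that prediction so the regression shows up as a mismatch. The rule semantics are a simplified assumption rather than GeoServer's implementation: the most specific layers.properties rule wins, a `*` in a role list matches anyone, rest.properties rules are matched in file order with Ant-style `**`, and users holding a role in the assumed ADMIN_ROLES set bypass both rule sets. All helper names are the example's own.

```python
"""Added example, not from this report or from GeoServer: evaluate the quoted
security rules, predict the status a request should get, and label an
observed status. Rule semantics are a simplified assumption (see lead-in)."""

import re

# Constructed copies of the two rule files quoted in the report.
LAYERS_PROPERTIES = """\
mode=HIDE
*.*.r=*
simcelt.*.r=Read,ROLE_AUTHENTICATED,GROUP_ADMIN,ADMIN
"""

REST_PROPERTIES = """\
/**;GET=Read
/**;POST,DELETE,PUT=ADMIN
"""

# Assumption: users holding one of these roles bypass both rule sets
# (the report observes that admin credentials always get 200).
ADMIN_ROLES = {"ADMIN", "ROLE_ADMINISTRATOR"}


def parse_layer_rules(text):
    """Return (mode, rules); each rule is (workspace, layer, access, roles)."""
    mode, rules = "HIDE", []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key == "mode":
            mode = value.strip()
            continue
        workspace, layer, access = key.split(".")
        roles = {r.strip() for r in value.split(",") if r.strip()}
        rules.append((workspace, layer, access, roles))
    return mode, rules


def parse_rest_rules(text):
    """Return a list of (ant_path_pattern, methods, roles) in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        lhs, _, value = line.partition("=")
        path, _, methods = lhs.partition(";")
        rules.append((path,
                      {m.strip() for m in methods.split(",") if m.strip()},
                      {r.strip() for r in value.split(",") if r.strip()}))
    return rules


def _roles_match(required, user_roles):
    """'*' in a rule's role list grants everyone; otherwise any overlap."""
    return "*" in required or bool(required & user_roles)


def _ant_to_regex(pattern):
    """Translate an Ant-style path pattern ('**' spans '/', '*' does not)."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile(out + "$")


def layer_read_allowed(rules, user_roles, workspace, layer="*"):
    """Most specific matching read ('r') rule decides; no match means denied."""
    best = None
    for ws, ly, access, roles in rules:
        if access != "r" or ws not in ("*", workspace) or ly not in ("*", layer):
            continue
        spec = (ws != "*") + (ly != "*")
        if best is None or spec > best[0]:
            best = (spec, roles)
    return best is not None and _roles_match(best[1], user_roles)


def rest_allowed(rules, user_roles, method, path):
    """First rest.properties rule matching both path and method decides."""
    for pattern, methods, roles in rules:
        if method in methods and _ant_to_regex(pattern).match(path):
            return _roles_match(roles, user_roles)
    return False


def expected_status(mode, layer_rules, rest_rules, user_roles, method, path, workspace):
    """Predicted HTTP status for a REST request on a workspace under these rules."""
    if user_roles & ADMIN_ROLES:
        return 200
    if not rest_allowed(rest_rules, user_roles, method, path):
        return 403
    if layer_read_allowed(layer_rules, user_roles, workspace):
        return 200
    return 404 if mode == "HIDE" else 403   # HIDE reports denied resources as absent


def classify(expected, observed):
    """Label an observed status against the prediction."""
    if expected == observed:
        return "ok"
    if expected == 200 and observed == 404:
        return "regression: permitted resource hidden as non-existent"
    return "mismatch"


if __name__ == "__main__":
    mode, layer_rules = parse_layer_rules(LAYERS_PROPERTIES)
    rest_rules = parse_rest_rules(REST_PROPERTIES)
    path = "/workspaces/simcelt.json"   # path relative to /geoserver/rest
    # Observed values are the ones this report gives for 2.25.6 and later.
    for user, roles, observed in [("marin2", {"Read"}, 404), ("admin", {"ADMIN"}, 200)]:
        exp = expected_status(mode, layer_rules, rest_rules, roles, "GET", path, "simcelt")
        print(f"{user}: expected {exp}, observed {observed} -> {classify(exp, observed)}")
```

Running the script with the report's observed statuses prints `ok` for the admin request and a `regression` label for marin2, which is the discrepancy the Actual Result section describes. The same evaluator can be pointed at other workspaces or role sets to state, before testing a new release, which requests ought to return 200, 403 or 404.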

Actual Result

HTTP 404 - No such workspace: 'simcelt' found

The same request with admin credentials returns HTTP 200 with the expected workspace details.

Version Matrix

Version   Result   Notes
2.25.2    200 OK   Works correctly
2.25.5    200 OK   Works correctly
2.25.6    404      First broken version
2.25.7    404      Broken
2.26.4    404      Broken
2.27.1    404      Broken
2.27.2    404      Broken
2.28.2    404      Broken

Root Cause Hypothesis

The regression was introduced in 2.25.6, which is the first release containing the fix for CVE-2025-58360 (XXE vulnerability in WMS GetMap endpoint). It is suspected that the XXE security fix inadvertently tightened access control in a way that causes the REST API to apply catalog HIDE mode filtering to non-admin users regardless of their assigned roles and the configured layers.properties rules.

Note: CVE-2025-30220 (XXE in WFS, fixed in 2.25.7/2.26.3/2.27.1) is also present in the broken version range, but since 2.25.6 is already broken, CVE-2025-58360’s fix is the more likely culprit.

Additional Notes

  • Changing rest.properties to use IS_AUTHENTICATED_FULLY instead of the custom Read role does not resolve the issue — the 404 persists, confirming this is not a rest.properties role matching problem.

  • The behavior is consistent with HIDE catalog mode being incorrectly applied to REST API responses for non-admin users, treating inaccessible resources as non-existent rather than returning a proper 403.

  • Admin users are unaffected and receive correct 200 responses.

  • This issue effectively makes it impossible to run a patched/secure GeoServer instance that allows non-admin REST API access, forcing a choice between security (CVE patches) and functionality (non-admin REST access).

Related Issues

  • GEOS-12059: REST API appears to only evaluate local role service for LDAP users (related but distinct issue)