CIB seven 2.1.7 EE - Release Notes
Release Date: July 7, 2026
Highlights
- Security 23 CVEs resolved: two Critical in Apache
tomcat(10.1.55); eight High acrosstomcat,jackson,postgresql, andopenjdk17; eight Medium incurl/libcurlandopenjdk17; five Low incurl/libcurlandopenjdk17 - Search (EE exclusive) Comma-separated process instance IDs now accepted in the “Id in” batch operation filter
New Features
Batch Operations (EE exclusive)
- Comma-separated process instance IDs are now accepted in the “Id in” search filter, restoring parity with previous behavior
Technical Updates
Dependency Updates
- Update
Spring Bootfrom3.5.14to3.5.15 - Update
spring-boot-4(run4) from4.0.6to4.0.7 - Update
jackson(jackson-core,jackson-databind) from2.21.2to2.21.4 - Update
tomcatfrom10.1.54to10.1.55 - Update
org.postgresql:postgresqlfrom42.5.5to42.7.11 - Update
curl(libcurl) from8.17.0-r1to8.19.0-r0(Alpine base image) - Update
openjdk17(openjdk17-jre-headless) from17.0.18_p8-r0to17.0.19_p10-r0(Alpine base image)
Resolved CVE Vulnerabilities
Critical Severity
- CVE-2026-41293 - Improper Input Validation in Apache Tomcat
10.1.54allowing potential remote exploitation. Fixed in10.1.55. - CVE-2026-43512 - Authentication bypass in digest authentication in Apache Tomcat
10.1.54. Fixed in10.1.55.
High Severity
- CVE-2026-41284 - Allocation of resources without limits in Apache Tomcat
10.1.54, leading to Denial of Service. Fixed in10.1.55. - CVE-2026-42498 - HTTP Authentication header exposed to unexpected hosts during WebSocket upgrade in Apache Tomcat
10.1.54. Fixed in10.1.55. - CVE-2026-43513 - Case sensitivity bypass in
LockOutRealmin Apache Tomcat10.1.54allowing lockout evasion. Fixed in10.1.55. - CVE-2026-22016 - CVSS 7.5. Easily exploitable vulnerability in Oracle Java SE JAXP (
openjdk1717.0.18) allowing unauthenticated network attackers to read all accessible data. Fixed in17.0.19_p10-r0. - CVE-2026-34282 - CVSS 7.5. Easily exploitable vulnerability in Oracle Java SE Networking (
openjdk1717.0.18) allowing unauthenticated network attackers to cause a complete Denial of Service. Fixed in17.0.19_p10-r0. - CVE-2026-42198 - Client-side Denial of Service in
org.postgresql:postgresql42.5.5via a malicious server instructing unbounded PBKDF2 CPU work during SCRAM-SHA-256 authentication. Fixed in42.7.11. - CVE-2026-54512 - Vulnerability in
com.fasterxml.jackson.core:jackson-databind2.21.2, fixed by upgrading to2.21.4. - CVE-2026-54513 - Vulnerability in
com.fasterxml.jackson.core:jackson-core2.21.2, fixed by upgrading to2.21.4.
Medium Severity
- CVE-2026-1965 -
libcurlwrongfully reuses a Negotiate-authenticated connection for a request using different credentials, sending it as the first user. Fixed in8.19.0-r0. - CVE-2026-3783 -
curlleaks an OAuth2 bearer token to a redirect target hostname when a.netrcentry exists for that host. Fixed in8.19.0-r0. - CVE-2026-3784 -
curlwrongfully reuses an existing HTTP proxy CONNECT connection when the new request uses different proxy credentials. Fixed in8.19.0-r0. - CVE-2026-3805 - Use-after-free in
curlwhen performing a second SMB request to the same host. Fixed in8.19.0-r0. - CVE-2025-14017 -
libcurlmulti-threaded LDAPS transfers inadvertently change TLS options globally, potentially disabling certificate verification for concurrent transfers. Fixed in8.19.0-r0. - CVE-2026-22013 - CVSS 5.3. Difficult to exploit vulnerability in Oracle Java SE JGSS (
openjdk1717.0.18) allowing unauthorized access to critical data with human interaction. Fixed in17.0.19_p10-r0. - CVE-2026-22021 - CVSS 5.3. Easily exploitable vulnerability in Oracle Java SE JSSE (
openjdk1717.0.18) allowing partial Denial of Service via HTTPS. Fixed in17.0.19_p10-r0. - CVE-2026-23865 - Integer overflow in FreeType (bundled with
openjdk1717.0.18) when parsing OpenType variable font tables, leading to out-of-bounds read. Fixed in17.0.19_p10-r0.
Low Severity
- CVE-2025-14524 -
curlwrongly passes an OAuth2 bearer token on cross-protocol redirect to IMAP, LDAP, POP3, or SMTP. Fixed in8.19.0-r0. - CVE-2025-14819 -
libcurlmay reuse a CA store cached with a reversedCURLSSLOPT_NO_PARTIALCHAINoption, accepting a trust chain that should otherwise be rejected. Fixed in8.19.0-r0. - CVE-2026-22007 - CVSS 2.9. Difficult to exploit vulnerability in Oracle Java SE Security (
openjdk1717.0.18) allowing unauthorized read of a subset of data via local access. Fixed in17.0.19_p10-r0. - CVE-2026-22018 - CVSS 3.7. Difficult to exploit vulnerability in Oracle Java SE Libraries (
openjdk1717.0.18) allowing partial Denial of Service via network. Fixed in17.0.19_p10-r0. - CVE-2026-34268 - CVSS 2.9. Difficult to exploit vulnerability in Oracle Java SE Security (
openjdk1717.0.18) allowing unauthorized read of a subset of data via local access. Fixed in17.0.19_p10-r0.