CIB seven 2.1.7 EE - Release Notes

Release Date: July 7, 2026

Highlights

  • Security 23 CVEs resolved: two Critical in Apache tomcat (10.1.55); eight High across tomcat, jackson, postgresql, and openjdk17; eight Medium in curl/libcurl and openjdk17; five Low in curl/libcurl and openjdk17
  • Search (EE exclusive) Comma-separated process instance IDs now accepted in the “Id in” batch operation filter

New Features

Batch Operations (EE exclusive)

  • Comma-separated process instance IDs are now accepted in the “Id in” search filter, restoring parity with previous behavior

Technical Updates

Dependency Updates

  • Update Spring Boot from 3.5.14 to 3.5.15
  • Update spring-boot-4 (run4) from 4.0.6 to 4.0.7
  • Update jackson (jackson-core, jackson-databind) from 2.21.2 to 2.21.4
  • Update tomcat from 10.1.54 to 10.1.55
  • Update org.postgresql:postgresql from 42.5.5 to 42.7.11
  • Update curl (libcurl) from 8.17.0-r1 to 8.19.0-r0 (Alpine base image)
  • Update openjdk17 (openjdk17-jre-headless) from 17.0.18_p8-r0 to 17.0.19_p10-r0 (Alpine base image)

Resolved CVE Vulnerabilities

Critical Severity

  • CVE-2026-41293 - Improper Input Validation in Apache Tomcat 10.1.54 allowing potential remote exploitation. Fixed in 10.1.55.
  • CVE-2026-43512 - Authentication bypass in digest authentication in Apache Tomcat 10.1.54. Fixed in 10.1.55.

High Severity

  • CVE-2026-41284 - Allocation of resources without limits in Apache Tomcat 10.1.54, leading to Denial of Service. Fixed in 10.1.55.
  • CVE-2026-42498 - HTTP Authentication header exposed to unexpected hosts during WebSocket upgrade in Apache Tomcat 10.1.54. Fixed in 10.1.55.
  • CVE-2026-43513 - Case sensitivity bypass in LockOutRealm in Apache Tomcat 10.1.54 allowing lockout evasion. Fixed in 10.1.55.
  • CVE-2026-22016 - CVSS 7.5. Easily exploitable vulnerability in Oracle Java SE JAXP (openjdk17 17.0.18) allowing unauthenticated network attackers to read all accessible data. Fixed in 17.0.19_p10-r0.
  • CVE-2026-34282 - CVSS 7.5. Easily exploitable vulnerability in Oracle Java SE Networking (openjdk17 17.0.18) allowing unauthenticated network attackers to cause a complete Denial of Service. Fixed in 17.0.19_p10-r0.
  • CVE-2026-42198 - Client-side Denial of Service in org.postgresql:postgresql 42.5.5 via a malicious server instructing unbounded PBKDF2 CPU work during SCRAM-SHA-256 authentication. Fixed in 42.7.11.
  • CVE-2026-54512 - Vulnerability in com.fasterxml.jackson.core:jackson-databind 2.21.2, fixed by upgrading to 2.21.4.
  • CVE-2026-54513 - Vulnerability in com.fasterxml.jackson.core:jackson-core 2.21.2, fixed by upgrading to 2.21.4.

Medium Severity

  • CVE-2026-1965 - libcurl wrongfully reuses a Negotiate-authenticated connection for a request using different credentials, sending it as the first user. Fixed in 8.19.0-r0.
  • CVE-2026-3783 - curl leaks an OAuth2 bearer token to a redirect target hostname when a .netrc entry exists for that host. Fixed in 8.19.0-r0.
  • CVE-2026-3784 - curl wrongfully reuses an existing HTTP proxy CONNECT connection when the new request uses different proxy credentials. Fixed in 8.19.0-r0.
  • CVE-2026-3805 - Use-after-free in curl when performing a second SMB request to the same host. Fixed in 8.19.0-r0.
  • CVE-2025-14017 - libcurl multi-threaded LDAPS transfers inadvertently change TLS options globally, potentially disabling certificate verification for concurrent transfers. Fixed in 8.19.0-r0.
  • CVE-2026-22013 - CVSS 5.3. Difficult to exploit vulnerability in Oracle Java SE JGSS (openjdk17 17.0.18) allowing unauthorized access to critical data with human interaction. Fixed in 17.0.19_p10-r0.
  • CVE-2026-22021 - CVSS 5.3. Easily exploitable vulnerability in Oracle Java SE JSSE (openjdk17 17.0.18) allowing partial Denial of Service via HTTPS. Fixed in 17.0.19_p10-r0.
  • CVE-2026-23865 - Integer overflow in FreeType (bundled with openjdk17 17.0.18) when parsing OpenType variable font tables, leading to out-of-bounds read. Fixed in 17.0.19_p10-r0.

Low Severity

  • CVE-2025-14524 - curl wrongly passes an OAuth2 bearer token on cross-protocol redirect to IMAP, LDAP, POP3, or SMTP. Fixed in 8.19.0-r0.
  • CVE-2025-14819 - libcurl may reuse a CA store cached with a reversed CURLSSLOPT_NO_PARTIALCHAIN option, accepting a trust chain that should otherwise be rejected. Fixed in 8.19.0-r0.
  • CVE-2026-22007 - CVSS 2.9. Difficult to exploit vulnerability in Oracle Java SE Security (openjdk17 17.0.18) allowing unauthorized read of a subset of data via local access. Fixed in 17.0.19_p10-r0.
  • CVE-2026-22018 - CVSS 3.7. Difficult to exploit vulnerability in Oracle Java SE Libraries (openjdk17 17.0.18) allowing partial Denial of Service via network. Fixed in 17.0.19_p10-r0.
  • CVE-2026-34268 - CVSS 2.9. Difficult to exploit vulnerability in Oracle Java SE Security (openjdk17 17.0.18) allowing unauthorized read of a subset of data via local access. Fixed in 17.0.19_p10-r0.

On this Page: