CIB seven 2.2.1 EE - Release Notes
Release Date: July 7, 2026
Highlights
- Security Multiple CVEs resolved:
jacksonupgraded from2.21.2to2.21.4(CVE-2026-54512,CVE-2026-54513);openssl(libcrypto3,libssl3) updated to3.5.7-r0(Alpine base image) resolving 15 CVEs;nettyupdated in WildFly distribution resolving 7 CVEs; SQL injectionCVE-2026-55405fixed inlangchain4j-pgvector - Modeler Released
cibseven-modeler1.1.0andcibseven-modeler-ee1.1.0with multi-file import and deployment, new extensibility points, accessibility improvements, and major stability fixes - BPMN AI Agent (EE exclusive) AI agent now supports generating and previewing embedded and Camunda Forms; improved BPMN editing tools and system prompt
- LDAP Configurable authentication cache and improved login behavior for large directories
- Connect HTTP/SOAP connect connectors and element templates now ship with
runandrun4distributions - OAuth2 Authentication with assertion (JWT client authentication) now supported
- Batch Operations (EE exclusive) Fixed due date handling and added comma-separated process instance ID input support
- Migration (EE exclusive) Fixed broken navigation links in the migration tool
New Features
HTTP/SOAP Connect Connectors in run/run4
- The
http-clientandsoap-http-clientmodules are now included in therunandrun4distributions underconfiguration/userlib/ - Element templates for both connectors are bundled inside the connector JARs and are immediately available in the Modeler
LDAP Configurable Cache
- LDAP authentication now supports a configurable cache to reduce redundant directory lookups and improve performance under load
- Cache parameters are configurable in the distribution YAML configuration files
OAuth2 Authentication with Assertion
- OAuth2 identity provider now supports authentication with assertion, enabling JWT-based client authentication and token exchange flows
- New SSO properties for assertion-based authentication are available in the distribution configuration files
Process Instance Filter in Historic Activity Statistics
- The process instance filter in the BPMN viewer is now applied to historic activity statistics, making heat-map counts consistent with the active filter selection
BPMN AI Agent Enhancements (EE exclusive)
- AI agent now supports generating and previewing embedded and Camunda Forms directly in the chat panel
- Replaced
replaceXmlElementwith an atomic batchpatchXmltool for more reliable and precise BPMN diagram editing - Agent no longer forces the diff/review view when it only asks a clarifying question — layout adapts to the response type
- System prompt improvements for more accurate and efficient BPMN editing
Batch Operations (EE exclusive)
- Comma-separated process instance IDs are now accepted in the “Id in” search filter, restoring parity with previous behavior
Modeler Enhancements (cibseven-modeler 1.1.0)
Multi-file Import & Deployment
- Import multiple BPMN, DMN, and Form files in a single operation
- Drag and drop support for bulk file imports with conflict handling
- Deploy multiple files at once; deploy BPMN processes together with selected forms
- Download diagrams directly from the start page
Extensibility
- New plugin extension point for custom integrations
- New chat extension point with configurable chat transport
- Support for grouped element-template scopes
- Graceful fallback when the Modeler is deployed without a configured database
User Interface
- Close all tabs in one click with unsaved-changes protection
- Middle-click tab closing (standard browser behavior)
- Optional “Skip creation dialog” preference to streamline diagram and form creation
- Collapsible Properties/Chat side panel
- Improved Properties Panel resizing
- Toast notifications with process start redirection
- Element-template icon rendering improvements in the BPMN modeler
- Improved element template search and better handling of template grouping
- Refreshed modeler user interface
- Focus management for creation dialogs — inputs are focused automatically on open
- Default task type markers remain visible alongside applied element-template icons
Accessibility
- Added accessible labels and modal names throughout the Modeler
- Live region announcements for screen readers
- Added accessible labels on icon-only EE controls: compare, chat options, and diff viewer (EE exclusive)
Modeler EE (EE exclusive)
- Updated Modeler EE user interface
- Diagram diff failures are now surfaced with a localized error message instead of failing silently
User Experience Improvements in Web Client
LDAP
- LDAP user
objectClassis now configurable, allowing flexible directory schemas - LDAP login now performs a targeted node lookup instead of a full directory search, reducing load on the directory server
- LDAP authentication no longer fails when the display name attribute is not configured for a user
Tasklist
- Tasks from inactive process instances are no longer shown in the task list
- Search query length limit removed from the task search field, allowing queries longer than 50 characters
Forms
- Improved error handling for embedded forms and deployed form routes with user-friendly error messages
- Error messages are available in multiple languages
BPMN AI Agent Chat (EE exclusive)
- Improved BPMN diff output in the agent response for clearer change visualization
- Session refresh now works correctly after reconnection
- Improved license-missing UX in the chat panel: replaced the robot avatar with an error icon and applied danger-themed styling; lint quick-action bar is now hidden when a license is required
- Chat error banner now clears automatically when the connection recovers
Migration Tool (EE exclusive)
- Fixed broken links to source and target process definitions in steps 4 and 5 of the migration workflow
- Added link icons, tooltips, and a responsive layout to the migration confirmation view
Bug Fixes
Authorization
- Fixed permission selector behaving inconsistently during authorization creation
- Fixed authorization deletion and editing failing with a 404 error (null ID)
- Fixed authorization responses not handled correctly after creation
Process Definitions
- Fixed process definition versions not ordered by version descending
- Fixed incorrect process instance counter after deleting a process definition version
Multi-Engine
- Fixed an error occurring when no default engine is configured
- Fixed rendered forms not being routed to the user’s engine in a multi-engine setup
Direct Provider
- Fixed authorization checks not being applied in DirectProvider
Modeler
- Fixed the Modeler edit-lock:
/session/closenow validates the lock owner before allowing a session to be closed - Fixed
/session/checkleaking the session ID to unauthorized callers - Hardened diagram XML parsing against XXE (XML External Entity) injection
- Fixed
checkCorrectTabcrashing on the dashboard when no active tab is present - Fixed duplicate diagram and form ID validation — live check during creation and a save backstop
- Fixed
openDiagramreturning-1after creating a new tab - Fixed batch import “replace unsaved tab” returning no value
- Fixed tab resolution and DMN import key fallback issues
- Fixed large number of open tabs causing display issues
- Fixed console and visualization errors when a referenced template is not available
- Fixed gap in the footer for forms and DMN diagrams
- Fixed Modeler accessible via direct URL even when disabled in
application.yaml - Fixed template search crashes in the element-template chooser
- Fixed form save detection not triggering correctly in the Modeler
- CSS fixes in the Properties Panel
- Fixed layout and toolbar rendering issues in the diagram editor
- Monaco editor stability improvements and autocomplete fixes
- Improved DMN editor stability
- Fixed edit-lock not released reliably on tab close failure and SPA unmount (EE exclusive)
- Fixed missing session ID not guarded, which could cause orphaned edit locks (EE exclusive)
- Fixed Modeler EE failing to load in Firefox (EE exclusive)
BPMN AI Agent Chat (EE exclusive)
- Fixed
toolSideEffectsnot rendering correctly when the list contains multiple entries - Fixed
createSessionHookstoring the session ID without validating the server response - Fixed agent chat localStorage history: resolved storage limit overflow, introduced a unified prefix, enabled shared history across all browser tabs, and restored the last chat on open
- Fixed old
camundaHistoryLevelproperty not handled correctly in middleware-ee - Fixed validation error messages in agent chat translations; removed unreliable retry logic in
useAgentChat - Fixed license permission check in the web client
- Fixed unguarded DOM/registry access in BPMN filter: guard against missing graphics registry and non-rectangular shapes
- Fixed WebSocket path for the chat panel not derived correctly from the configured services base URL (EE exclusive)
Batch Operations (EE exclusive)
- Fixed due date drifting by UTC offset when editing batch operation due dates
- Fixed selected due date not preserved correctly in the batch operation payload
- Fixed time selector behaving unexpectedly when entering numbers via keyboard
Backend
- Fixed
HistoricStatisticsOrQuery logic in the process instance filter - Fixed
withoutTenantIdflag not set correctly in tenant ID queries
Technical Updates
Dependency Updates
- Update
Spring Bootfrom3.5.14to3.5.15 - Update
spring-boot-4(run4) from4.0.6to4.0.7 - Update
jackson(jackson-core,jackson-databind) from2.21.2to2.21.4 - Update
wildflyfrom40.0.0.Finalto40.0.1.Final - Update
nettyfrom4.1.133.Finalto4.1.135.Final(WildFly distribution, viawildflyupgrade) - Update
openssl(libcrypto3,libssl3) from3.5.6-r0to3.5.7-r0(Alpine base image) - Update
langchain4j(langchain4j-pgvector) from1.14.1-beta24to1.16.3-beta26 - Update
cibseven-modelerto1.1.0 - Update
cibseven-modeler-eeto1.1.0(EE exclusive) - Update
@cib/common-frontendto1.0.4
Resolved CVE Vulnerabilities
High Severity
- CVE-2026-45447 - Use-after-free in
openssl(libcrypto3,libssl3) during PKCS#7 signature verification when processing a signed message with an emptydigestAlgorithmsSET, potentially enabling heap corruption or remote code execution. Fixed in3.5.7-r0(Alpine base image). - CVE-2026-54512 - Vulnerability in
com.fasterxml.jackson.core:jackson-databind2.21.2, fixed by upgrading to2.21.4. - CVE-2026-54513 - Vulnerability in
com.fasterxml.jackson.core:jackson-core2.21.2, fixed by upgrading to2.21.4. - CVE-2026-55405 - SQL injection in
dev.langchain4j:langchain4j-pgvectorvia unescaped metadata filter keys inEmbeddingSearchRequest.filter(), enabling blind data exfiltration or row deletion when attacker-controlled filter keys reach the embedding store. Fixed in1.16.3-beta26. - CVE-2026-44249 - IPv6 subnet rule bypass in
io.netty:netty-handlerIpSubnetFilterRuledue to incorrect masking, allowing public IPs to bypass access controls. Fixed innetty4.1.135.Final(WildFly distribution). - CVE-2026-45416 - Unbounded heap allocation in
io.netty:netty-handlerSslClientHelloHandlerfor oversized TLS ClientHello messages whenSniHandlerconstructors disable the length guard and timeout. Fixed innetty4.1.135.Final(WildFly distribution). - CVE-2026-45674 - DNS cache poisoning via CNAME bailiwick bypass in
io.netty:netty-resolver-dns, allowing a compromised authoritative server to inject records for parent domains. Fixed innetty4.1.135.Final(WildFly distribution). - CVE-2026-47691 - DNS cache poisoning via NS bailiwick bypass in
io.netty:netty-resolver-dns, allowing a subdomain-authoritative server to poison the cache for parent zones. Fixed innetty4.1.135.Final(WildFly distribution).
Medium Severity
- CVE-2026-34182 - Insufficient validation of cipher and tag length fields in
opensslCMSAuthEnvelopedDataprocessing, allowing an on-path attacker to achieve key-equivalent functionality or bypass integrity validation. Fixed inopenssl3.5.7-r0(Alpine base image). - CVE-2026-34183 - Unbounded memory allocation in
opensslQUIC stack via maliciousPATH_CHALLENGEframes, leading to Denial of Service. Fixed inopenssl3.5.7-r0(Alpine base image). - CVE-2026-42764 - NULL pointer dereference in
opensslQUIC server when receiving an initial packet with an invalid token and address validation disabled, causing Denial of Service. Fixed inopenssl3.5.7-r0(Alpine base image). - CVE-2026-45445 - Application-supplied IV silently discarded in
opensslAES-OCB viaEVP_Cipher()one-shot interface, causing nonce reuse, loss of confidentiality, and universal authentication tag forgery. Fixed inopenssl3.5.7-r0(Alpine base image). - CVE-2026-45536 - File descriptor leak in
io.netty:netty-transport-native-epollwhen a peer sends aSCM_RIGHTScmsg carrying two file descriptors, bypassing the single-fd check. Fixed innetty4.1.135.Final(WildFly distribution). - CVE-2026-45673 - DNS cache poisoning via predictable transaction IDs and static UDP source port in
io.netty:netty-resolver-dns, reducing entropy for Kaminsky-style attacks. Fixed innetty4.1.135.Final(WildFly distribution). - CVE-2026-47244 - No default
SETTINGS_MAX_CONCURRENT_STREAMSenforcement inio.netty:netty-codec-http2, allowing a single connection to open an unbounded number of streams and cause Denial of Service. Fixed innetty4.1.135.Final(WildFly distribution).
Low Severity
- CVE-2026-34180 - Heap buffer over-read in
opensslASN.1 decoder when parsing a crafted DER-encoded structure with a primitive element exceeding 2 GB, potentially causing a crash on 64-bit Unix platforms. Fixed inopenssl3.5.7-r0(Alpine base image). - CVE-2026-34181 - Insufficient PBMAC1 integrity validation in
opensslPKCS#12 processing, giving an attacker a 1-in-256 chance of having a forged certificate and private key accepted. Fixed inopenssl3.5.7-r0(Alpine base image). - CVE-2026-42766 - NULL pointer dereference in
opensslCMS password-based decryption when the optionalkeyDerivationAlgorithmfield is absent, causing Denial of Service. Fixed inopenssl3.5.7-r0(Alpine base image). - CVE-2026-42767 - NULL pointer dereference in
opensslCMP client when processing a crafted server response with a missing algorithm parameters field in anEncryptedValue, causing Denial of Service. Fixed inopenssl3.5.7-r0(Alpine base image). - CVE-2026-42768 -
CMS_decrypt()andPKCS7_decrypt()inopensslvulnerable to a Bleichenbacher-style adaptive chosen-ciphertext attack when the attacker can supply CMS messages and observe error codes or decryption output. Fixed inopenssl3.5.7-r0(Alpine base image). - CVE-2026-42769 - CMP root CA key update verification rendered ineffectual in
openssldue to a certificate chain building typo, potentially allowing a Registration Authority to substitute an arbitrary root CA. Fixed inopenssl3.5.7-r0(Alpine base image). - CVE-2026-42770 - DHX (X9.42) subgroup membership check in
openssluses the peer’sqparameter instead of the local key’s, enabling small-subgroup private key recovery (Lim-Lee attack). Fixed inopenssl3.5.7-r0(Alpine base image). - CVE-2026-45446 - AES-SIV and AES-GCM-SIV in
opensslfail to recompute the expected authentication tag when decrypting with an empty ciphertext, allowing universal message forgery via the all-zeros tag. Fixed inopenssl3.5.7-r0(Alpine base image). - CVE-2026-7383 - Signed integer overflow in
opensslASN1_mbstring_ncopy()when computing the Unicode output buffer size for large inputs, potentially leading to heap buffer overflow. Fixed inopenssl3.5.7-r0(Alpine base image). - CVE-2026-9076 - Heap out-of-bounds read in
opensslCMS PWRI key unwrap when an attacker-chosen stream-mode KEK cipher bypasses the block-size guard inkek_unwrap_key(), potentially causing Denial of Service. Fixed inopenssl3.5.7-r0(Alpine base image).