CIB seven 2.2.1 EE - Release Notes

Release Date: July 7, 2026

Highlights

  • Security Multiple CVEs resolved: jackson upgraded from 2.21.2 to 2.21.4 (CVE-2026-54512, CVE-2026-54513); openssl (libcrypto3, libssl3) updated to 3.5.7-r0 (Alpine base image) resolving 15 CVEs; netty updated in WildFly distribution resolving 7 CVEs; SQL injection CVE-2026-55405 fixed in langchain4j-pgvector
  • Modeler Released cibseven-modeler 1.1.0 and cibseven-modeler-ee 1.1.0 with multi-file import and deployment, new extensibility points, accessibility improvements, and major stability fixes
  • BPMN AI Agent (EE exclusive) AI agent now supports generating and previewing embedded and Camunda Forms; improved BPMN editing tools and system prompt
  • LDAP Configurable authentication cache and improved login behavior for large directories
  • Connect HTTP/SOAP connect connectors and element templates now ship with run and run4 distributions
  • OAuth2 Authentication with assertion (JWT client authentication) now supported
  • Batch Operations (EE exclusive) Fixed due date handling and added comma-separated process instance ID input support
  • Migration (EE exclusive) Fixed broken navigation links in the migration tool

New Features

HTTP/SOAP Connect Connectors in run/run4

  • The http-client and soap-http-client modules are now included in the run and run4 distributions under configuration/userlib/
  • Element templates for both connectors are bundled inside the connector JARs and are immediately available in the Modeler

LDAP Configurable Cache

  • LDAP authentication now supports a configurable cache to reduce redundant directory lookups and improve performance under load
  • Cache parameters are configurable in the distribution YAML configuration files

OAuth2 Authentication with Assertion

  • OAuth2 identity provider now supports authentication with assertion, enabling JWT-based client authentication and token exchange flows
  • New SSO properties for assertion-based authentication are available in the distribution configuration files

Process Instance Filter in Historic Activity Statistics

  • The process instance filter in the BPMN viewer is now applied to historic activity statistics, making heat-map counts consistent with the active filter selection

BPMN AI Agent Enhancements (EE exclusive)

  • AI agent now supports generating and previewing embedded and Camunda Forms directly in the chat panel
  • Replaced replaceXmlElement with an atomic batch patchXml tool for more reliable and precise BPMN diagram editing
  • Agent no longer forces the diff/review view when it only asks a clarifying question — layout adapts to the response type
  • System prompt improvements for more accurate and efficient BPMN editing

Batch Operations (EE exclusive)

  • Comma-separated process instance IDs are now accepted in the “Id in” search filter, restoring parity with previous behavior

Modeler Enhancements (cibseven-modeler 1.1.0)

Multi-file Import & Deployment

  • Import multiple BPMN, DMN, and Form files in a single operation
  • Drag and drop support for bulk file imports with conflict handling
  • Deploy multiple files at once; deploy BPMN processes together with selected forms
  • Download diagrams directly from the start page

Extensibility

  • New plugin extension point for custom integrations
  • New chat extension point with configurable chat transport
  • Support for grouped element-template scopes
  • Graceful fallback when the Modeler is deployed without a configured database

User Interface

  • Close all tabs in one click with unsaved-changes protection
  • Middle-click tab closing (standard browser behavior)
  • Optional “Skip creation dialog” preference to streamline diagram and form creation
  • Collapsible Properties/Chat side panel
  • Improved Properties Panel resizing
  • Toast notifications with process start redirection
  • Element-template icon rendering improvements in the BPMN modeler
  • Improved element template search and better handling of template grouping
  • Refreshed modeler user interface
  • Focus management for creation dialogs — inputs are focused automatically on open
  • Default task type markers remain visible alongside applied element-template icons

Accessibility

  • Added accessible labels and modal names throughout the Modeler
  • Live region announcements for screen readers
  • Added accessible labels on icon-only EE controls: compare, chat options, and diff viewer (EE exclusive)

Modeler EE (EE exclusive)

  • Updated Modeler EE user interface
  • Diagram diff failures are now surfaced with a localized error message instead of failing silently

User Experience Improvements in Web Client

LDAP

  • LDAP user objectClass is now configurable, allowing flexible directory schemas
  • LDAP login now performs a targeted node lookup instead of a full directory search, reducing load on the directory server
  • LDAP authentication no longer fails when the display name attribute is not configured for a user

Tasklist

  • Tasks from inactive process instances are no longer shown in the task list
  • Search query length limit removed from the task search field, allowing queries longer than 50 characters

Forms

  • Improved error handling for embedded forms and deployed form routes with user-friendly error messages
  • Error messages are available in multiple languages

BPMN AI Agent Chat (EE exclusive)

  • Improved BPMN diff output in the agent response for clearer change visualization
  • Session refresh now works correctly after reconnection
  • Improved license-missing UX in the chat panel: replaced the robot avatar with an error icon and applied danger-themed styling; lint quick-action bar is now hidden when a license is required
  • Chat error banner now clears automatically when the connection recovers

Migration Tool (EE exclusive)

  • Fixed broken links to source and target process definitions in steps 4 and 5 of the migration workflow
  • Added link icons, tooltips, and a responsive layout to the migration confirmation view

Bug Fixes

Authorization

  • Fixed permission selector behaving inconsistently during authorization creation
  • Fixed authorization deletion and editing failing with a 404 error (null ID)
  • Fixed authorization responses not handled correctly after creation

Process Definitions

  • Fixed process definition versions not ordered by version descending
  • Fixed incorrect process instance counter after deleting a process definition version

Multi-Engine

  • Fixed an error occurring when no default engine is configured
  • Fixed rendered forms not being routed to the user’s engine in a multi-engine setup

Direct Provider

  • Fixed authorization checks not being applied in DirectProvider

Modeler

  • Fixed the Modeler edit-lock: /session/close now validates the lock owner before allowing a session to be closed
  • Fixed /session/check leaking the session ID to unauthorized callers
  • Hardened diagram XML parsing against XXE (XML External Entity) injection
  • Fixed checkCorrectTab crashing on the dashboard when no active tab is present
  • Fixed duplicate diagram and form ID validation — live check during creation and a save backstop
  • Fixed openDiagram returning -1 after creating a new tab
  • Fixed batch import “replace unsaved tab” returning no value
  • Fixed tab resolution and DMN import key fallback issues
  • Fixed large number of open tabs causing display issues
  • Fixed console and visualization errors when a referenced template is not available
  • Fixed gap in the footer for forms and DMN diagrams
  • Fixed Modeler accessible via direct URL even when disabled in application.yaml
  • Fixed template search crashes in the element-template chooser
  • Fixed form save detection not triggering correctly in the Modeler
  • CSS fixes in the Properties Panel
  • Fixed layout and toolbar rendering issues in the diagram editor
  • Monaco editor stability improvements and autocomplete fixes
  • Improved DMN editor stability
  • Fixed edit-lock not released reliably on tab close failure and SPA unmount (EE exclusive)
  • Fixed missing session ID not guarded, which could cause orphaned edit locks (EE exclusive)
  • Fixed Modeler EE failing to load in Firefox (EE exclusive)

BPMN AI Agent Chat (EE exclusive)

  • Fixed toolSideEffects not rendering correctly when the list contains multiple entries
  • Fixed createSessionHook storing the session ID without validating the server response
  • Fixed agent chat localStorage history: resolved storage limit overflow, introduced a unified prefix, enabled shared history across all browser tabs, and restored the last chat on open
  • Fixed old camundaHistoryLevel property not handled correctly in middleware-ee
  • Fixed validation error messages in agent chat translations; removed unreliable retry logic in useAgentChat
  • Fixed license permission check in the web client
  • Fixed unguarded DOM/registry access in BPMN filter: guard against missing graphics registry and non-rectangular shapes
  • Fixed WebSocket path for the chat panel not derived correctly from the configured services base URL (EE exclusive)

Batch Operations (EE exclusive)

  • Fixed due date drifting by UTC offset when editing batch operation due dates
  • Fixed selected due date not preserved correctly in the batch operation payload
  • Fixed time selector behaving unexpectedly when entering numbers via keyboard

Backend

  • Fixed HistoricStatistics OrQuery logic in the process instance filter
  • Fixed withoutTenantId flag not set correctly in tenant ID queries

Technical Updates

Dependency Updates

  • Update Spring Boot from 3.5.14 to 3.5.15
  • Update spring-boot-4 (run4) from 4.0.6 to 4.0.7
  • Update jackson (jackson-core, jackson-databind) from 2.21.2 to 2.21.4
  • Update wildfly from 40.0.0.Final to 40.0.1.Final
  • Update netty from 4.1.133.Final to 4.1.135.Final (WildFly distribution, via wildfly upgrade)
  • Update openssl (libcrypto3, libssl3) from 3.5.6-r0 to 3.5.7-r0 (Alpine base image)
  • Update langchain4j (langchain4j-pgvector) from 1.14.1-beta24 to 1.16.3-beta26
  • Update cibseven-modeler to 1.1.0
  • Update cibseven-modeler-ee to 1.1.0 (EE exclusive)
  • Update @cib/common-frontend to 1.0.4

Resolved CVE Vulnerabilities

High Severity

  • CVE-2026-45447 - Use-after-free in openssl (libcrypto3, libssl3) during PKCS#7 signature verification when processing a signed message with an empty digestAlgorithms SET, potentially enabling heap corruption or remote code execution. Fixed in 3.5.7-r0 (Alpine base image).
  • CVE-2026-54512 - Vulnerability in com.fasterxml.jackson.core:jackson-databind 2.21.2, fixed by upgrading to 2.21.4.
  • CVE-2026-54513 - Vulnerability in com.fasterxml.jackson.core:jackson-core 2.21.2, fixed by upgrading to 2.21.4.
  • CVE-2026-55405 - SQL injection in dev.langchain4j:langchain4j-pgvector via unescaped metadata filter keys in EmbeddingSearchRequest.filter(), enabling blind data exfiltration or row deletion when attacker-controlled filter keys reach the embedding store. Fixed in 1.16.3-beta26.
  • CVE-2026-44249 - IPv6 subnet rule bypass in io.netty:netty-handler IpSubnetFilterRule due to incorrect masking, allowing public IPs to bypass access controls. Fixed in netty 4.1.135.Final (WildFly distribution).
  • CVE-2026-45416 - Unbounded heap allocation in io.netty:netty-handler SslClientHelloHandler for oversized TLS ClientHello messages when SniHandler constructors disable the length guard and timeout. Fixed in netty 4.1.135.Final (WildFly distribution).
  • CVE-2026-45674 - DNS cache poisoning via CNAME bailiwick bypass in io.netty:netty-resolver-dns, allowing a compromised authoritative server to inject records for parent domains. Fixed in netty 4.1.135.Final (WildFly distribution).
  • CVE-2026-47691 - DNS cache poisoning via NS bailiwick bypass in io.netty:netty-resolver-dns, allowing a subdomain-authoritative server to poison the cache for parent zones. Fixed in netty 4.1.135.Final (WildFly distribution).

Medium Severity

  • CVE-2026-34182 - Insufficient validation of cipher and tag length fields in openssl CMS AuthEnvelopedData processing, allowing an on-path attacker to achieve key-equivalent functionality or bypass integrity validation. Fixed in openssl 3.5.7-r0 (Alpine base image).
  • CVE-2026-34183 - Unbounded memory allocation in openssl QUIC stack via malicious PATH_CHALLENGE frames, leading to Denial of Service. Fixed in openssl 3.5.7-r0 (Alpine base image).
  • CVE-2026-42764 - NULL pointer dereference in openssl QUIC server when receiving an initial packet with an invalid token and address validation disabled, causing Denial of Service. Fixed in openssl 3.5.7-r0 (Alpine base image).
  • CVE-2026-45445 - Application-supplied IV silently discarded in openssl AES-OCB via EVP_Cipher() one-shot interface, causing nonce reuse, loss of confidentiality, and universal authentication tag forgery. Fixed in openssl 3.5.7-r0 (Alpine base image).
  • CVE-2026-45536 - File descriptor leak in io.netty:netty-transport-native-epoll when a peer sends a SCM_RIGHTS cmsg carrying two file descriptors, bypassing the single-fd check. Fixed in netty 4.1.135.Final (WildFly distribution).
  • CVE-2026-45673 - DNS cache poisoning via predictable transaction IDs and static UDP source port in io.netty:netty-resolver-dns, reducing entropy for Kaminsky-style attacks. Fixed in netty 4.1.135.Final (WildFly distribution).
  • CVE-2026-47244 - No default SETTINGS_MAX_CONCURRENT_STREAMS enforcement in io.netty:netty-codec-http2, allowing a single connection to open an unbounded number of streams and cause Denial of Service. Fixed in netty 4.1.135.Final (WildFly distribution).

Low Severity

  • CVE-2026-34180 - Heap buffer over-read in openssl ASN.1 decoder when parsing a crafted DER-encoded structure with a primitive element exceeding 2 GB, potentially causing a crash on 64-bit Unix platforms. Fixed in openssl 3.5.7-r0 (Alpine base image).
  • CVE-2026-34181 - Insufficient PBMAC1 integrity validation in openssl PKCS#12 processing, giving an attacker a 1-in-256 chance of having a forged certificate and private key accepted. Fixed in openssl 3.5.7-r0 (Alpine base image).
  • CVE-2026-42766 - NULL pointer dereference in openssl CMS password-based decryption when the optional keyDerivationAlgorithm field is absent, causing Denial of Service. Fixed in openssl 3.5.7-r0 (Alpine base image).
  • CVE-2026-42767 - NULL pointer dereference in openssl CMP client when processing a crafted server response with a missing algorithm parameters field in an EncryptedValue, causing Denial of Service. Fixed in openssl 3.5.7-r0 (Alpine base image).
  • CVE-2026-42768 - CMS_decrypt() and PKCS7_decrypt() in openssl vulnerable to a Bleichenbacher-style adaptive chosen-ciphertext attack when the attacker can supply CMS messages and observe error codes or decryption output. Fixed in openssl 3.5.7-r0 (Alpine base image).
  • CVE-2026-42769 - CMP root CA key update verification rendered ineffectual in openssl due to a certificate chain building typo, potentially allowing a Registration Authority to substitute an arbitrary root CA. Fixed in openssl 3.5.7-r0 (Alpine base image).
  • CVE-2026-42770 - DHX (X9.42) subgroup membership check in openssl uses the peer’s q parameter instead of the local key’s, enabling small-subgroup private key recovery (Lim-Lee attack). Fixed in openssl 3.5.7-r0 (Alpine base image).
  • CVE-2026-45446 - AES-SIV and AES-GCM-SIV in openssl fail to recompute the expected authentication tag when decrypting with an empty ciphertext, allowing universal message forgery via the all-zeros tag. Fixed in openssl 3.5.7-r0 (Alpine base image).
  • CVE-2026-7383 - Signed integer overflow in openssl ASN1_mbstring_ncopy() when computing the Unicode output buffer size for large inputs, potentially leading to heap buffer overflow. Fixed in openssl 3.5.7-r0 (Alpine base image).
  • CVE-2026-9076 - Heap out-of-bounds read in openssl CMS PWRI key unwrap when an attacker-chosen stream-mode KEK cipher bypasses the block-size guard in kek_unwrap_key(), potentially causing Denial of Service. Fixed in openssl 3.5.7-r0 (Alpine base image).

On this Page: