CIB seven 2.1.3 CE+ - Release Notes

Release Notes

Release Date: January 22, 2026

Major upgrade to Wildfly 37.0.1.Final with enhanced Jakarta support and improved security.
Enhanced multi-engine support with token caching, authentication optimization, and flexible configuration.
Ability to add new file variable for process instances.
Comprehensive accessibility improvements with eslint-plugin-vuejs-accessibility integration.
Resolved multiple high-severity CVE vulnerabilities in log4j, qs, org.lz4, and netty.

Support connections to multiple engines from a single CIB seven webclient.
Implemented token caching mechanism for logged-in engines to improve performance and user experience.
Enhanced multi-engine REST configuration with support for custom jwtSecret at URL and path level.
Improved multi-engine REST with customizable text, tooltips, and correct mapping.
Fallback path to /engine-rest if not explicitly set.
Implemented pseudo-authentication filter for multi-engine environments.

Use middleware for embedded forms instead of direct calls to engine-rest from bpm-sdk.
Construct embedded form URLs based on engine configuration.
Added endpoints to retrieve rendered HTML forms.
Implemented middleware proxy for form content to resolve CORS issues.
Updated deployed form retrieval to return bytes and proper content type.

Added authGroupFilterThreshold option to optimize authentication group filtering and improve SQL query performance.
Refactored configuration prefixes from quarkus.camunda to quarkus.cibseven.

Improved consistency and accessibility for action buttons across tables.
Added deployment date display in process definition.
Improved TTL (Time To Live) handling: allow setting to unlimited, enhanced UI, and improved modal layout.
Improved mobile navigation menu and header for better usability on small screens.
Improved assignee cell interaction with copyable button and action button.
Improved sorting criteria modal dialog.
Improved tab navigation in decisions section.
Improved login form and secure input with button components for better accessibility.
Improved profile user tab handling and data structure.
Improved action buttons for forms in Tasklist on small screens.

Fixed: Http-connector module for Wildfly distribution.
Fixed: IconButton.vue duplication issue resolved.
Fixed: Header display and layout issues for small screens.
Fixed: Added null checks and error handling for zoom functionality in BpmnViewer.
Fixed: Various embedded forms issues including URL construction, API URI handling, and error logging.
Fixed: JWT secret decoding in multi-engine configuration.
Fixed: Handling of empty path strings in multi-engine REST.

CVE-2025-66566 - Fixed in org.lz4 and netty modules for Wildfly.
CVE-2025-15284 - qs’s arrayLimit bypass allowing DoS via memory exhaustion. Fixed in qs < 6.14.1 via @cypress/request dependency. Note: This package is used only for testing and is not present in the production code of the CIB seven platform deployed at customer sites.
CVE-2025-68161 - Fixed in log4j by updating to 2.25.3.
CVE-2025-13151 - Fixed Stack-based buffer overflow in libtasn1 by updating to 4.21.0-r0. The vulnerable library was included transitively via the Alpine base image.

Updated Tomcat ports to dynamic allocation with port reservation during initialization.
Removed old wildfly26 distribution and related profiles.
Updated QA files for Wildfly to use Jakarta.
Adapted embedded-engine-rest QA profile to newer Wildfly versions.
Optimized Docker image build process with updated Jib settings.
Improved npm publish scripts and added additional exports.
Exported createProvideObject method for shared functionality.
Refactored configuration prefix from quarkus.camunda to quarkus.cibseven.
Updated dependency names from camunda-engine-cdi-jakarta to cibseven-engine-cdi-jakarta.
Updated feature name from camunda-platform-engine to cibseven-engine.
Updated documentation, badges, and branding for Quarkus Extensions.
Improved code readability and maintainability with modern JavaScript patterns.