CIB seven 2.1.3 EE - Release Notes

Release Notes

Release Date: January 22, 2026

Highlights

  • Major upgrade to Wildfly 37.0.1.Final with enhanced Jakarta support and improved security.
  • Enhanced multi-engine support with token caching, authentication optimization, and flexible configuration.
  • Ability to add new file variable for process instances.
  • Comprehensive accessibility improvements with eslint-plugin-vuejs-accessibility integration.
  • Resolved multiple high-severity CVE vulnerabilities in log4j, qs, org.lz4, and netty.

New Features

Multi-Engine Support

  • Support connections to multiple engines from a single CIB seven webclient.
  • Implemented token caching mechanism for logged-in engines to improve performance and user experience.
  • Enhanced multi-engine REST configuration with support for custom jwtSecret at URL and path level.
  • Improved multi-engine REST with customizable text, tooltips, and correct mapping.
  • Fallback path to /engine-rest if not explicitly set.
  • Implemented pseudo-authentication filter for multi-engine environments.

Multi-Engine Support for Embedded Forms

  • Use middleware for embedded forms instead of direct calls to engine-rest from bpm-sdk.
  • Construct embedded form URLs based on engine configuration.
  • Added endpoints to retrieve rendered HTML forms.
  • Implemented middleware proxy for form content to resolve CORS issues.
  • Updated deployed form retrieval to return bytes and proper content type.

Engine Configuration

  • Added authGroupFilterThreshold option to optimize authentication group filtering and improve SQL query performance.
  • Refactored configuration prefixes from quarkus.camunda to quarkus.cibseven.

Variables

  • Ability to add new file variable for process instances.
  • Ability to change existing variables to file type.
  • Added file download handlers and endpoint for task variable data retrieval.

Batch Operations

  • Added skipSubprocesses parameter for batch stop of process instances (asynchronous).
  • Improved internationalization for batch operations.

Human Tasks

  • Added ability to toggle ’task id’ column in Human Tasks table.

User Experience Improvements

  • Improved consistency and accessibility for action buttons across tables.
  • Added deployment date display in process definition.
  • Improved TTL (Time To Live) handling: allow setting to unlimited, enhanced UI, and improved modal layout.
  • Improved mobile navigation menu and header for better usability on small screens.
  • Improved assignee cell interaction with copyable button and action button.
  • Improved sorting criteria modal dialog.
  • Improved tab navigation in decisions section.
  • Improved login form and secure input with button components for better accessibility.
  • Improved profile user tab handling and data structure.
  • Improved action buttons for forms in Tasklist on small screens.

Bug Fixes

  • Fixed: Modify/restart process instance functionality now works correctly.
  • Fixed: Service task with running incidents can now be canceled.
  • Fixed: Alignment of definition version header in ProcessInstancesBatchTable.
  • Fixed: Enhanced drawToolButtons to combine active activity IDs from historic and runtime statistics.
  • Fixed: Http-connector module for Wildfly distribution.
  • Fixed: IconButton.vue duplication issue resolved.
  • Fixed: Header display and layout issues for small screens.
  • Fixed: Added null checks and error handling for zoom functionality in BpmnViewer.
  • Fixed: Various embedded forms issues including URL construction, API URI handling, and error logging.
  • Fixed: JWT secret decoding in multi-engine configuration.
  • Fixed: Handling of empty path strings in multi-engine REST.

Technical Updates

Dependency Updates

  • Update Wildfly from 37.0.0.Final to 37.0.1.Final
  • Update Spring Boot from 3.5.7 to 3.5.9
  • Update log4j to 2.25.3
  • Update qs from 6.14.0 to 6.14.1
  • Update cibseven-components to 2.1.3
  • Update jib-maven-plugin to 3.5.1
  • Update tomcat from 10.1.48 to 10.1.49
  • Update jackson from 2.15.2 to 2.19.4

Resolved CVE Vulnerabilities

High Severity
  • CVE-2025-66566 - Fixed in org.lz4 and netty modules for Wildfly.
  • CVE-2025-15284 - qs’s arrayLimit bypass allowing DoS via memory exhaustion. Fixed in qs < 6.14.1 via @cypress/request dependency. Note: This package is used only for testing and is not present in the production code of the CIB seven platform deployed at customer sites.
  • CVE-2025-68161 - Fixed in log4j by updating to 2.25.3.
  • CVE-2025-13151 - Fixed Stack-based buffer overflow in libtasn1 by updating to 4.21.0-r0. The vulnerable library was included transitively via the Alpine base image.

Testing & Quality

  • Added and enhanced Cypress e2e tests: login/logout, add/remove variables.
  • Reduced test output during test runs and cleaned up test source code.
  • Added simple unit tests for authentication group filtering logic.
  • Added tests for latest header changes.
  • Added use cases for file variables.

Build & Configuration

  • Updated Tomcat ports to dynamic allocation with port reservation during initialization.
  • Removed old wildfly26 distribution and related profiles.
  • Updated QA files for Wildfly to use Jakarta.
  • Adapted embedded-engine-rest QA profile to newer Wildfly versions.
  • Optimized Docker image build process with updated Jib settings.
  • Improved npm publish scripts and added additional exports.
  • Exported createProvideObject method for shared functionality.
  • Refactored configuration prefix from quarkus.camunda to quarkus.cibseven.
  • Updated dependency names from camunda-engine-cdi-jakarta to cibseven-engine-cdi-jakarta.
  • Updated feature name from camunda-platform-engine to cibseven-engine.
  • Updated documentation, badges, and branding for Quarkus Extensions.
  • Improved code readability and maintainability with modern JavaScript patterns.

On this Page: