CIB seven 2.0.10 CE+ - Release Notes

Release Date: April 30, 2026

Highlights

  • Process Instance Search with runtime-only mode, dedicated tab view, incidents icon, and adaptive filtering based on history level
  • Jobs due date management with recalculation support and conditional action button rendering
  • Incidents display fixes for BPMN diagram badges and stack traces with non-full history level configuration
  • Called Process Instances table now shows the business key column
  • Security: Multiple CVEs resolved in openssl, log4j-core, Apache Tomcat, and musl

User Experience Improvements in Web Client

  • Added separate process instance search for runtime-only processes
  • Added “Runtime-only instances” tab view for selected process definition with filtering options including variables and incident criteria
  • Added incidents icon with the total incident count in both runtime and historic process instance search views
  • Hid unreliable variables and incident criteria in historic search for appropriate history levels
  • Fixed an issue where the instances table was not displayed for a given batch operation search

Jobs

  • Added change and recalculate due date functionality directly inside the Jobs table
  • Added conditional rendering of the “Change due date” action button based on due date presence

Incidents

  • Show incidents from history and runtime tables based on the configured history level
  • Improved stack trace visibility for incidents originating from the selected process and its subprocesses
  • Fixed an issue where incident badges were not shown on the BPMN diagram in the process definition view and process instance view
  • Fixed an issue where subprocess incident badges were not displayed in the main process instance view
  • Fixed an issue where incident badges were not shown on Call Activity elements in the instance view with AUDIT history level

Variables

  • Fixed fetching of variables for ‘audit’ history level in process instance view

Called Process Instances

  • Added business key column to the called process instances table

Process View

  • Fixed reset of activity instance and history state when navigating from main process to subprocess using the BPMN diagram

Technical Updates

Dependency Updates

  • Update log4j from 2.25.3 to 2.25.4
  • Update spring-boot from 3.5.12 to 3.5.14
  • Update spring-boot-4 from 4.0.4 to 4.0.5
  • Update jackson modules from 2.21.1 to 2.21.2
  • Update tomcat from 3.5.12 to 3.5.14
  • Update tomcat9 from 9.0.110 to 9.0.117
  • Update openssl (libcrypto3, libssl3) from 3.5.5-r0 to 3.5.6-r0 (Alpine base image)
  • Update musl from 1.2.5-r21 to 1.2.5-r23 (Alpine base image)

Resolved CVE Vulnerabilities

Critical Severity

  • CVE-2026-31789 - Heap buffer overflow when converting an excessively large OCTET STRING value to a hexadecimal string on 32-bit platforms in openssl, which may lead to a crash or attacker-controlled code execution.
  • CVE-2026-29145 - CLIENT_CERT authentication does not fail as expected when soft fail is disabled in Apache Tomcat and Apache Tomcat Native, allowing authentication bypass.

High Severity

  • CVE-2026-28387 - Use-after-free and/or double-free in openssl during DANE TLSA-based server authentication, which may result in data corruption, crash, or arbitrary code execution.
  • CVE-2026-28388 - NULL pointer dereference in openssl during delta CRL processing when the required CRL Number extension is missing, leading to Denial of Service.
  • CVE-2026-28389 - NULL pointer dereference in openssl when processing a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo, leading to Denial of Service.
  • CVE-2026-28390 - NULL pointer dereference in openssl when processing a crafted CMS EnvelopedData message with KeyTransportRecipientInfo, leading to Denial of Service.
  • CVE-2026-29129 - Configured cipher preference order not preserved in Apache Tomcat.
  • CVE-2026-34483 - Improper encoding or escaping of output in the JsonAccessLogValve component of Apache Tomcat.
  • CVE-2026-34487 - Kubernetes bearer token exposed in log files via the cloud membership clustering component of Apache Tomcat.
  • CVE-2026-40200 - Stack-based memory corruption in musl libc during qsort of very large arrays due to incorrectly implemented double-word primitives.

Medium Severity

  • CVE-2026-31790 - Uninitialized memory buffer may be disclosed to a malicious peer when using RSASVE key encapsulation in openssl.
  • CVE-2026-34480 - XmlLayout in log4j-core fails to sanitize characters forbidden by the XML 1.0 specification, producing invalid XML output.
  • CVE-2026-25854 - Open Redirect vulnerability in Apache Tomcat via the LoadBalancerDrainingValve.
  • CVE-2026-32990 - Improper Input Validation in Apache Tomcat due to an incomplete fix of CVE-2025-66614.
  • CVE-2026-34500 - CLIENT_CERT authentication does not fail as expected when soft fail is disabled and FFM is used in Apache Tomcat.

Low Severity

  • CVE-2026-2673 - OpenSSL TLS 1.3 server may fail to negotiate the expected preferred key exchange group when the server configuration uses the DEFAULT keyword.
