CIB seven 2.1.5 CE+ - Release Notes
Release Date: March 31, 2026
Highlights
- Updated CIB seven to resolve CVEs in third-party libraries
- Packaging change: The dependency org.cibseven.connect:cibseven-connect-core has been excluded from the shaded artifact.
- Improved the web client user experience with better navigation, richer variable details, and retry support for subprocess incidents.
- MariaDB: updated SQL scripts for migration from CIB seven 2.1.3 (Camunda 7.23)
User Experience Improvements in Web Client
- Enhanced navigation between process instances and process definitions, with and without tenantId
- Variables table: added the ‘activity instance id’ column and fixed the value of the ‘scope’ column
- Incidents table: enabled retrying subprocess incidents from the parent process
Technical Updates
Dependency Updates
- Update Spring Boot from 3.5.9 to 3.5.12
- Update jackson core from 2.19.4 to 2.21.1
- Update jackson.core.jackson-databind from 2.19.4 to 2.21.1
- Update groovy from 4.0.27 to 4.0.30 to fix “import static” issue when executing scripts
Resolved CVE Vulnerabilities
Critical Severity
- CVE-2025-66614 - CVSS 9.1, Improper Input Validation vulnerability in Apache Tomcat.
High Severity
- CVE-2026-24734 - CVSS 7.5, Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat.
- CVE-2026-29062 - CVSS 8.7. Nesting depth constraint bypass in com.fasterxml.jackson.core:jackson-core can trigger StackOverflowError and lead to Denial of Service.
Medium Severity
- GHSA-72hv-8253-57qq - CVSS 6.9. Async parser number length constraint bypass in com.fasterxml.jackson.core:jackson-core can cause excessive memory allocation and CPU exhaustion, leading to Denial of Service.
- CVE-2026-22184 - CVSS-B 4.6. Fixed a global buffer overflow in zlib by updating it to 1.3.1-r2. The vulnerable library was included transitively via the Alpine base image.
Low Severity
- CVE-2026-24733 - CVSS 3.7, Improper Input Validation vulnerability in Apache Tomcat.