CIB seven 2.1.6 CE+ - Release Notes

Release Notes

Release Date: April 30, 2026

Highlights

  • JWT Secret can now be configured via system property in the REST engine
  • Incident display fixes for BPMN diagram badges and stack traces when the history level is not configured as FULL
  • Security: multiple CVEs resolved in openssl, log4j-core, Apache Tomcat, and musl

New Features

REST Engine

  • Added support for setting jwtSecret via system property

User Experience Improvements in Web Client

Incidents

  • Show incidents from history and runtime tables based on the configured history level
  • Added incidents icon retrieval in runtime process instance search
  • Improved stack trace visibility for incidents originating from the selected process and its subprocesses
  • Fixed an issue where incident badges were not shown on the BPMN diagram in the process definition view and process instance view
  • Fixed an issue where subprocess incident badges were not displayed in the main process instance view
  • Fixed an issue where incident badges were not shown on Call Activity elements in the instance view with AUDIT history level

Variables

  • Fixed fetching of variables for ‘audit’ history level in process instance view

Process View

  • Fixed reset of activity instance and history state when navigating from main process to subprocess using the BPMN diagram

Technical Updates

Dependency Updates

  • Update log4j from 2.25.3 to 2.25.4
  • Update spring-boot from 3.5.12 to 3.5.14
  • Update spring-boot-4 from 4.0.4 to 4.0.5
  • Update jackson modules from 2.21.1 to 2.21.2
  • Update tomcat from 3.5.12 to 3.5.14
  • Update tomcat9 from 9.0.110 to 9.0.117

Resolved CVE Vulnerabilities

Critical Severity

  • CVE-2026-31789 - Heap buffer overflow when converting an excessively large OCTET STRING value to a hexadecimal string on 32-bit platforms in openssl, which may lead to a crash or attacker-controlled code execution.
  • CVE-2026-29145 - CLIENT_CERT authentication does not fail as expected when soft fail is disabled in Apache Tomcat and Apache Tomcat Native, allowing authentication bypass.

High Severity

  • CVE-2026-28387 - Use-after-free and/or double-free in openssl during DANE TLSA-based server authentication, which may result in data corruption, crash, or arbitrary code execution.
  • CVE-2026-28388 - NULL pointer dereference in openssl during delta CRL processing when the required CRL Number extension is missing, leading to Denial of Service.
  • CVE-2026-28389 - NULL pointer dereference in openssl when processing a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo, leading to Denial of Service.
  • CVE-2026-28390 - NULL pointer dereference in openssl when processing a crafted CMS EnvelopedData message with KeyTransportRecipientInfo, leading to Denial of Service.
  • CVE-2026-29129 - Configured cipher preference order not preserved in Apache Tomcat.
  • CVE-2026-34483 - Improper encoding or escaping of output in the JsonAccessLogValve component of Apache Tomcat.
  • CVE-2026-34487 - Kubernetes bearer token exposed in log files via the cloud membership clustering component of Apache Tomcat.
  • CVE-2026-40200 - Stack-based memory corruption in musl libc during qsort of very large arrays due to incorrectly implemented double-word primitives.

Medium Severity

  • CVE-2026-31790 - Uninitialized memory buffer may be disclosed to a malicious peer when using RSASVE key encapsulation in openssl.
  • CVE-2026-34480 - XmlLayout in log4j-core fails to sanitize characters forbidden by the XML 1.0 specification, producing invalid XML output.
  • CVE-2026-25854 - Open Redirect vulnerability in Apache Tomcat via the LoadBalancerDrainingValve.
  • CVE-2026-32990 - Improper Input Validation in Apache Tomcat due to an incomplete fix of CVE-2025-66614.
  • CVE-2026-34500 - CLIENT_CERT authentication does not fail as expected when soft fail is disabled and FFM is used in Apache Tomcat.

Low Severity

  • CVE-2026-2673 - OpenSSL TLS 1.3 server may fail to negotiate the expected preferred key exchange group when the server configuration uses the DEFAULT keyword.