CIB seven 2.1.6 EE - Release Notes

Release Notes

Release Date: April 30, 2026

Highlights

  • JWT Secret can now be configured via system property in the REST engine
  • Process Instance Search with runtime-only mode, dedicated tab view, incidents icon, adaptive filtering, sortable columns, and separate storage per view
  • Incidents display fixes for BPMN diagram badges and stack traces with non-full history level configuration
  • Process Execution fix for page reload after execution
  • Security Multiple CVEs resolved in openssl, log4j-core, Apache Tomcat, and musl

New Features

REST Engine

  • Added support for setting jwtSecret via system property

User Experience Improvements in Web Client

  • Added separate process instance search for runtime-only processes
  • Added “Runtime-only instances” tab view for selected process definition with filtering options including variables and incident criteria
  • Added incidents icon retrieval in runtime process instance search
  • Added separate local storage keys for runtime and history search views
  • Enabled sorting for the process instance ID column in the process instances table
  • Fixed filter condition for incident keys in the search box
  • Fixed batch search to correctly pass the isRuntime flag for instance operation type
  • Updated instances search route to include history with a tooltip in the main menu

Incidents

  • Show incidents from history and runtime tables based on the configured history level
  • Improved stack trace visibility for incidents originating from the selected process and its subprocesses
  • Fixed an issue where incident badges were not shown on the BPMN diagram in the process definition view and process instance view
  • Fixed an issue where subprocess incident badges were not displayed in the main process instance view
  • Fixed an issue where incident badges were not shown on Call Activity elements in the instance view with AUDIT history level

Variables

  • Fixed fetching of variables for ‘audit’ history level in process instance view

Process Execution

  • Fixed page reload after execution in the execution instances modal

Process View

  • Fixed reset of activity instance and history state when navigating from main process to subprocess using the BPMN diagram

Technical Updates

Dependency Updates

  • Update log4j from 2.25.3 to 2.25.4
  • Update spring-boot from 3.5.12 to 3.5.14
  • Update spring-boot-4 from 4.0.4 to 4.0.5
  • Update jackson modules from 2.21.1 to 2.21.2
  • Update tomcat from 3.5.12 to 3.5.14
  • Update tomcat9 from 9.0.110 to 9.0.117
  • Update openssl (libcrypto3, libssl3) from 3.5.5-r0 to 3.5.6-r0 (Alpine base image)
  • Update musl from 1.2.5-r21 to 1.2.5-r23 (Alpine base image)

Resolved CVE Vulnerabilities

Critical Severity
  • CVE-2026-31789 - Heap buffer overflow when converting an excessively large OCTET STRING value to a hexadecimal string on 32-bit platforms in openssl, which may lead to a crash or attacker-controlled code execution.
  • CVE-2026-29145 - CLIENT_CERT authentication does not fail as expected when soft fail is disabled in Apache Tomcat and Apache Tomcat Native, allowing authentication bypass.
High Severity
  • CVE-2026-28387 - Use-after-free and/or double-free in openssl during DANE TLSA-based server authentication, which may result in data corruption, crash, or arbitrary code execution.
  • CVE-2026-28388 - NULL pointer dereference in openssl during delta CRL processing when the required CRL Number extension is missing, leading to Denial of Service.
  • CVE-2026-28389 - NULL pointer dereference in openssl when processing a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo, leading to Denial of Service.
  • CVE-2026-28390 - NULL pointer dereference in openssl when processing a crafted CMS EnvelopedData message with KeyTransportRecipientInfo, leading to Denial of Service.
  • CVE-2026-29129 - Configured cipher preference order not preserved in Apache Tomcat.
  • CVE-2026-34483 - Improper encoding or escaping of output in the JsonAccessLogValve component of Apache Tomcat.
  • CVE-2026-34487 - Kubernetes bearer token exposed in log files via the cloud membership clustering component of Apache Tomcat.
  • CVE-2026-40200 - Stack-based memory corruption in musl libc during qsort of very large arrays due to incorrectly implemented double-word primitives.
Medium Severity
  • CVE-2026-31790 - Uninitialized memory buffer may be disclosed to a malicious peer when using RSASVE key encapsulation in openssl.
  • CVE-2026-34480 - XmlLayout in log4j-core fails to sanitize characters forbidden by the XML 1.0 specification, producing invalid XML output.
  • CVE-2026-25854 - Open Redirect vulnerability in Apache Tomcat via the LoadBalancerDrainingValve.
  • CVE-2026-32990 - Improper Input Validation in Apache Tomcat due to an incomplete fix of CVE-2025-66614.
  • CVE-2026-34500 - CLIENT_CERT authentication does not fail as expected when soft fail is disabled and FFM is used in Apache Tomcat.
Low Severity
  • CVE-2026-2673 - OpenSSL TLS 1.3 server may fail to negotiate the expected preferred key exchange group when the server configuration uses the DEFAULT keyword.

On this Page: