CIB seven 2.2.0 CE - Release Notes

Release Date: May 31, 2026

Highlights

  • AI Agent Connector — new cibseven-connect-ai-agent module enabling BPMN service tasks to invoke LLM-backed agents via LangChain4j, with pgvector RAG, EU AI Act compliance, and MCP tool integration
  • OpenTelemetry & JMX Metrics — built-in OpenTelemetry agent configuration and JMX metrics export in Docker images
  • SCIM 2.0 Identity Provider (beta) — new identity-scim plugin for SCIM 2.0-based user/group federation with caching and OIDC authentication support
  • Direct Provider (beta) — new SevenDirectProvider as an alternative BpmProvider implementation running without REST
  • Multi-Engine Support — connect multiple process engines from a single web client with token caching and OAuth2 support
  • Modeler — first stable cibseven-modeler 1.0.0 release with template icons in the diagram and in the cockpit viewer, collapsible panel, plugin extension points, and toast notifications
  • Accessibility — comprehensive WCAG improvements across navigation, dialogs, calendar, and form components
  • Java 21 Only — Java 17 Docker images removed; all images are now Java 21 exclusively
  • Security — multiple CVEs resolved across all patch releases since 2.1.0

Breaking Changes

  • Java 17 Docker images removed. Only Java 21 images are now built and published. Deployments using the java17-* image tag must migrate to the Java 21 image.
  • KeycloakUserProvider renamed to OAuth2UserProvider in YAML configuration files. Update your default.yml / application.yml configuration accordingly (see Configuration Changes below).

Configuration Changes

  • KeycloakUserProvider renamed to OAuth2UserProvider: The user provider class name has been renamed in all CIB seven distribution YAML configs (run, run4, Tomcat, Wildfly). Update the relevant userProvider entries in your configuration file.
  • jwtSecret via system property: The JWT secret for engine-rest can now be set via the JVM system property cibseven.engine-rest.jwt-secret or the environment variable CIBSEVEN_ENGINE_REST_JWT_SECRET, without requiring a config file change.
  • AI Agent default model override: The default LLM model for the AI Agent connector can be overridden via the system property cibseven.connect.ai.agent.default-model or the environment variable CIBSEVEN_CONNECT_AI_AGENT_DEFAULT_MODEL.
  • Cron expression type: Configure cronType (QUARTZ or SPRING53) and supportLegacyQuartzSyntax in run, Tomcat, and Wildfly configuration files to control cron expression handling. Default is QUARTZ.
  • authGroupFilterThreshold: New option in engine configuration to optimize authentication group filtering and reduce SQL query load.
  • Tomcat 11 support: Tomcat 11 is now officially supported as a deployment target.
  • Schema validation: Modeler schema validation is disabled by default.
  • Modeler datasource: A shared datasource resource link for the CIB seven Modeler is now included in webapp.xml for Tomcat distributions.
  • AI Agent toggle: AI_AGENT_ENABLED environment variable (default true) controls whether the AI agent connector is loaded at startup in Tomcat and WildFly Docker images; set to false to disable without removing any files. For the run distribution, the connector is active by default in dev/default mode and disabled in --production mode; re-enable with --ai, --ai-agent, or --agent flags.

New Features

AI Agent Connector

  • AI Agent Connector is a new cibseven-connect-ai-agent module that lets BPMN service tasks invoke LLM-backed agents via the standard camunda:connector input/output parameter mapping — no custom Java code required
  • Runtime supports OpenAI, Azure OpenAI, Ollama, and any OpenAI-compatible endpoint via LangChain4j
  • Knowledge Ingestor with pgvector RAG and bundled all-MiniLM-L6-v2 embedding model
  • Built-in ProcessStarterTool — allows the LLM to start a CIB seven process by definition key, poll for completion, and return output variables
  • Chat memory with persistence and configurable options
  • MCP tool integration with provenance audit and mandatory name prefixing
  • EU AI Act compliance: chat-log persistence scoped per activity, RAG retrieval audit, AI-output marker for Art. 50(2), model parameters surfaced for Art. 15, extended record-keeping for Art. 12/14/26
  • instructionMode to combine caller instruction with bundled default prompt
  • Bundled element templates: cibseven-ai-agent.json and cibseven-knowledge-ingestor.json
  • Default LLM model overridable by operators via system property or environment variable

REST Engine

  • New endpoint to retrieve the current process engine configuration (history level, authorization, password policy)
  • jwtSecret configurable via system property
  • Policy-validation endpoint no longer requires authentication

Historic Process Statistics

  • New REST endpoint with instance-filter support for HistoricStatistics queries
  • Added sorting support for ActivityStatistics queries

Task Variables

  • New engine option to validate that a task ID exists before assigning task variables, preventing silent data loss for non-existing tasks

External Task Client

  • OAuth2 client credentials flow for external task clients

SCIM 2.0 Identity Provider (beta)

  • New identity-scim engine plugin for SCIM 2.0-based identity federation — connect CIB seven to any SCIM-compliant user directory (e.g. Okta, Azure AD, Microsoft Entra)
  • Read-only and writable identity provider implementations for full user and group lifecycle management
  • Configurable response caching: cacheEnabled, maxCacheSize, cacheExpirationTimeoutMin options with TTL and max-size eviction; cache is automatically invalidated on write operations
  • OIDC authentication support for securing SCIM endpoint access
  • User authentication support via SCIM (disabled by default; enable with userAuthenticationEnabled)
  • Distributed with all CIB seven distributions (Tomcat, WildFly, run)
  • Beta: works for limited use cases and is under active development

Process Instance Navigation (since 2.1.1)

  • Redirect URL for accessing a process instance using only its ID
  • Support for jumping from the task view in Cockpit directly to the corresponding task in the Task List
  • tenantId support across all instance and incident views

Initial Setup (since 2.1.2)

  • Initial setup page appears when no users exist in the system
  • Backend support for creating the first admin user with full admin rights
  • Setup restricted to internal user provider only; automatic detection of missing authentication

Cron Expression Migration (since 2.1.2)

Multi-Engine Support (since 2.1.3)

  • Connect to multiple engines from a single CIB seven web client
  • Token caching mechanism for logged-in engines to improve performance
  • Enhanced REST configuration with custom jwtSecret at URL and path level
  • Fallback path to /engine-rest if no explicit engine path is set
  • Base REST URL fallback for the “default” engine (omitting /engine/default suffix) for backward compatibility (since 2.1.4)
  • Pseudo-authentication filter for multi-engine environments

Multi-Engine Support for Embedded Forms (since 2.1.3)

  • Middleware routing for embedded forms instead of direct engine-rest calls from bpm-sdk
  • Embedded form URLs constructed based on engine configuration
  • Middleware proxy for form content to resolve CORS issues

Variables — File Type (since 2.1.3)

  • Ability to add a new file variable for process instances
  • Ability to change existing variables to file type

Direct Provider (beta)

  • New SevenDirectProvider — an alternative BpmProvider implementation that accesses the process engine directly without REST, suitable for embedded deployments
  • Beta: works for limited use cases and is under active development

User Profile — Password Validation

  • Password policy is now validated when a user changes their password in the user profile
  • Only violated password rules are displayed; validation resets on input

Modeler Enhancements

  • First stable release of Modeler as cibseven-modeler 1.0.0 npm package
  • Element template icons displayed in the BPMN diagram and in the template chooser modal
  • Collapsible Properties/Chat side panel with toggle strip (chevron button on panel edge), similar to Camunda Desktop Modeler behavior
  • Plugin extension point for integrating third-party plugins into the modeler
  • Chat extension point for integrating AI/chat plugins
  • group property inside element-template scopes is now respected, splitting scope properties into labeled sub-groups
  • Download button for diagram list items on the Start Page
  • Default task type marker (user figure, gears, etc.) stays visible alongside the applied element-template icon
  • Toast notification shown after successful deployment or process start, with a redirect option
  • Diagram and form creation modal inputs are focused on open; press Enter to confirm creation
  • Fixed unique IDs for internal/external template filter checkboxes

Docker — OpenTelemetry & JMX

  • Built-in OpenTelemetry agent configuration in Docker images
  • JMX metrics export support via OpenTelemetry
  • run4 distribution Docker image with JPDA remote debug mode support
  • AI_AGENT_ENABLED environment variable (default true) to toggle the AI agent connector at startup without modifying or deleting files; supported in Tomcat and WildFly Docker images; for run distribution, AI agent is on in dev/default mode and off in --production mode

User Experience Improvements

Process Instance Search (since 2.1.6)

  • Process instance details shown in a sidebar: instance data, status icons, incident count, links to process definition, deployment, and parent instances
  • Added separate process instance search for runtime-only processes
  • Added “Runtime-only instances” tab view for selected process definition
  • Added incidents icon with the total incident count in process instance search views
  • Unreliable variable and incident search criteria are now hidden in the historic search when the configured history level is not full

Incidents (since 2.1.6)

  • Show incidents from history and runtime tables based on the configured history level
  • Improved stack trace visibility for incidents originating from the selected process and its subprocesses
  • Fixed BPMN diagram incident badges not shown in process definition and process instance views
  • Fixed subprocess incident badges not displayed in the main process instance view
  • Fixed incident badges not shown on Call Activity elements in instance view with audit history level
  • Enabled retrying subprocess incidents from the parent process (since 2.1.5)
  • Click on “failed activity” in the incidents table to select the activity in the BPMN diagram (since 2.1.1)

Variables

  • Variables table: show BPMN scope name, highlight element on click, and fix direct diagram selection
  • Variables table: activityIdBadge component for improved variable filtering by activity
  • Variables table: copy variable name with a single click via CopyableActionButton
  • Variables table: added activity instance id column and fixed scope column value (since 2.1.5)
  • Fixed fetching of variables for audit history level in process instance view (since 2.1.6)

Tasks

  • Configurable display of process variables on task cards
  • Task frame can now be scrolled when a task is not yet assigned
  • Generic form: add and modify task variables directly for empty user tasks (file uploads and existing variable editing supported)

User Management

  • Case-insensitive user search using the likePatternIgnoreCase parameter

BPMN Diagram

  • Activity selection persists between definition, instance, and incidents views (since 2.1.1)
  • Activity badges support non-full history level configurations including audit mode (since 2.1.1)
  • Fixed reset of activity instance and history state when navigating from main process to subprocess (since 2.1.6)
  • Short number format option for badge numbers in the BPMN Viewer (user preference; e.g. 1.2k instead of 1200)
  • Element template icons rendered in the cockpit BPMN viewer

Decision Management

  • Proper input/output value display for selected decision instances (since 2.1.1)
  • Improved tab navigation in the decisions section (since 2.1.3)

Start View

  • Dynamic tile rendering with adaptive layout (since 2.1.1)
  • Enhanced navigation between process instances and process definitions, with and without tenantId (since 2.1.5)
  • Improved mobile navigation menu and header for better usability on small screens (since 2.1.3)
  • Redirect to start page with no-permission route when required permissions are missing (since 2.1.1)
  • Handle HistoryLevel none with proper process instance redirection (since 2.1.1)

Deployments

  • Deployment date displayed in process definition view (since 2.1.3)
  • Helper text added to deployments search (since 2.1.2)
  • Deployments view is refreshed after deleting a deployment; selection is preserved when deletion fails

Analytics

  • Runtime batch count now reflected on the cockpit dashboard
  • Historic Batches view shows an informational message when the configured history level does not support batch history

TTL (Time To Live)

  • Allow setting TTL to unlimited; enhanced UI and improved modal layout (since 2.1.3)

Batches (since 2.1.1)

  • Improved cell selector; prevented resize on selection changes
  • Added vertical scroll for better overflow handling
  • Improved cell view on selection in Historic and Runtime Batches tables

Forms (since 2.1.1)

  • Press Enter to submit tenant creation form

Accessibility

  • Comprehensive WCAG improvements: aria attributes, navigation landmarks, calendar start-day alignment, modal heading levels, and screen reader support for navbar and sidebar components
  • eslint-plugin-vuejs-accessibility integrated for ongoing accessibility linting

Bug Fixes

  • Fixed EngineProvider not handling 401 Unauthorized response for legacy configuration fallback
  • Fixed WildFly deployment crash caused by JakartaXmlBindAnnotationModule conflict in jackson 2.21.x; standardized web client logging backend to logback
  • Fixed ElementTemplateLoader race condition on fresh databases by deferring initialization to ContextRefreshedEvent
  • Fixed jackson FAIL_ON_UNKNOWN_PROPERTIES causing deserialization failures for unknown fields
  • Fixed Hibernate naming strategy in Modeler (PhysicalNamingStrategyStandardImpl)
  • Fixed date handling: engine no longer fails on dates filled in by other tasks
  • Fixed BpmnViewer null checks and error handling for zoom functionality (since 2.1.3)
  • Fixed IconButton duplication (since 2.1.3)
  • Fixed JWT secret decoding in multi-engine configuration (since 2.1.3)
  • Fixed various embedded forms issues including URL construction and API URI handling (since 2.1.3)
  • Fixed sub-process variable scope display (since 2.1.2)
  • Fixed ACCESS permissions for application (since 2.1.2)
  • Fixed checkCockpitRights inconsistency in REST services (since 2.1.2)
  • Fixed multiple @cib/bootstrap-components embedding issue (since 2.1.2)
  • Fixed generated task forms handling (since 2.1.1)
  • Fixed object variable saving with application/json format (since 2.1.1)
  • Fixed inability to open process instance with URL containing tenantId (since 2.1.1)
  • Fixed fileValueDataSource download for history variables (since 2.1.1)
  • Fixed BFormDatepicker and BCalendar starting the month on the wrong day
  • Fixed resizable column cursor and sorting arrows display
  • Fixed focus restoration when closing a modal whose trigger element is hidden
  • Fixed URL validation to use URL parser for http/https URLs, accepting localhost, IPs, and ports
  • Fixed BButton click and submit events not always being handled correctly

Technical Updates

Dependency Updates

  • Update Spring Boot from 3.5.6 to 3.5.14
  • Update spring-boot-4 from 4.0.4 to 4.0.6
  • Update log4j to 2.25.4
  • Update jackson from 2.15.2 to 2.21.2
  • Update jackson core from 2.15.2 to 2.21.2
  • Update tomcat to 11.0.22
  • Update tomcat10 from 10.1.48 to 10.1.55 (Spring Boot 3.x embedded)
  • Update tomcat9 from 9.0.110 to 9.0.118
  • Update wildfly from 37.0.0.Final to 40.0.0.Final
  • Update wildfly.core from 29.0.1.Final to 32.0.0.Final
  • Update groovy script engine from 4.0.27 to 5.0.4
  • Update nodejs from 20.14.0 to 24.13.1
  • Update npm from 10.7.0 to 11.8.0
  • Update openssl (libcrypto3, libssl3) from 3.5.5-r0 to 3.5.6-r0 (Alpine base image)
  • Update musl from 1.2.5-r21 to 1.2.5-r23 (Alpine base image)
  • Update zlib to 1.3.1-r2 (Alpine base image)
  • Update libtasn1 to 4.21.0-r0 (Alpine base image)
  • Update c-ares via the Alpine base image update to 3.23
  • Update OpenTelemetry Java agent from 2.23.0 to 2.26.1 to resolve CVE-2026-33701 (Alpine base image)
  • Update @cib/bootstrap-components from 1.0.1 to 1.0.3
  • Update @cib/common-frontend from 1.0.1 to 1.0.3
  • Update @cib/bootstrap-theme to 1.0.0 (new package extracted from webclient)
  • Update cibseven-modeler to 1.0.0 (first stable release)
  • Update vue from 3.5.13 to 3.5.33
  • Update vue-i18n to 11.4.0
  • Update vue-router from 4.5.1 to 5.0.6
  • Update axios to 1.13.2
  • Update qs from 6.14.0 to 6.14.1
  • Update rollup to 4.60.2
  • Update vite to 6.4.2
  • Update eslint to 9.39.4
  • Update plexus-utils to 3.6.1 (test environment)

Resolved CVE Vulnerabilities

Critical Severity

  • CVE-2025-15467 - CVSS 9.8. Affects libcrypto3, libssl3.
  • CVE-2025-12543 - CVSS 9.6. Package: io.undertow:undertow-core.
  • CVE-2025-66614 - CVSS 9.1. Improper Input Validation in Apache Tomcat.
  • CVE-2026-31789 - Heap buffer overflow when converting an excessively large OCTET STRING value to hexadecimal on 32-bit platforms in openssl, leading to potential attacker-controlled code execution.
  • CVE-2026-29145 - CLIENT_CERT authentication does not fail as expected when soft fail is disabled in Apache Tomcat and Apache Tomcat Native, allowing authentication bypass.
  • CVE-2026-33701 - CVSS 9.3. Unsafe deserialization in the OpenTelemetry Java agent’s RMI instrumentation, with potential RCE. Affects all versions < 2.26.1. Resolved by updating the OpenTelemetry Java agent to 2.26.1 in the Docker image (loaded via CATALINA_OPTS / PREPEND_JAVA_OPTS / JAVA_OPTS).

High Severity

  • CVE-2025-66566 - Fixed in org.lz4 and netty modules for Wildfly.
  • CVE-2025-15284 - qs arrayLimit bypass allowing DoS via memory exhaustion. Package: qs (via @cypress/request, used only in testing).
  • CVE-2025-68161 - Fixed in log4j by updating to 2.25.3.
  • CVE-2025-13151 - Stack-based buffer overflow in libtasn1. Fixed by updating to 4.21.0-r0 (Alpine base image).
  • CVE-2024-3884 - CVSS 7.5. Package: io.undertow:undertow-core.
  • CVE-2024-4027 - CVSS 7.5. Package: io.undertow:undertow-core.
  • CVE-2025-9784 - CVSS 7.5. Package: io.undertow:undertow-core.
  • CVE-2025-23368 - CVSS 8.1. Package: org.wildfly.core:wildfly-elytron-integration.
  • CVE-2025-69419 - CVSS 7.4. Affects libcrypto3, libssl3.
  • CVE-2025-69421 - CVSS 6.5. Affects libcrypto3, libssl3.
  • CVE-2026-21932 - CVSS 7.4. Package: openjdk21-jre-headless.
  • CVE-2026-21945 - CVSS 7.5. Package: openjdk21-jre-headless.
  • CVE-2026-24734 - CVSS 7.5. Improper Input Validation in Apache Tomcat Native and Apache Tomcat.
  • CVE-2026-29062 - CVSS 8.7. Nesting depth constraint bypass in com.fasterxml.jackson.core:jackson-core can trigger StackOverflowError and Denial of Service.
  • CVE-2026-28387 - Use-after-free and/or double-free in openssl during DANE TLSA-based server authentication, leading to potential code execution.
  • CVE-2026-28388 - NULL pointer dereference in openssl during delta CRL processing when the CRL Number extension is missing, leading to Denial of Service.
  • CVE-2026-28389 - NULL pointer dereference in openssl when processing a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo, leading to Denial of Service.
  • CVE-2026-28390 - NULL pointer dereference in openssl when processing a crafted CMS EnvelopedData message with KeyTransportRecipientInfo, leading to Denial of Service.
  • CVE-2026-29129 - Configured cipher preference order not preserved in Apache Tomcat.
  • CVE-2026-34483 - Improper encoding/escaping of output in the JsonAccessLogValve component of Apache Tomcat.
  • CVE-2026-34487 - Kubernetes bearer token exposed in log files via the cloud membership clustering component of Apache Tomcat.
  • CVE-2026-40200 - Stack-based memory corruption in musl libc during qsort of very large arrays.
  • CVE-2025-55182 - CVSS 10.0. Critical React vulnerability. Note: react is used only for documentation page generation and is not present in the production CIB seven platform.

Medium Severity

  • CVE-2025-11226 - CVSS 6.4. Package: ch.qos.logback:logback-core.
  • CVE-2024-58251 - Affects busybox, busybox-binsh, ssl_client (Alpine base image).
  • CVE-2025-58057 - CVSS 7.5. Package: io.netty:netty-codec.
  • CVE-2025-67735 - CVSS 6.5. Package: io.netty:netty-codec-http.
  • CVE-2026-1002 - Package: io.vertx:vertx-core.
  • CVE-2025-11187 - CVSS 6.1. Affects libcrypto3, libssl3.
  • CVE-2025-15468 - CVSS 5.9. Affects libcrypto3, libssl3.
  • CVE-2025-15469 - CVSS 5.5. Affects libcrypto3, libssl3.
  • CVE-2025-66199 - CVSS 5.9. Affects libcrypto3, libssl3.
  • CVE-2025-68160 - CVSS 4.7. Affects libcrypto3, libssl3.
  • CVE-2025-69418 - CVSS 4.0. Affects libcrypto3, libssl3.
  • CVE-2025-69420 - CVSS 5.9. Affects libcrypto3, libssl3.
  • CVE-2026-22795 - CVSS 5.5. Affects libcrypto3, libssl3.
  • CVE-2026-22796 - CVSS 5.9. Affects libcrypto3, libssl3.
  • CVE-2026-21925 - CVSS 4.8. Package: openjdk21-jre-headless.
  • CVE-2026-21933 - CVSS 6.1. Package: openjdk21-jre-headless.
  • GHSA-72hv-8253-57qq - CVSS 6.9. Async parser number length constraint bypass in com.fasterxml.jackson.core:jackson-core can cause excessive memory allocation and CPU exhaustion, leading to Denial of Service.
  • CVE-2026-22184 - CVSS-B 4.6. Global buffer overflow in zlib. Fixed by updating to 1.3.1-r2 (Alpine base image).
  • CVE-2026-31790 - Uninitialized memory buffer may be disclosed to a malicious peer when using RSASVE key encapsulation in openssl.
  • CVE-2026-34480 - XmlLayout in log4j-core fails to sanitize characters forbidden by the XML 1.0 specification, producing invalid XML output.
  • CVE-2026-25854 - Open Redirect vulnerability in Apache Tomcat via the LoadBalancerDrainingValve.
  • CVE-2026-32990 - Improper Input Validation in Apache Tomcat (incomplete fix for CVE-2025-66614).
  • CVE-2026-34500 - CLIENT_CERT authentication does not fail as expected when soft fail is disabled and FFM is used in Apache Tomcat.

Low Severity

  • CVE-2025-61795 - CVSS 5.3. Package: org.apache.tomcat.embed:tomcat-embed-core.
  • CVE-2025-46394 - CVSS 3.3. Affects busybox, busybox-binsh, ssl_client (Alpine base image).
  • CVE-2026-1225 - Package: ch.qos.logback:logback-core.
  • CVE-2025-58056 - CVSS 7.5. Package: io.netty:netty-codec-http.
  • CVE-2026-24733 - CVSS 3.7. Improper Input Validation in Apache Tomcat.
  • CVE-2026-2673 - OpenSSL TLS 1.3 server may fail to negotiate the expected preferred key exchange group when the server configuration uses the DEFAULT keyword.

Build & Configuration

  • Single branch now produces both Spring Boot 3.5 and Spring Boot 4.0 WARs; the parallel spring-boot-4 branch has been retired
  • Tomcat 11 added as a supported deployment target
  • Java 17 Docker images removed; only Java 21 images are built
  • MariaDB SQL scripts updated for migration from CIB seven 2.1.3 (Camunda 7.23) (since 2.1.5)
  • org.cibseven.connect:cibseven-connect-core excluded from the shaded artifact (since 2.1.5)
  • H2 Modeler LOB column types aligned with Oracle (CLOB/BLOB)
  • cib-bootstrap-theme extracted as a standalone npm package — single source of truth for CIB brand SCSS
  • Removed old Wildfly 26 distribution and related profiles (since 2.1.3)
  • Updated feature name from camunda-platform-engine to cibseven-engine (since 2.1.3)
