CIB seven 2.2.0 EE - Release Notes

Release Date: May 31, 2026

Highlights

  • AI Agent Connector — new cibseven-connect-ai-agent module enabling BPMN service tasks to invoke LLM-backed agents via LangChain4j, with pgvector RAG, EU AI Act compliance, and MCP tool integration
  • BPMN AI Agent (EE exclusive, beta) — LLM-powered agent for designing, generating, editing, reviewing, and explaining BPMN diagrams directly in the modeler EE
  • Modeler EE (EE exclusive) — diagram snapshots, version comparison, code diff for BPMN/DMN, token simulation, SVG export, concurrent access detection, and element highlighting
  • SCIM 2.0 Identity Provider (beta) — new identity-scim plugin for SCIM 2.0-based user/group federation with caching and OIDC authentication support
  • Direct Provider (beta) — new SevenDirectProvider / SevenProviderEE as alternative BpmProvider implementations running without REST
  • OpenTelemetry & JMX Metrics — built-in OpenTelemetry agent configuration and JMX metrics export in Docker images
  • Modeler — first stable cibseven-modeler 1.0.0 and cibseven-modeler-ee 1.0.0 releases with template icons in diagram and cockpit viewer, collapsible panel, and plugin extension points
  • Accessibility — comprehensive WCAG improvements across navigation, dialogs, calendar, and form components
  • Java 21 Only — Java 17 Docker images removed; all images are now Java 21 exclusively (since 2.1.4)
  • Security — multiple CVEs resolved in patch releases since 2.1.3

Breaking Changes

  • Java 17 Docker images removed. Only Java 21 images are now built and published. Deployments using the java17-* image tag must migrate to the Java 21 image.
  • KeycloakUserProvider renamed to OAuth2UserProvider in YAML configuration files. Update your default.yml / application.yml configuration accordingly (see Configuration Changes below).

Configuration Changes

  • KeycloakUserProvider renamed to OAuth2UserProvider: The user provider class name has been renamed in all CIB seven distribution YAML configs (run, run4, Tomcat, Wildfly). Update the relevant userProvider entries in your configuration file.
  • jwtSecret via system property: The JWT secret for engine-rest can now be set via the JVM system property cibseven.engine-rest.jwt-secret or the environment variable CIBSEVEN_ENGINE_REST_JWT_SECRET, without requiring a config file change. (since 2.1.6)
  • AI Agent default model override: The default LLM model for the AI Agent connector can be overridden via the system property cibseven.connect.ai.agent.default-model or the environment variable CIBSEVEN_CONNECT_AI_AGENT_DEFAULT_MODEL.
  • Cron expression type: Configure cronType (QUARTZ or SPRING53) and supportLegacyQuartzSyntax in run, Tomcat, and Wildfly configuration files to control cron expression handling.
  • Tomcat 11 support: Tomcat 11 is now officially supported as a deployment target.
  • Schema validation: Modeler schema validation is disabled by default.
  • Modeler datasource: A shared datasource resource link for the CIB seven Modeler is now included in webapp.xml for Tomcat distributions.
  • AI Agent toggle: AI_AGENT_ENABLED environment variable (default true) controls whether the AI agent connector is loaded at startup in Tomcat and WildFly Docker images; set to false to disable without removing any files. For the run distribution, the connector is active by default in dev/default mode and disabled in --production mode; re-enable with --ai, --ai-agent, or --agent flags.
  • cibseven.webclient.modeler.ai.enabled flag (EE exclusive, beta): Enables the BPMN AI Agent for designing BPMN diagrams in the modeler. Default value is false. In our distributions it is enabled for tomcat and wildfly; for the run distribution, the agent is enabled only in dev/default mode and disabled in --production mode. Note that even when enabled, you still need to provide apiKey and other properties in the configuration.
  • cibseven.webclient.modeler.chat.enabled flag (EE exclusive, beta): Turns on collaborative chat to communicate with other CIB seven users. Disabled by default.

New Features

AI Agent Connector

  • AI Agent Connector is a new cibseven-connect-ai-agent module that lets BPMN service tasks invoke LLM-backed agents via the standard camunda:connector input/output parameter mapping — no custom Java code required
  • Runtime supports OpenAI, Azure OpenAI, Ollama, and any OpenAI-compatible endpoint via LangChain4j
  • Knowledge Ingestor with pgvector RAG and bundled all-MiniLM-L6-v2 embedding model
  • Built-in ProcessStarterTool — allows the LLM to start a CIB seven process by definition key, poll for completion, and return output variables
  • Chat memory with persistence and configurable options
  • MCP tool integration with provenance audit and mandatory name prefixing
  • EU AI Act compliance: chat-log persistence scoped per activity, RAG retrieval audit, AI-output marker for Art. 50(2), model parameters surfaced for Art. 15, extended record-keeping for Art. 12/14/26
  • instructionMode to combine caller instruction with bundled default prompt
  • Bundled element templates: cibseven-ai-agent.json and cibseven-knowledge-ingestor.json
  • Default LLM model overridable by operators via system property or environment variable

BPMN AI Agent (EE exclusive, beta)

  • BPMN AI Agent is a real-time, streaming AI chat panel docked in the modeler — describe a change in natural language and the agent designs, generates, edits, reviews, and explains BPMN directly on the canvas
  • Connects to any OpenAI-compatible endpoint (OpenAI, OpenRouter, Ollama, vLLM, etc.); providers and models are configured under cibseven.webclient.modeler.ai.* and the agent is turned on with cibseven.webclient.modeler.ai.enabled
  • Model picker with selectable reasoning effort level, agent modes, and a per-session token-budget indicator
  • Proposed changes are shown as a diff (added / changed / removed elements) to review and Apply or Discard, with an Auto-accept toggle to apply edits automatically
  • Multi-step plans with step-by-step continue / skip / modify / reject controls
  • Inline BPMN lint quick-fixes, selected-element context, file attachments, voice input, and saved chat sessions

REST Engine

  • New endpoint to retrieve the current process engine configuration (history level, authorization, password policy)
  • Policy-validation endpoint no longer requires authentication
  • jwtSecret configurable via system property (since 2.1.6)

Historic Process Statistics

  • New REST endpoint with instance-filter support for HistoricStatistics queries
  • Added sorting support for ActivityStatistics queries

Task Variables

  • New engine option to validate that a task ID exists before assigning task variables, preventing silent data loss for non-existing tasks

External Task Client

  • OAuth2 client credentials flow for external task clients

SCIM 2.0 Identity Provider (beta)

  • New identity-scim engine plugin for SCIM 2.0-based identity federation — connect CIB seven to any SCIM-compliant user directory (e.g. Okta, Azure AD, Microsoft Entra)
  • Read-only and writable identity provider implementations for full user and group lifecycle management
  • Configurable response caching: cacheEnabled, maxCacheSize, cacheExpirationTimeoutMin options with TTL and max-size eviction; cache is automatically invalidated on write operations
  • OIDC authentication support for securing SCIM endpoint access
  • User authentication support via SCIM (disabled by default; enable with userAuthenticationEnabled)
  • Distributed with all CIB seven distributions (Tomcat, WildFly, run)
  • Beta: works for limited use cases and is under active development

Multi-Engine Support (since 2.1.4)

  • Base REST URL fallback for the “default” engine (omitting /engine/default suffix) for backward compatibility (since 2.1.4)

Direct Provider (beta)

  • New SevenDirectProvider (SevenDirectProviderEE in the EE edition) — an alternative BpmProvider implementation that accesses the process engine directly without REST, suitable for embedded deployments
  • BpmProviderEE beans for enhanced direct BPM integration in the EE context
  • Beta: works for limited use cases and is under active development

User Profile — Password Validation

  • Password policy is now validated when a user changes their password in the user profile
  • Only violated password rules are displayed; validation resets on input

Modeler Enhancements

  • First stable release of Modeler as cibseven-modeler 1.0.0 and cibseven-modeler-ee 1.0.0 npm packages
  • Element template icons displayed in the BPMN diagram and in the template chooser modal
  • Collapsible Properties/Chat side panel with toggle strip (chevron button on panel edge), similar to Camunda Desktop Modeler behavior
  • Plugin extension point for integrating third-party plugins into the modeler
  • group property inside element-template scopes is now respected, splitting scope properties into labeled sub-groups
  • Download button for diagram list items on the Start Page
  • Default task type marker (user figure, gears, etc.) stays visible alongside the applied element-template icon
  • Toast notification shown after successful deployment or process start, with a redirect option
  • Diagram and form creation modal inputs are focused on open; press Enter to confirm creation
  • Fixed unique IDs for internal/external template filter checkboxes

Modeler EE Features (EE exclusive)

  • Diagram Snapshots — capture and manage diagram version snapshots with full version history
  • Version Comparison — compare any two diagram snapshots side-by-side with visual diff highlighting
  • Code Diff — BPMN and DMN code diff view for detailed XML-level comparison between versions
  • Token Simulation — simulate process token flow interactively in the modeler editor
  • Download as SVG — export any diagram as a scalable vector graphics file
  • Concurrent Access Detection — detect and notify when multiple users are editing the same diagram simultaneously
  • Element Highlighting — visually highlight BPMN elements in the diagram for presentation or review

Docker — OpenTelemetry & JMX

  • Built-in OpenTelemetry agent configuration in Docker images
  • JMX metrics export support via OpenTelemetry
  • run4 distribution Docker image with JPDA remote debug mode support
  • AI_AGENT_ENABLED environment variable (default true) to toggle the AI agent connector at startup without modifying or deleting files; supported in Tomcat and WildFly Docker images; for run distribution, AI agent is on in dev/default mode and off in --production mode

User Experience Improvements

  • Process instance details shown in a sidebar: instance data, status icons, incident count, links to process definition, deployment, and parent instances
  • Added separate process instance search for runtime-only processes (since 2.1.6)
  • Added “Runtime-only instances” tab view for selected process definition (since 2.1.6)
  • Added incidents icon with the total incident count in process instance search views (since 2.1.6)
  • Added separate local storage keys for runtime and history search views (since 2.1.6)
  • Enabled sorting for the process instance ID column (since 2.1.6)
  • Hid unreliable variables and incident criteria in historic search for non-full history levels

Incidents

  • Show incidents from history and runtime tables based on the configured history level (since 2.1.6)
  • Improved stack trace visibility for incidents originating from the selected process and its subprocesses (since 2.1.6)
  • Fixed BPMN diagram incident badges not shown in process definition and process instance views (since 2.1.6)
  • Fixed subprocess incident badges not displayed in the main process instance view (since 2.1.6)
  • Fixed incident badges not shown on Call Activity elements in instance view with audit history level (since 2.1.6)
  • Enabled retrying subprocess incidents from the parent process (since 2.1.5)

Variables

  • Variables table: show BPMN scope name, highlight element on click, and fix direct diagram selection
  • Variables table: activityIdBadge component for improved variable filtering by activity
  • Variables table: copy variable name with a single click via CopyableActionButton
  • Variables table: added activity instance id column and fixed scope column value (since 2.1.5)
  • Fixed fetching of variables for audit history level in process instance view (since 2.1.6)

Tasks

  • Configurable display of process variables on task cards
  • Task frame can now be scrolled when a task is not yet assigned
  • Generic form: add and modify task variables directly for empty user tasks (file uploads and existing variable editing supported)

User Management

  • Case-insensitive user search using the likePatternIgnoreCase parameter

BPMN Diagram

  • Short number format option for badge numbers in the BPMN Viewer (user preference; e.g. 1.2k instead of 1200)
  • Element template icons rendered in the cockpit BPMN viewer
  • Fixed reset of activity instance and history state when navigating from main process to subprocess (since 2.1.6)
  • Enhanced navigation between process instances and process definitions, with and without tenantId (since 2.1.5)

Deployments

  • Deployments view is refreshed after deleting a deployment; selection is preserved when deletion fails

Analytics

  • Runtime batch count now reflected on the cockpit dashboard
  • Historic Batches view shows an informational message when the configured history level does not support batch history

Accessibility

  • Comprehensive WCAG improvements: aria attributes, navigation landmarks, calendar start-day alignment, modal heading levels, and screen reader support for navbar and sidebar components
  • eslint-plugin-vuejs-accessibility integrated for ongoing accessibility linting

Process Management (EE exclusive)

  • Fixed a problem deleting all versions of a process definition
  • Deferred store update in RemoveAllVersionsModal until the user dismisses the success modal, preventing premature UI state changes
  • Fixed pluralization for instance restart and modify notification messages

Bug Fixes

  • Fixed WildFly deployment crash caused by JakartaXmlBindAnnotationModule conflict in jackson 2.21.x; standardized web client logging backend to logback
  • Fixed ElementTemplateLoader race condition on fresh databases by deferring initialization to ContextRefreshedEvent
  • Fixed jackson FAIL_ON_UNKNOWN_PROPERTIES causing deserialization failures for unknown fields
  • Fixed EngineProvider not handling 401 Unauthorized response for legacy configuration fallback
  • Fixed BFormDatepicker and BCalendar starting the month on the wrong day
  • Fixed resizable column cursor and sorting arrows display
  • Fixed focus restoration when closing a modal whose trigger element is hidden
  • Fixed URL validation to use URL parser for http/https URLs, accepting localhost, IPs, and ports
  • Fixed BButton click and submit events not always being handled correctly
  • Fixed DeploymentsView filter to use nameLike for deployment name queries
  • Fixed RenderTemplate iframe: added load event listener to manage loader state correctly
  • Fixed TasksNavBar missing filter variable label display when labels are absent
  • Fixed process instance deletion for instances with state INTERNALLY_TERMINATED
  • Fixed DirectProvider form submit and engine config retrieval
  • Fixed BpmnViewerPlugin event emission (activity-id renamed to child-activity)
  • Fixed duplicate unified-diagrams request on ModelerViewEE load (EE exclusive)
  • Fixed page reload after process execution in the execution instances modal (since 2.1.6)
  • Fixed token movement from incident activity to Start Event in Modify view (since 2.1.5)

Technical Updates

Dependency Updates

  • Update Spring Boot from 3.5.9 to 3.5.14
  • Update spring-boot-4 to 4.0.6 (new Spring Boot 4 distribution)
  • Update log4j from 2.25.3 to 2.25.4
  • Update jackson from 2.19.4 to 2.21.2
  • Update jackson core from 2.19.4 to 2.21.2
  • Update tomcat to 11.0.22
  • Update tomcat10 from 10.1.49 to 10.1.55 (Spring Boot 3.x embedded)
  • Update tomcat9 from 9.0.110 to 9.0.118
  • Update wildfly from 37.0.1.Final to 40.0.0.Final
  • Update wildfly.core from 29.0.1.Final to 32.0.0.Final
  • Update groovy script engine from 4.0.27 to 5.0.4
  • Update nodejs from 20.14.0 to 24.13.1
  • Update npm from 10.7.0 to 11.8.0
  • Update openssl (libcrypto3, libssl3) from 3.5.5-r0 to 3.5.6-r0 (Alpine base image)
  • Update musl from 1.2.5-r21 to 1.2.5-r23 (Alpine base image)
  • Update zlib to 1.3.1-r2 (Alpine base image)
  • Update libtasn1 to 4.21.0-r0 (Alpine base image)
  • Update c-ares (Alpine base image update to 3.23)
  • Update OpenTelemetry Java agent from 2.23.0 to 2.26.1 to resolve CVE-2026-33701 (Alpine base image)
  • Update @cib/bootstrap-components from 1.0.1 to 1.0.3
  • Update @cib/common-frontend from 1.0.1 to 1.0.3
  • Update @cib/bootstrap-theme to 1.0.0 (new package extracted from webclient)
  • Update cibseven-modeler to 1.0.0 (first stable release)
  • Update cibseven-modeler-ee to 1.0.0 (first stable EE release)
  • Update vue from 3.5.16 to 3.5.33
  • Update vue-i18n to 11.4.0
  • Update vue-router from 4.5.1 to 5.0.6
  • Update axios to 1.13.2
  • Update qs from 6.14.0 to 6.14.1
  • Update rollup to 4.60.2
  • Update vite to 6.4.2
  • Update eslint to 9.39.4

Resolved CVE Vulnerabilities

Critical Severity

  • CVE-2025-15467 - CVSS 9.8. Affects libcrypto3, libssl3. (since 2.1.4)
  • CVE-2025-12543 - CVSS 9.6. Package: io.undertow:undertow-core. (since 2.1.4)
  • CVE-2025-66614 - CVSS 9.1. Improper Input Validation in Apache Tomcat. (since 2.1.5)
  • CVE-2026-31789 - Heap buffer overflow when converting an excessively large OCTET STRING value to hexadecimal on 32-bit platforms in openssl, leading to potential attacker-controlled code execution. (since 2.1.6)
  • CVE-2026-29145 - CLIENT_CERT authentication does not fail as expected when soft fail is disabled in Apache Tomcat and Apache Tomcat Native, allowing authentication bypass. (since 2.1.6)
  • CVE-2026-33701 - CVSS 9.3. Unsafe deserialization in the OpenTelemetry Java agent’s RMI instrumentation, with potential RCE. Affects all versions < 2.26.1. Resolved by updating the OpenTelemetry Java agent to 2.26.1 in the Docker image (loaded via CATALINA_OPTS / PREPEND_JAVA_OPTS / JAVA_OPTS).
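As an added example (not code from the CIB seven project), a Python check a defender can run against a container's JVM option variables to confirm that every agent loaded via CATALINA_OPTS / PREPEND_JAVA_OPTS / JAVA_OPTS is at 2.26.1 or later, the first release without CVE-2026-33701. It assumes the agent is referenced as -javaagent:<jar> and that the jar's manifest carries an Implementation-Version header; both are assumptions, not statements from these release notes, and the jars used in the demo are constructed fixtures.

```python
"""Verify the OpenTelemetry Java agent version referenced from JVM option variables.

Assumptions (not from the release notes): the agent is passed as -javaagent:<jar>
and the jar's META-INF/MANIFEST.MF contains an Implementation-Version header.
"""
import io
import re
import zipfile
from pathlib import Path
from typing import Dict, List, Optional

# First OpenTelemetry Java agent release that fixes CVE-2026-33701 (from the notes above).
FIXED_VERSION = (2, 26, 1)

# Matches "-javaagent:/path/agent.jar" and "-javaagent:/path/agent.jar=options".
_JAVAAGENT_RE = re.compile(r"-javaagent:([^\s=]+)")


def find_agent_jars(*opts_values: Optional[str]) -> List[str]:
    """Collect every -javaagent jar path from the given option strings (None is skipped)."""
    jars: List[str] = []
    for value in opts_values:
        if value:
            jars.extend(_JAVAAGENT_RE.findall(value))
    return jars


def parse_version(text: str) -> tuple:
    """'2.26.1' -> (2, 26, 1); a pre-release suffix such as '-alpha' is ignored."""
    core = text.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))


def manifest_version(jar_bytes: bytes) -> Optional[str]:
    """Read Implementation-Version from the jar manifest, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        try:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    # Manifest lines over 72 bytes continue on the next line with a leading space.
    manifest = manifest.replace("\r\n", "\n").replace("\n ", "")
    match = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
    return match.group(1) if match else None


def agent_is_patched(jar_bytes: bytes) -> bool:
    """True only when the manifest version is known and >= FIXED_VERSION."""
    version = manifest_version(jar_bytes)
    if version is None:
        return False  # unknown version: treat as unpatched, never as safe
    return parse_version(version) >= FIXED_VERSION


def audit_agents(env: Dict[str, str], read_jar=lambda p: Path(p).read_bytes()) -> Dict[str, bool]:
    """Map each -javaagent jar found in the three option variables to patched/unpatched."""
    result: Dict[str, bool] = {}
    jars = find_agent_jars(env.get("CATALINA_OPTS"), env.get("PREPEND_JAVA_OPTS"), env.get("JAVA_OPTS"))
    for jar in jars:
        try:
            result[jar] = agent_is_patched(read_jar(jar))
        except (OSError, zipfile.BadZipFile):
            result[jar] = False  # missing or unreadable jar counts as unverified
    return result


def make_fake_agent_jar(version: str) -> bytes:
    """Constructed fixture: a minimal jar containing only a manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: one vulnerable agent and one patched agent (paths are placeholders).
    fixtures = {"/opt/otel/old-agent.jar": make_fake_agent_jar("2.23.0"),
                "/opt/otel/new-agent.jar": make_fake_agent_jar("2.26.1")}
    sample_env = {"JAVA_OPTS": "-Xmx2g -javaagent:/opt/otel/old-agent.jar=otel.debug=true",
                  "CATALINA_OPTS": "-javaagent:/opt/otel/new-agent.jar"}
    for jar, ok in audit_agents(sample_env, fixtures.__getitem__).items():
        print(f"{jar}: {'patched' if ok else 'VULNERABLE to CVE-2026-33701'}")
```

Run it inside the container with `audit_agents(dict(os.environ))` to check the real jars on disk.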

High Severity

  • CVE-2024-3884 - CVSS 7.5. Package: io.undertow:undertow-core. (since 2.1.4)
  • CVE-2024-4027 - CVSS 7.5. Package: io.undertow:undertow-core. (since 2.1.4)
  • CVE-2025-9784 - CVSS 7.5. Package: io.undertow:undertow-core. (since 2.1.4)
  • CVE-2025-23368 - CVSS 8.1. Package: org.wildfly.core:wildfly-elytron-integration. (since 2.1.4)
  • CVE-2025-69419 - CVSS 7.4. Affects libcrypto3, libssl3. (since 2.1.4)
  • CVE-2025-69421 - CVSS 6.5. Affects libcrypto3, libssl3. (since 2.1.4)
  • CVE-2026-21932 - CVSS 7.4. Package: openjdk21-jre-headless. (since 2.1.4)
  • CVE-2026-21945 - CVSS 7.5. Package: openjdk21-jre-headless. (since 2.1.4)
  • CVE-2026-24734 - CVSS 7.5. Improper Input Validation in Apache Tomcat Native and Apache Tomcat. (since 2.1.5)
  • CVE-2026-29062 - CVSS 8.7. Nesting depth constraint bypass in com.fasterxml.jackson.core:jackson-core can trigger StackOverflowError and Denial of Service. (since 2.1.5)
  • CVE-2026-28387 - Use-after-free and/or double-free in openssl during DANE TLSA-based server authentication, leading to potential code execution. (since 2.1.6)
  • CVE-2026-28388 - NULL pointer dereference in openssl during delta CRL processing when the CRL Number extension is missing, leading to Denial of Service. (since 2.1.6)
  • CVE-2026-28389 - NULL pointer dereference in openssl when processing a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo, leading to Denial of Service. (since 2.1.6)
  • CVE-2026-28390 - NULL pointer dereference in openssl when processing a crafted CMS EnvelopedData message with KeyTransportRecipientInfo, leading to Denial of Service. (since 2.1.6)
  • CVE-2026-29129 - Configured cipher preference order not preserved in Apache Tomcat. (since 2.1.6)
  • CVE-2026-34483 - Improper encoding/escaping of output in the JsonAccessLogValve component of Apache Tomcat. (since 2.1.6)
  • CVE-2026-34487 - Kubernetes bearer token exposed in log files via the cloud membership clustering component of Apache Tomcat. (since 2.1.6)
  • CVE-2026-40200 - Stack-based memory corruption in musl libc during qsort of very large arrays. (since 2.1.6)
  • CVE-2025-55182 - CVSS 10.0. Critical React vulnerability. Note: react is used only for documentation page generation and is not present in the production CIB seven platform.

Medium Severity

  • CVE-2025-58057 - CVSS 7.5. Package: io.netty:netty-codec. (since 2.1.4)
  • CVE-2025-67735 - CVSS 6.5. Package: io.netty:netty-codec-http. (since 2.1.4)
  • CVE-2026-1002 - Package: io.vertx:vertx-core. (since 2.1.4)
  • CVE-2025-11187 - CVSS 6.1. Affects libcrypto3, libssl3. (since 2.1.4)
  • CVE-2025-15468 - CVSS 5.9. Affects libcrypto3, libssl3. (since 2.1.4)
  • CVE-2025-15469 - CVSS 5.5. Affects libcrypto3, libssl3. (since 2.1.4)
  • CVE-2025-66199 - CVSS 5.9. Affects libcrypto3, libssl3. (since 2.1.4)
  • CVE-2025-68160 - CVSS 4.7. Affects libcrypto3, libssl3. (since 2.1.4)
  • CVE-2025-69418 - CVSS 4.0. Affects libcrypto3, libssl3. (since 2.1.4)
  • CVE-2025-69420 - CVSS 5.9. Affects libcrypto3, libssl3. (since 2.1.4)
  • CVE-2026-22795 - CVSS 5.5. Affects libcrypto3, libssl3. (since 2.1.4)
  • CVE-2026-22796 - CVSS 5.9. Affects libcrypto3, libssl3. (since 2.1.4)
  • CVE-2026-21925 - CVSS 4.8. Package: openjdk21-jre-headless. (since 2.1.4)
  • CVE-2026-21933 - CVSS 6.1. Package: openjdk21-jre-headless. (since 2.1.4)
  • GHSA-72hv-8253-57qq - CVSS 6.9. Async parser number length constraint bypass in com.fasterxml.jackson.core:jackson-core can cause excessive memory allocation and CPU exhaustion, leading to Denial of Service. (since 2.1.5)
  • CVE-2026-22184 - CVSS-B 4.6. Global buffer overflow in zlib. Fixed by updating to 1.3.1-r2 (Alpine base image). (since 2.1.5)
  • CVE-2026-31790 - Uninitialized memory buffer may be disclosed to a malicious peer when using RSASVE key encapsulation in openssl. (since 2.1.6)
  • CVE-2026-34480 - XmlLayout in log4j-core fails to sanitize characters forbidden by the XML 1.0 specification, producing invalid XML output. (since 2.1.6)
  • CVE-2026-25854 - Open Redirect vulnerability in Apache Tomcat via the LoadBalancerDrainingValve. (since 2.1.6)
  • CVE-2026-32990 - Improper Input Validation in Apache Tomcat (incomplete fix for CVE-2025-66614). (since 2.1.6)
  • CVE-2026-34500 - CLIENT_CERT authentication does not fail as expected when soft fail is disabled and FFM is used in Apache Tomcat. (since 2.1.6)
  • CVE-2025-11226 - CVSS 6.4. Package: ch.qos.logback:logback-core.
  • CVE-2024-58251 - Affects busybox, busybox-binsh, ssl_client (Alpine base image).

Low Severity

  • CVE-2026-1225 - Package: ch.qos.logback:logback-core. (since 2.1.4)
  • CVE-2025-58056 - CVSS 7.5. Package: io.netty:netty-codec-http. (since 2.1.4)
  • CVE-2026-24733 - CVSS 3.7. Improper Input Validation in Apache Tomcat. (since 2.1.5)
  • CVE-2026-2673 - OpenSSL TLS 1.3 server may fail to negotiate the expected preferred key exchange group when the server configuration uses the DEFAULT keyword. (since 2.1.6)
  • CVE-2025-61795 - CVSS 5.3. Package: org.apache.tomcat.embed:tomcat-embed-core.
  • CVE-2025-46394 - CVSS 3.3. Affects busybox, busybox-binsh, ssl_client (Alpine base image).

Build & Configuration

  • Single branch now produces both Spring Boot 3.5 and Spring Boot 4.0 WARs; the parallel spring-boot-4 branch has been retired
  • Java 17 Docker images removed; only Java 21 images are built
  • run4 distribution (Spring Boot 4-based) added to Docker image matrix alongside run, tomcat, and wildfly
  • Connector element-templates (cibseven-ai-agent.json, cibseven-knowledge-ingestor.json) resolved at runtime from the connector JAR classpath; the element-templates/ bind-mount in docker-compose.yml moved to configuration/element-templates/ (outside the engine auto-deploy scan)
  • cib-bootstrap-theme extracted as a standalone npm package — single source of truth for CIB brand SCSS
  • WildFly Spring Boot 4 webclient (wildfly 40) support added
  • MariaDB SQL scripts updated for migration from CIB seven 2.1.3 (Camunda 7.23) (since 2.1.5)
  • org.cibseven.connect:cibseven-connect-core excluded from the shaded artifact (since 2.1.5)
