Fix Readme
Abstract
This document lists APAR fixes included in IBM Business Automation Workflow on containers 26.0.0.0
Content
| Fix list for: | IBM Business Automation Workflow on containers |
|---|---|
| Product Release: | 26.0.0.0 |
| Publication Date: | 26 June 2026 |
Contents
To benefit from all the fixes listed in this document, install or update to IBM Business Automation Workflow on Containers 26.0.0.0. For more information, refer to the IBM Cloud Pak for Automation download documents.
The following table lists APARs specific to Business Automation Workflow on Containers. Depending on what components and capabilities you installed and configured, more fix information can apply to you. See the "List of Fixes" in Fix list for Cloud Pak for Business Automation 26.0.0.
Fixes that involve correcting security exposures are indicated with an 'X'.
| APAR/Known Issue | Security | Behavior Change | Title |
|---|---|---|---|
| DT456161 | X | CVE-2025-27789 reported for runtime-7.25.7.tgz in web Process Designer | |
| DT457061 | X | Security vulnerability (CVE-2025-13095) in Server side Request Forgery affects IBM Workflow Center, Workflow Server and Business Automation Studio | |
| DT457837 | X | Update lz4-java-1.8.0.jar to address CVE-2025-12183 | |
| DT458127 | X | CVE findings in a library called lz4-java-1.8.0.jar for Case Emitters | |
| DT458920 | X | Multiple vulnerabilities in urllib3-2.5.0-py3-none-any.whl | |
| DT459220 | X | CVE-2025-68429 in addon-actions-8.6.14.tgz | |
| DT459452 | X | CVE-2025-68664 - LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs | |
| DT459901 | X | CVE-2026-22029 in router-1.23.0.tgz packaged with IBM Business Automation Workflow | |
| DT460278 | X | CVE-2024-29371 for jose4j found in CaseManager application | |
| DT460285 | X | The rhino library packaged in the navigator files is vulnerable. - IBM Business Automation for Workflow | |
| DT460287 | X | The Rhino jars packaged in Case Event emitter are vulnerable | |
| DT460289 | X | The lz4-java library packaged in the Case History Emitter is vulnerable | |
| DT460338 | X | Security vulnerability CVE-2025-68161 in log4j library affects IBM Process Federation Server | |
| DT460923 | X | CVE-2025-13465 in lodash versions 4.0.0 packaged with Process Admin Console | |
| DT460925 | X | Updating undici to address CVE-2026-22036 | |
| DT462331 | X | Security vulnerability CVE-2025-68161 affects log4j-core | |
| DT465142 | X | Update langgraph-1.0.9-py3-none-any.whl to address CVE-2026-28277 | |
| DT465319 | X | Update immutable to address CVE-2026-29063 PAC | |
| DT465421 | X | Update storybook-8.6.15.tgz to address CVE-2026-27148 | |
| DT465428 | X | Update jetty-http-9.4.57.v20241219.jar to address CVE-2025-11143 | |
| DT465690 | X | GHSA-72hv-8253-57qq - jackson-core - IBM Business Automation Worfklow Business Automtion Insights Flink jobs | |
| DT465692 | X | GHSA-72hv-8253-57qq - jackson-core - Process Federation Server | |
| DT465693 | X | GHSA-72hv-8253-57qq - jackson-core - bpm/Lombardi/lib | |
| DT465826 | X | Multiple vulnerabilities in Postgres on BAW Trial image | |
| DT465923 | X | Security: Update pillow to address CVE-2026-25990 | |
| DT465928 | X | Security: Update golang in workflow operators to address multiple CVEs | |
| DT466017 | X | Security: Update google.golang.org/grpc in operators to address CVE-2026-33186 | |
| DT466609 | X | GHSA-72hv-8253-57qq - jackson-core - Business Automation Worfklow | |
| DT467065 | X | GHSA-72hv-8253-57qq - jackson-core -CaseHistory Emitter- IBM Business Automation Workflow | |
| DT467070 | X | GHSA-72hv-8253-57qq - jackson-core -Case Event Emitter- IBM Business Automation Workflow | |
| DT467311 | X | Update picomatch-2.3.1.tgz to address CVE-2026-33671, CVE-2026-33672 in Process Admin Console | |
| DT467413 | X | Security vulnerabilities (CVE-2026-33671 & CVE-2026-33672) affect picomatch v2.3.1 and (CVE-2026-29063) immutable.js v4.3.7 | |
| DT467457 | X | Update lodash-4.17.23.tgz to address CVE-2026-2950, CVE-2026-4800 - Process Admin Console | |
| DT467487 | X | Security: update rsync to address CVE-2025-10158 workflow-ps-trial | |
| DT467494 | X | Update requests-2.32. to address CVE-2026-25645 - BAW ML | |
| DT467830 | X | Update axios-1.13.5.tgz to address CVE-2025-62718, CVE-2026-40175 - Process Admin Console | |
| DT467835 | X | Update cryptography-46.0.6-cp311-abi3-manylinux_2_34_x86_64.whl to address CVE-2026-39892 | |
| DT467837 | X | Update langchain_core-1.2.2 to address CVE-2026-40087 | |
| DT467841 | X | Update kafka-clients-3.9.1.jar to address CVE-2026-35554 | |
| DT468116 | X | Security: Update golang to 1.26.2 to address multiple CVEs | |
| DT454906 | When managing EPVs in the Process Admin Console, a full refresh of the browser is required for changes to take effect when updating variables | ||
| DT454930 | team_bindings Swagger/Ops REST API call is case sensitive | ||
| DT456031 | NullPointerException thrown on BPMUpdateSystemApp command while upgrading to Business Automation Workflow 24.0.1.0 | ||
| DT456078 | Workplace errors occur with saved searches when using Oracle | ||
| DT456678 | In Cloud Pak For Business Automation 23.0.2, there is an invalid target environment found on Workplace toolkit | ||
| DT456747 | The Business Automation Workflow Admin Desktop fails to load the list of Object stores when there are large number of target object stores | ||
| DT457050 | Process Inspector fails when loading process instances that contain very large String variable data | ||
| DT457086 | Calling a service from an undercover agent (UCA) behaves differently from calling a service directly | ||
| DT457280 | In-basket task counter is not displayed correctly after upgrading from 22.0.2 to 24.0.0.0 | ||
| DT457499 | Slow performance or failure to get the latest task data when running a process | ||
| DT457658 | In a Microsoft SQL Server database environment, a BadSqlGrammarException error causes Event Manager job failure instead of a process instance failure | ||
| DT457731 | Cannot use new provided models from watsonx.ai runtime that do not include max_output_tokens | ||
| DT457784 | Process Portal navigation fails to access saved searches when system is federated - IBM Business Automation Workflow | ||
| DT457911 | Slow performance when filtering process instances by 'Person' in Process Inspector | ||
| DT457951 | Process instance migration fails due to unactivated TWObject | ||
| DT458129 | Cannot change the 'Instance Status' for the 'Process Instance Alerts' in Process Admin Console in Japanese locale | ||
| DT458398 | Process Portal slow to load after login due to repeated LSW_BRANCH queries in /rest/bpm/wle/v1/exposed API | ||
| DT458592 | DOC: Transactional Service Flow feature only available in cloud environments | ||
| DT458657 | Saved Searches in Workplace are not executed correctly | ||
| DT458750 | CaseManager API returns the SQL query when invalid parameters are passed | ||
| DT458781 | Some work items that were visible in the in-basket prior to the upgrade are no longer visible after upgrading to Business Automation Workflow V25.0.0 | ||
| DT459023 | Username wraps onto next line in the comments dialog | ||
| DT459336 | UI Button Missing in Content Navigator on Initial Page Load | ||
| DT459364 | In Process Admin Console, the 'Task Data' section in generated Performance->Dashboard report shows incorrect values | ||
| DT459460 | Preventing Script Injection in Rest Parameters | ||
| DT459524 | NullPointerException occurs when a time schedule does not set effective days | ||
| DT459778 | Group members from Azure AD are unable to be returned by Workflow | ||
| DT459989 | Null pointer exceptions seen during snapshot deployment | ||
| DT460078 | NullPointerException occurs during Workplace logout | ||
| DT460222 | REST API /std/bpm/uca/event_manager_tasks/DELETE fails with CWTBG0019E error and Microsoft SQL syntax errors | ||
| DT460313 | Trying to start the docker image on windows for the second time fails because of certificate permissions errors | ||
| DT460318 | Unable to select values containing '&' character in Single select view when Typeahead behavior is enabled | ||
| DT460832 | A NullPointerException occurs in a process that contains a user task having a null input variable expression | ||
| DT461026 | cometd reveals data to unauthorized users | ||
| DT461413 | Workplace Assistant generates inaccurate responses and unuseful summary | ||
| DT461680 | Case Lock is not happening when two users opening the same workitem in the Inbasket at the same time | ||
| DT461716 | Business Automation Workflow (BAW) server is shut down when a large number of Business Automation Insights (BAI) messages buildup due to RecordTooLargeException | ||
| DT461762 | Workplace Assistant generates inaccurate responses and unuseful summary for case instances | ||
| DT461763 | When Federated Data Repository indexing is enabled, excessive updates occur on the FED_PARTITIONING_AGENT table | ||
| DT461822 | In the Process Performance dashboard the batch modify dialog is empty and shows an error | ||
| DT461837 | 'Maximum call stack size exceeded' error reported when the Table view from UI Toolkit contains thousands of views | ||
| DT462169 | Intermittent ArrayIndexOutOfBoundsException thrown when running GET /bpm/user-tasks call | ||
| DT462309 | TypeError seen in browser's console when data change occurs in coach containing an uninitialized Radio button group view from the UI Toolkit | ||
| DT462586 | Exposed Automation Service (REST) omits null value properties from response payload after upgrade to V24.x | ||
| DT462714 | Table data is not displayed in coach when Table view is nested in Panel view and Grid within a view | ||
| DT462775 | An exception is logged when opening a Process in the Process Designer | ||
| DT462978 | Unable to open task in IBM Workplace via Load Balancer after Upgrading to 25.0.0 | ||
| DT463421 | Names are getting truncated in the UI if multiple users returned when reassigning a case to another user. | ||
| DT463715 | Federated Data Repository partitioning must be more resilient | ||
| DT463826 | Performance problem when using the BPMTasksCleanup command to delete a large number of tasks | ||
| DT463838 | Process Admin Console navigation menu not rendered correctly | ||
| DT463840 | DELETE Install Packages API Returns Success but Does Not Remove Entries from Database tables | ||
| DT463889 | Creating a subfolder using a custom type folder class in Microsoft Sharepoint fails with CWTBI0009E | ||
| DT463944 | Null values are not handled correctly when using JavaScript expressions for data mapping inputs within client-side human service | ||
| DT464196 | User task containing a content object fails when saving with the error 'TWObject defined by the case content object ... is not a valid content object' | ||
| DT464406 | Task Title Link Disappears After Claiming a Task When ''Owner'' Column Is Displayed in Workplace | ||
| DT464455 | 'Asset cannot be retrieved' error observed in logs when opening Process Portal in Firefox | ||
| DT464552 | Exception during the Business Automation Workflow on containers installation. | ||
| DT464603 | Workflow tab goes blank and filters doesn't work after some filter condition changes | ||
| DT464744 | Business Automation Workflow audit log generates logs which have an incorrect JSON format | ||
| DT464906 | Opening and closing work items from a user in-basket is slow due to retrieving repeated number of requests for retrieving choice lists | ||
| DT464992 | CWTDS0037E: The credentials for the authentication alias 'EmbeddedECMTechnicalUser' are invalid | ||
| DT465131 | Placeholder text for Single select view not displayed when typeahead behavior is enabled | ||
| DT465259 | Upgrading the Process Federation Server to 25.0.0 using documented steps results in continuous crashloopbackoff on the Process Federation Server Pod | ||
| DT465266 | DOC: Clarify supported Kubernetes platform for Business Automation Workflow on containers installations v25 and later. | ||
| DT465349 | Issue where the empty list message disappears after sorting in the ECM File List | ||
| DT465538 | Misleading CWTBG0029E error shown when updating an XMLElement variable in a service | ||
| DT465541 | Properties are not displayed in the alphabetical order within system-generated views in the Add Activity page, when a discretionary activity is launched | ||
| DT465603 | Can not remove non-existent users from Team Bindings with Swagger REST team_bindings DELETE operation | ||
| DT465705 | JavaScript API defaultSnapshot Does Not Return Tip in Workflow Center | ||
| DT466199 | Maintain Deployment History in Workflow Center Console After Using delete install_packages OPS API | ||
| DT466579 | Removing the commons-configuration.jar file in Library.xml file after iFix 8.6.90025000-WS-BPM-IF003 in BAW v25 | ||
| DT466758 | Clearing a date value from a Case property of datatype DateTime and saving the empty value at runtime does not reset the value to empty as expected | ||
| DT466792 | Configure case integration task fails with appplication deployment failed error when case indexing is enabled | ||
| DT466819 | Add Case Page validation errors not shown after updating to 24.0.1.0 IF006 | ||
| DT467033 | DuplicateKeyException is thrown when creating task index due to a race condition | ||
| DT467314 | DOC: Process Admin Console authorization is not documented for container environments and Cloud Pak for Business Automation | ||
| DT467771 | Unable to open the case details page with BAW and CM8 integration | ||
| DT468026 | Drag and Drop does not work for *.msg files when using Enterprise Content Management File Uploader | ||
| DT468070 | ProcessInstanceCaseSystemPropertyRepair fails on SQL Server when there are more than 1000 process instances to repair | ||
| DT468219 | The eclipse based case configuration tool is to be removed from the installed files | ||
| DT468320 | Update log4j-core-2.25.3.jar to address multiple CVEs | ||
| DT468563 | Chart colour inconsistency in Team Performance dashboard | ||
| DT468786 | Case Comments section is not working with issue content undefined. | ||
| DT469116 | Snapshot Deployment Fails Due to System Toolkit Version Mismatch Between Process Application and Dependent Toolkit | ||
| DT469396 | Client-Side Human Service Remote Debugging in Process Designer Fails with Task Not Found Error (CWTBG0048E) | ||
| DT469428 | DOC: Upate the BAW documentation for BAW 22.0 onwards to state that a user in the manager group can access workflow process work items; it is not limited to a user with tw_admin group membership. | ||
| DT469671 | DOC: Removing properties from a customer defined Business Object used by as Input for an UCA leads to backward compatibility issues and CWLLG2229E error | ||
| DT469955 | DOC: Missing documentation describing which Javascript APIs require the Lucene Index | ||
| DT470147 | Workplace full text search is not working | ||
| DT470175 | Performance Clearing House network objects keep growing in memory | ||
| DT470732 | Update langchain_core-1.2.31-py3-none-any.whl to address CVE-2026-44843 | ||
| DT470865 | Process instance migration fails in a network deployment environment with two or more cluster nodes due to ContentObjectMigrationService errors | ||
| DT471014 | DOC: Documentation for BPMConfig with -omitPasswordValidation needs to be improve to include its implications | ||
| DT471319 | NullPointerException logged at runtime due to exposedInApp element in client-side human service model | ||
| DT471364 | DOC: Incorrect guidance when Configuring single sign-on with LTPA for an external Content Platform Engine | ||
| DT471403 | During database failover, the process instance fails because the transaction is not retried when a StaleConnectionException occurs | ||
| DT471415 | DOC: Conflicting Manual and Automated Configuration Guidance for Case Event Emitter in BAW 25.x | ||
| DT471428 | BAI dashboard is not displaying data for process instances that are started before BAW event emitters are enabled | ||
| DT471449 | Viewing Process Diagram fails in WFPS with NullPointerException due to missing SYSTEM_COACHES toolkit | ||
| DT471897 | High CPU usage when enabling the Federated Data Repository process indexing |
- 26 June 2026: Initial publish.
Related Information
Fix list for Cloud Pak for Business Automation 26.0.0
Fix list for IBM Business Automation Workflow on containers 25.0.1.0
Fix list for Cloud Pak for Business Automation 25.0.1
Fix list for IBM Business Automation Workflow on containers 25.0.0.0
Fix list for Cloud Pak for Business Automation 25.0.0
Fix list for IBM Business Automation Workflow on containers 24.0.1.0
Fix list for Cloud Pak for Business Automation 24.0.1
Fix list for IBM Business Automation Workflow on containers 24.0.0.0
Fix list for Cloud Pak for Business Automation 24.0.0
Fix list for IBM Business Automation Workflow on containers 23.0.2
Fix list for Cloud Pak for Business Automation 23.0.2
Fix list for IBM Business Automation Workflow on containers 21.0.3
Fix list for Cloud Pak for Business Automation 21.0.3
Fix list for IBM Business Automation Workflow (Traditional)
IBM Business Automation Workflow lifecycle documents
IBM Business Automation Workflow and IBM Integration Designer Software Support …
[{"Type":"MASTER","Line of Business":{"code":"LOB76","label":"Data Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SS8JB4","label":"IBM Business Automation Workflow"},"ARM Category":[{"code":"a8m50000000Cca0AAC","label":"Upgrade and Migration"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"25.0.1"}]
Was this topic helpful?
Document Information
Modified date:
26 June 2026
UID
ibm17276622