Security notices
Camunda publishes security notices after fixes are available.
Notice 29
Publication date
October 7th, 2025
Products affected
- Camunda Tasklist
- Camunda Zeebe
- Camunda Operate
- Camunda Optimize
- Camunda Identity
Impact
The embedded Netty was affected by CVE-2025-58056, an HTTP request smuggling vulnerability in Netty. Incorrect parsing of chunked transfer encoding could allow attackers to craft malicious requests that are interpreted inconsistently by proxies and Netty.
How to determine if the installation is affected
You are using:
- Tasklist 8.7.0 - 8.7.12 or 8.5.0 - 8.5.22
- Zeebe 8.7.0 - 8.7.12 or 8.5.0 - 8.5.24
- Operate 8.7.0 - 8.7.12 or 8.5.0 - 8.5.20
- Optimize 8.7.0 - 8.7.9 or 8.6.0 - 8.6.16
- Identity 8.7.0 - 8.7.6 or 8.6.0 - 8.6.19 or 8.5.0 - 8.5.21
Solution
Camunda has provided the following releases which contain the fix:
- Tasklist 8.7.13, 8.5.23
- Zeebe 8.7.13, 8.5.25
- Operate 8.7.13, 8.5.21
- Optimize 8.7.10, 8.6.17
- Identity 8.7.7, 8.6.20, 8.5.22
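To run the "affected version" check of Notice 29 against a whole inventory of installed components, here is an added example (not Camunda's own tooling) that encodes the notice's affected ranges and fix releases and reports which installations need an upgrade; the sample inventory at the bottom is constructed.

```python
"""Check installed Camunda component versions against Notice 29.
Added example, not Camunda's own tooling: affected ranges and fix releases
are copied from the notice; the sample inventory at the bottom is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """'8.7.12' -> (8, 7, 12); compared numerically, so 8.7.10 > 8.7.9."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


@dataclass(frozen=True)
class AffectedRange:
    low: Version    # first affected release (inclusive)
    high: Version   # last affected release (inclusive)
    fixed: Version  # first release on that minor line containing the fix


def rng(low: str, high: str, fixed: str) -> AffectedRange:
    return AffectedRange(parse_version(low), parse_version(high), parse_version(fixed))


# Affected ranges and fix releases exactly as listed in Notice 29 (CVE-2025-58056).
NOTICE_29: Dict[str, List[AffectedRange]] = {
    "Tasklist": [rng("8.7.0", "8.7.12", "8.7.13"), rng("8.5.0", "8.5.22", "8.5.23")],
    "Zeebe":    [rng("8.7.0", "8.7.12", "8.7.13"), rng("8.5.0", "8.5.24", "8.5.25")],
    "Operate":  [rng("8.7.0", "8.7.12", "8.7.13"), rng("8.5.0", "8.5.20", "8.5.21")],
    "Optimize": [rng("8.7.0", "8.7.9", "8.7.10"), rng("8.6.0", "8.6.16", "8.6.17")],
    "Identity": [rng("8.7.0", "8.7.6", "8.7.7"), rng("8.6.0", "8.6.19", "8.6.20"),
                 rng("8.5.0", "8.5.21", "8.5.22")],
}


def required_fix(product: str, version_text: str,
                 notice: Dict[str, List[AffectedRange]] = NOTICE_29) -> Optional[str]:
    """Release to upgrade to if the version is inside an affected range, else None.
    None means only that the notice lists no range containing this version."""
    v = parse_version(version_text)
    for r in notice.get(product, []):
        if r.low <= v <= r.high:
            return ".".join(str(n) for n in r.fixed)
    return None


def report(inventory: List[Tuple[str, str]]) -> List[str]:
    """One status line per installed component, e.g. for a patch ticket."""
    lines = []
    for product, version in inventory:
        fix = required_fix(product, version)
        status = f"AFFECTED, upgrade to {fix}" if fix else "not in an affected range"
        lines.append(f"{product} {version}: {status}")
    return lines


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical installations, not from the notice).
    sample = [("Zeebe", "8.7.10"), ("Zeebe", "8.7.13"), ("Identity", "8.6.19"),
              ("Optimize", "8.6.17"), ("Tasklist", "8.8.0")]
    print("\n".join(report(sample)))
```

A version outside every listed range is reported as "not in an affected range", which is not the same as patched: the notice says nothing about minor lines it does not list.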
Notice 28
Publication date
September 9, 2025
Products affected
- Camunda Optimize
Impact
Optimize was affected by CVE-2025-5115, which allows a remote attacker to repeatedly send malformed HTTP/2 frames that exhaust a Jetty server's CPU and memory, causing a denial-of-service.
How to determine if the installation is affected
You are using:
- Optimize 8.7.0 - 8.7.8 or 8.6.0 - 8.6.15
Solution
Camunda has provided the following releases which contain the fix:
- Optimize 8.7.9, 8.6.16
Notice 27
Publication date
August 27, 2025
Products affected
- Camunda Optimize
Impact
Optimize's email functionality was affected by CVE-2025-7962, which allowed for SMTP injection by providing forged email recipient addresses that could lead to malicious content being sent to arbitrary recipients.
How to determine if the installation is affected
You are using:
- Optimize 8.7.0 - 8.7.7 or 8.6.0 - 8.6.14
Solution
Camunda has provided the following releases which contain the fix:
- Optimize 8.7.8, 8.6.15
Notice 26
Publication date
August 27th, 2025
Products affected
- Camunda Optimize
Impact
Optimize was affected by CVE-2025-53864, which allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion.
How to determine if the installation is affected
You are using:
- Optimize 8.7.0 - 8.7.7 or 8.6.0 - 8.6.14
Solution
Camunda has provided the following releases which contain the fix:
- Optimize 8.7.8, 8.6.15
Notice 25
Publication date
August 27th, 2025
Products affected
- Camunda Tasklist
- Camunda Zeebe
- Camunda Operate
- Camunda Optimize
Impact
The embedded Apache Tomcat was affected by CVE-2025-48989, which made Tomcat vulnerable to the MadeYouReset attack.
How to determine if the installation is affected
You are using:
- Tasklist 8.7.0 - 8.7.10 or 8.6.0 - 8.6.24 or 8.5.0 - 8.5.20
- Zeebe 8.7.0 - 8.7.10 or 8.6.0 - 8.6.24
- Operate 8.7.0 - 8.7.10 or 8.6.0 - 8.6.24 or 8.5.0 - 8.5.18
- Optimize 8.7.0 - 8.7.7 or 8.6.0 - 8.6.14
Solution
Camunda has provided the following releases which contain the fix:
- Tasklist 8.7.11, 8.6.25, 8.5.21
- Zeebe 8.7.11, 8.6.25
- Operate 8.7.11, 8.6.25, 8.5.19
- Optimize 8.7.8, 8.6.15
Notice 24
Publication date
August 27th, 2025
Products affected
- Camunda Tasklist
- Camunda Zeebe
- Camunda Operate
- Camunda Identity
- Camunda Optimize
Impact
The embedded Netty was affected by CVE-2025-55163, which allows malformed HTTP/2 control frames to be used to cause resource exhaustion and distributed denial of service.
How to determine if the installation is affected
You are using:
- Tasklist 8.7.0 - 8.7.10 or 8.6.0 - 8.6.24 or 8.5.0 - 8.5.20
- Zeebe 8.7.0 - 8.7.10 or 8.6.0 - 8.6.24 or 8.5.0 - 8.5.22
- Operate 8.7.0 - 8.7.10 or 8.6.0 - 8.6.24 or 8.5.0 - 8.5.18
- Identity 8.7.0 - 8.7.5 or 8.6.0 - 8.6.18 or 8.5.0 - 8.5.19
- Optimize 8.7.0 - 8.7.7 or 8.6.0 - 8.6.14
Solution
Camunda has provided the following releases which contain the fix:
- Tasklist 8.7.11, 8.6.25, 8.5.21
- Zeebe 8.7.11, 8.6.25, 8.5.23
- Operate 8.7.11, 8.6.25, 8.5.19
- Identity 8.7.6, 8.6.19, 8.5.20
- Optimize 8.7.8, 8.6.15
Notice 23
Publication date
July 31st, 2025
Products affected
- Camunda Tasklist
- Camunda Zeebe
- Camunda Operate
- Camunda Identity
- Camunda Optimize
Impact
The embedded Spring Boot Tomcat was affected by CVE-2025-53506, which allowed uncontrolled resource consumption that could be used to exhaust system resources in a potential DoS (denial of service) attack.
How to determine if the installation is affected
You are using:
- Tasklist 8.7.0 - 8.7.8 or 8.6.0 - 8.6.22 or 8.5.0 - 8.5.18
- Zeebe 8.7.0 - 8.7.8 or 8.6.0 - 8.6.22
- Operate 8.7.0 - 8.7.8 or 8.6.0 - 8.6.22 or 8.5.0 - 8.5.16
- Identity 8.7.0 - 8.7.4 or 8.6.0 - 8.6.17 or 8.5.0 - 8.5.18
- Optimize 8.7.0 - 8.7.6 or 8.6.0 - 8.6.12
Solution
Camunda has provided the following releases which contain the fix:
- Tasklist 8.7.9, 8.6.23, 8.5.19
- Zeebe 8.7.9, 8.6.23
- Operate 8.7.9, 8.6.23, 8.5.17
- Identity 8.7.5, 8.6.18, 8.5.19
- Optimize 8.7.7, 8.6.13
Notice 22
Publication date
July 31st, 2025
Products affected
- Camunda Tasklist
- Camunda Zeebe
- Camunda Operate
Impact
Part of our RESTful API that supported multipart file uploads was affected by CVE-2025-52520, which could lead to potential DoS (denial of service) attacks.
How to determine if the installation is affected
You are using:
- Tasklist 8.6.0 - 8.6.22 or 8.7.0 - 8.7.8
- Zeebe 8.6.0 - 8.6.22 or 8.7.0 - 8.7.8
- Operate 8.6.0 - 8.6.22 or 8.7.0 - 8.7.8
Solution
Camunda has provided the following releases which contain the fix:
- Tasklist 8.6.22
- Tasklist 8.7.9
- Zeebe 8.6.23
- Zeebe 8.7.9
- Operate 8.6.23
- Operate 8.7.9
Notice 21
Publication date
June 18th, 2025
Products affected
Camunda Web Modeler Self-Managed
Impact
The version of org.postgresql:postgresql used by Camunda Web Modeler Self-Managed was affected by CVE-2025-49146, potentially allowing a man-in-the-middle attacker to intercept connections when the PostgreSQL JDBC driver was configured with channel binding set to required.
How to determine if the installation is affected
You are using Camunda Web Modeler Self-Managed version 8.6.0 - 8.6.12, or 8.7.0 - 8.7.3.
Solution
Camunda has provided the following releases which contain the fix:
- Camunda Web Modeler Self-Managed 8.6.12
- Camunda Web Modeler Self-Managed 8.7.3
Notice 20
Publication date
June 17th, 2025
Products affected
Camunda Optimize
Impact
Camunda Optimize was affected by a vulnerability that allowed an attacker to gain improper access to Optimize data by using a modified JWT (JSON Web Token).
How to determine if the installation is affected
You are using Camunda Optimize ≤ 8.6.9 or ≤ 8.7.2.
Solution
Camunda has provided the following release which contains a fix:
Notice 19
Publication date
May 21st, 2025
Products affected
Camunda Web Modeler
Impact
The version of nodejs used by Camunda Web Modeler was affected by CVE-2025-23166, potentially allowing an adversary to remotely crash the Node.js runtime.
How to determine if the installation is affected
You are using Camunda Web Modeler Self-Managed version ≤ 8.4.17, ≤ 8.5.18, ≤ 8.6.10, or ≤ 8.7.1.
Solution
Camunda has provided the following releases which contain the fix:
- Camunda Web Modeler Self-Managed 8.4.18
- Camunda Web Modeler Self-Managed 8.5.19
- Camunda Web Modeler Self-Managed 8.6.11
- Camunda Web Modeler Self-Managed 8.7.2
The fix was deployed to Web Modeler SaaS on May 19, 2025, 15:10 CET.
Notice 18
Publication date
April 8th, 2025
Products affected
Camunda Optimize
Impact
Camunda Optimize was affected by a vulnerability that allowed an attacker to modify a JWT (JSON Web Token) so that they would be given improper access to Optimize.
How to determine if the installation is affected
You are using Camunda Optimize ≤ 8.4.15, ≤ 8.5.12, ≤ 8.6.6, ≤ 8.7.0, ≤ 3.11.20, ≤ 3.12.15, ≤ 3.13.12, ≤ 3.14.3, or ≤ 3.15.1.
Solution
Camunda has provided the following releases which contain a fix:
- Camunda Optimize 8.4.16
- Camunda Optimize 8.5.13
- Camunda Optimize 8.6.7
- Camunda Optimize 8.7.0
- Camunda Optimize 3.12.16
- Camunda Optimize 3.13.13
- Camunda Optimize 3.14.4
- Camunda Optimize 3.15.2
Notice 17
Publication date
April 8th, 2025
Products affected
Camunda Zeebe
Impact
When parsing unknown fields in the Protobuf Java Lite and Full library, a maliciously crafted message can cause a StackOverflow error and lead to a program crash.
- As Zeebe makes extensive use of Protobuf, this could lead to denial-of-service (DoS) issues on the server side.
- This issue allows an attacker to send specific payloads that will always result in a StackOverflowException. This could lead to gateway performance issues and affect system availability.
- Although the gateway will not crash, it will spend more time working on these requests. An attacker could use this opportunity to slow it down and make it unusable by sending a large number of requests within a short time frame.
No data is leaked, lost, or corrupted. This issue only affects application availability.
Learn more about this CVE at the GitHub Advisory Database.
How to determine if the installation is affected
You are using Camunda Zeebe 8.6.11.
Solution
Camunda has provided the following release which contains a fix:
Notice 16
Publication date
May 21st, 2025
Product affected
Camunda Web Modeler
Impact
The version of nodejs used by Camunda Web Modeler was affected by CVE-2025-23166, potentially allowing an adversary to remotely crash the Node.js runtime.
How to determine if the installation is affected
You are using Camunda Web Modeler Self-Managed version ≤ 8.4.17, ≤ 8.5.18, ≤ 8.6.10, or ≤ 8.7.1.
Solution
Camunda has provided the following releases which contain the fix:
- Camunda Web Modeler Self-Managed 8.4.18
- Camunda Web Modeler Self-Managed 8.5.19
- Camunda Web Modeler Self-Managed 8.6.11
- Camunda Web Modeler Self-Managed 8.7.2
The fix was deployed to Web Modeler SaaS on May 19, 2025, 15:10 CET.
Notice 15
Publication date
April 8th, 2025
Product affected
Camunda Optimize
Impact
Some Camunda Zeebe versions were affected by a vulnerability that allowed a malicious attacker to craft network packets that could crash the gateway.
How to determine if the installation is affected
You are using Camunda Optimize ≤ 8.4.15, ≤ 8.5.12, ≤ 8.6.6, ≤ 8.7.0, ≤ 3.11.20, ≤ 3.12.15, ≤ 3.13.12, ≤ 3.14.3, or ≤ 3.15.0.
Solution
Camunda has provided the following releases which contain a fix:
- Camunda Optimize 8.4.16
- Camunda Optimize 8.5.13
- Camunda Optimize 8.6.7
- Camunda Optimize 8.7.0
- Camunda Optimize 3.12.16
- Camunda Optimize 3.13.13
- Camunda Optimize 3.14.21
- Camunda Optimize 3.15.1
Notice 14
Publication date
March 11th, 2025
Product affected
Camunda Web Modeler
Impact
The version of koa used by Camunda Web Modeler was affected by the following vulnerability:
How to determine if the installation is affected
You are using Camunda Web Modeler Self-Managed version ≤ 8.3.16, ≤ 8.4.14, ≤ 8.5.15, or ≤ 8.6.7.
Solution
Camunda has provided the following releases which contain the fix:
- Camunda Web Modeler Self-Managed 8.3.17
- Camunda Web Modeler Self-Managed 8.4.15
- Camunda Web Modeler Self-Managed 8.5.16
- Camunda Web Modeler Self-Managed 8.6.8
The fix was deployed to Web Modeler SaaS on February 14, 2025, 08:50 CET.
Notice 13
Publication date
July 18th, 2024
Product affected
Camunda Identity
Impact
The version of Apache Tomcat used by Camunda Identity was affected by the following vulnerability:
How to determine if the installation is affected
You are using Camunda Identity version 8.5.3 or previous.
Solution
Camunda has provided the following release which contains a fix:
Notice 12
Publication date
October 3rd, 2023
Product affected
Camunda Desktop Modeler
Impact
The version of libwebp shipped with Camunda Desktop Modeler was affected by the following vulnerability:
How to determine if the installation is affected
You are using Camunda Desktop Modeler version 5.15.1 or previous.
Solution
Camunda has provided the following release which contains a fix:
Notice 11
Publication date
April 17, 2023
Product affected
Tasklist
Impact
The REST API functionality of Tasklist 8.2.0 and 8.2.1 allows unauthenticated access to the following methods/URLs:
- GET /v1/tasks/{taskId}
- POST /v1/tasks/search
- POST /v1/tasks/{taskId}/variables/search
- POST /v1/forms/{formId}
- POST /v1/variables/{variableId}
Find more information about the methods in our Tasklist REST API documentation.
Therefore, if you use Tasklist 8.2.0 or 8.2.1 and have sensitive data stored in process variables (accessed by user tasks), this data could have been accessed without authentication by anyone who knows the endpoint of the Tasklist instance.
How to determine if the installation is affected
You are using Tasklist version 8.2.0 or 8.2.1.
Solution
Camunda has provided the following releases which contain a fix:
Notice 10
Publication Date:
November 10th, 2022
Product affected:
Tasklist
Impact:
The Tasklist Docker image contains OpenSSL version 3.0.2, for which the following CVEs have been published:
At this point, Camunda is not aware of any specific attack vector in Tasklist allowing attackers to exploit the vulnerability, but recommends applying the fixes mentioned in the Solution section below.
How to determine if the installation is affected
You are using Tasklist version 8.0.3 ≤ version ≤ 8.0.7, or ≤ 8.1.2.
Solution
Camunda has provided the following releases which contain a fix:
Notice 9
Publication Date:
April 11th, 2022
Product affected:
Zeebe, Operate, Tasklist, IAM
Impact:
Zeebe, Operate, Tasklist and IAM are using the Spring framework for which the following CVE has been published: https://nvd.nist.gov/vuln/detail/CVE-2022-22965
At this point, Camunda is not aware of any specific attack vector in Zeebe, Operate, Tasklist or IAM allowing attackers to exploit the vulnerability but recommends applying fixes as mentioned in the Solution section below.
How to determine if the installation is affected
You are using Zeebe, Operate or Tasklist version ≤ 1.2.11 or ≤ 1.3.6
Solution
Camunda has provided the following releases which contain a fix
Notice 8
Publication Date:
December 31st, 2021
Product affected:
Zeebe, Operate, Tasklist
Impact:
Zeebe, Operate and Tasklist bundle log4j-core for which the following CVE has been published: https://nvd.nist.gov/vuln/detail/CVE-2021-44832. At this point, Camunda is not aware of any specific attack vector in Zeebe, Operate or Tasklist allowing attackers to exploit the vulnerability but recommends applying fixes as mentioned in the Solution section below.
How to determine if the installation is affected
You are using Zeebe, Operate or Tasklist version ≤ 1.2.8 or ≤ 1.1.9
Solution
Camunda has provided the following releases which contain a fix
Notice 7
Publication Date:
December 31st, 2021
Product affected:
IAM
Impact:
IAM bundles log4j libraries for which the following CVE has been published: https://nvd.nist.gov/vuln/detail/CVE-2021-44832. Specifically, IAM bundles log4j-api and log4j-to-slf4j. However, IAM does not bundle the log4j-core library which contains the vulnerability referred to by the CVE. As a result, Camunda does not consider IAM to be affected by the vulnerability. Still, Camunda recommends applying fixes as mentioned in the Solution section below.
How to determine if the installation is affected
You are using IAM version ≤ 1.2.8
Solution
Camunda has provided the following releases which contain a fix
Notice 6
Publication Date:
December 22nd, 2021
Product affected:
Zeebe, Operate, Tasklist
Impact:
Zeebe, Operate and Tasklist bundle log4j-core for which the following CVE has been published: https://nvd.nist.gov/vuln/detail/CVE-2021-45105. At this point, Camunda is not aware of any specific attack vector in Zeebe, Operate or Tasklist allowing attackers to exploit the vulnerability but recommends applying fixes as mentioned in the Solution section below.
How to determine if the installation is affected
You are using Zeebe, Operate or Tasklist version ≤ 1.2.7 or ≤ 1.1.8
Solution
Camunda has provided the following releases which contain a fix
Notice 5
Publication Date:
December 22nd, 2021
Product affected:
IAM
Impact:
IAM bundles log4j libraries for which the following CVE has been published: https://nvd.nist.gov/vuln/detail/CVE-2021-45105. Specifically, IAM bundles log4j-api and log4j-to-slf4j. However, IAM does not bundle the log4j-core library which contains the vulnerability referred to by the CVE. As a result, Camunda does not consider IAM to be affected by the vulnerability. Still, Camunda recommends applying fixes as mentioned in the Solution section below.
IAM bundles logback libraries for which the following CVE has been published: https://nvd.nist.gov/vuln/detail/CVE-2021-42550. At this point, Camunda is not aware of any specific attack vector in IAM allowing attackers to exploit the vulnerability but recommends applying fixes as mentioned in the Solution section below.
How to determine if the installation is affected
You are using IAM version ≤ 1.2.7
Solution
Camunda has provided the following releases which contain a fix
Notice 4
Publication Date:
December 17th, 2021
Product affected:
Zeebe, Operate, Tasklist
Impact:
Zeebe, Operate and Tasklist bundle log4j-core for which the following CVE has been published: https://nvd.nist.gov/vuln/detail/CVE-2021-45046. At this point, Camunda is not aware of any specific attack vector in Zeebe, Operate or Tasklist allowing attackers to exploit the vulnerability but recommends applying fixes as mentioned in the Solution section below.
How to determine if the installation is affected
You are using Zeebe, Operate or Tasklist version ≤ 1.2.6 or ≤ 1.1.7
Solution
Camunda has provided the following releases which contain a fix
Notice 3
Publication Date:
December 17th, 2021
Product affected:
IAM
Impact:
IAM bundles log4j libraries for which the following CVE has been published: https://nvd.nist.gov/vuln/detail/CVE-2021-45046. Specifically, IAM bundles log4j-api and log4j-to-slf4j. However, IAM does not bundle the log4j-core library which contains the vulnerability referred to by the CVE. As a result, Camunda does not consider IAM to be affected by the vulnerability. Still, Camunda recommends applying fixes as mentioned in the Solution section below.
IAM bundles logback libraries for which the following CVE has been published: https://nvd.nist.gov/vuln/detail/CVE-2021-42550. At this point, Camunda is not aware of any specific attack vector in IAM allowing attackers to exploit the vulnerability but recommends applying fixes as mentioned in the Solution section below.
How to determine if the installation is affected
You are using IAM version ≤ 1.2.6
Solution
Camunda has provided the following releases which contain a fix
Notice 2
Publication Date:
December 14th, 2021
Product affected:
Zeebe, Operate, Tasklist
Impact:
Zeebe, Operate and Tasklist bundle log4j-core for which the following CVE has been published: https://nvd.nist.gov/vuln/detail/CVE-2021-44228. At this point, Camunda is not aware of any specific attack vector in Zeebe, Operate or Tasklist allowing attackers to exploit the vulnerability but recommends applying fixes as mentioned in the Solution section below.
How to determine if the installation is affected
You are using Zeebe, Operate or Tasklist version ≤ 1.2.5 or ≤ 1.1.6
Solution
Camunda has provided the following releases which contain a fix
Apply the patches mentioned above or set the JVM option -Dlog4j2.formatMsgNoLookups=true
Notice 1
Publication Date:
December 14th, 2021
Product affected:
IAM
Impact:
IAM bundles log4j libraries for which the following CVE has been published: https://nvd.nist.gov/vuln/detail/CVE-2021-44228. Specifically, IAM bundles log4j-api and log4j-to-slf4j. However, IAM does not bundle the log4j-core library which contains the vulnerability referred to by the CVE. As a result, Camunda does not consider IAM to be affected by the vulnerability.
Still, Camunda recommends applying fixes as mentioned in the Solution section below.
How to determine if the installation is affected
You are using IAM version ≤ 1.2.5
Solution
Camunda has provided the following releases which contain a fix
Report a vulnerability
Please report security vulnerabilities to Camunda immediately. Please follow the steps on our Camunda Security page to report a vulnerability.
Additional security information
For more information about security at Camunda, including our security policy, security issue management, and more, see Camunda.com/security.