diff --git a/content/en/docs/releasenotes/security-advisories/_index.md b/content/en/docs/releasenotes/security-advisories/_index.md index 441b04b931e..ce72f5d7592 100644 --- a/content/en/docs/releasenotes/security-advisories/_index.md +++ b/content/en/docs/releasenotes/security-advisories/_index.md @@ -20,7 +20,7 @@ Siemens publishes their common vulnerabilities and exposures (CVE) on the second | CVE ID | CVSS v3.1 Base Score | Siemens Security Advisory (SSA) Description | Notes | | --- | --- | --- | --- | -| CVE-2025-40834 | 5.7 | [Cross-Site Scripting Vulnerability in Mendix Rich Text Widget](https://cert-portal.siemens.com/productcert/html/ssa-190588.html) | See the SSA description for remediation details. | +| CVE-2026-48192 | 5.4 | [Arbitrary Code Execution Vulnerability in Mendix Studio Pro Before V11.12](https://cert-portal.siemens.com/productcert/html/ssa-779310.html) | See the SSA description for remediation details. | | CVE-2025-40758 | 8.7 | [Account Hijacking Vulnerability in Mendix SAML Module](https://cert-portal.siemens.com/productcert/html/ssa-395458.html) | See the SSA description for remediation details. | | CVE-2025-40592 | 6.1 | [Zip Path Traversal Vulnerability in Mendix Studio Pro's Module Installation Process](https://cert-portal.siemens.com/productcert/html/ssa-627195.html) | See the SSA description for remediation details. | | CVE-2025-40571 | 2.2 | [Incorrect Privilege Assignment Vulnerability in Mendix OIDC SSO Module](https://cert-portal.siemens.com/productcert/html/ssa-726617.html) | See the SSA description for remediation details. | diff --git a/content/en/docs/releasenotes/studio-pro/10/10.24.md b/content/en/docs/releasenotes/studio-pro/10/10.24.md index ceadea442ff..47ba13f4d52 100644 --- a/content/en/docs/releasenotes/studio-pro/10/10.24.md +++ b/content/en/docs/releasenotes/studio-pro/10/10.24.md 
@@ -81,6 +81,7 @@ Mendix Portable Runtime (previously called Portable App Distribution) packages y ### Fixes +* We fixed an arbitrary code execution vulnerability in Studio Pro. (5.4 – CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N – for more information see [Security Advisories](/releasenotes/security-advisories/#48192)) * We upgraded Netty dependencies to fix CVE-2026-42578, CVE-2026-42583, CVE-2026-42587, CVE-2026-42585, CVE-2026-42584, CVE-2026-42581, CVE-2026-42580, CVE-2026-41417, CVE-2026-42577, CVE-2026-42579. (Tickets 278202, 278290, 277691, 278290) * We fixed an issue in the **Select Elements** dialog of an XML import or export mapping where reopening the dialog with previously checked elements that contained inheritance or choice-type children caused a validation error `"Element '…' cannot be checked without a checked child element."` when clicking **OK**. This happened because those elements were not expanded, so their children were not loaded and could not be validated. Studio Pro now automatically expands such elements before clicking OK in the **Select Elements** dialog, ensuring all required child elements are properly loaded and resolved. (Ticket 268403) * We fixed an issue with the client where passing an empty string as a parameter to a microflow triggered an error. For example, when filtering options of a combo box with a microflow, clearing the search string would trigger the error. (Ticket 271819) diff --git a/content/en/docs/releasenotes/studio-pro/11/11.12.md b/content/en/docs/releasenotes/studio-pro/11/11.12.md index 8b474be43a6..6a0a384907c 100644 --- a/content/en/docs/releasenotes/studio-pro/11/11.12.md +++ b/content/en/docs/releasenotes/studio-pro/11/11.12.md 
@@ -29,134 +29,134 @@ The **Module ID** and **checksum** are stored in a new *manifest.json* file insi #### Other New Features -- We introduced a modernized **Variables** pane. It now preserves expanded nodes as you step through the debugger, so you no longer lose your place between steps. -- We improved offline synchronization error handling so that when the server rejects uploaded objects (for example, due to validation rules or security constraints), the synchronization action now throws a `PartialSynchronizationError` (as long as **Throw error when server rejects objects during synchronization** option is enabled). Nanoflow developers can catch this error in a try/catch block to present a message to the user or take corrective action. -- Toggling the web fetch tool in Maia preferences now takes effect immediately, without needing to relaunch Studio Pro. -- We added the ability for the user to see the current Studio Pro version through the Preferences API. -- We added a `documentAdded` event to the `IProjectChangesApi`, allowing extensions to react when a new document is added to the project. -- We added the ability to filter the comparison pane by change status (such as added, modified, deleted, or moved). Filters are persisted across sessions, and an indicator is shown when any filter differs from the default. -- We added sortable columns to the **Comparison** pane. You can now click any column header in the **Documents** or **Elements** views to sort the list, making it easier to find and group changes. -- We implemented a new function `DATEFORMAT` in OQL. For more details, see [OQL Expression Syntax](/refguide/oql-expression-syntax/#dateformat-function). -- We implemented two new functions in OQL: `RPAD` and `LPAD`. For more details, see the documentation for [LPAD](/refguide/oql-expression-syntax/#lpad-function) and [RPAD](/refguide/oql-expression-syntax/#rpad-function). -- You can now use Maia to work with theming and styling in Studio Pro. 
Maia can modify theme variables, create custom styling, and manage design properties—for example, updating colors, spacing, and typography across your app based on your styling requirements. -- Maia can now ask you clarifying questions before proceeding. When Maia needs more information, it will present one or more questions directly in the chat—supporting open-ended, single choice, and multiple choice answers—and use your responses to continue with the right approach. -- We released the Embedded Client in public Beta. You can now embed your Mendix app into any host application by configuring an [Embedded Navigation Profile](/refguide/navigation/#Embedded) and following the instructions in the [Embedding the Client](/refguide/mendix-client/embedding-the-client/) guide. -- We added a `permissionsChanged` event to the Extension Permissions API, allowing extensions to be notified when permission states change. -- You can now add custom instructions on either project or module level. Project-level instructions will be added to every Maia conversation, while module-level ones will be added whenever Maia works with documents of a given module. -- Maia now thinks before responding. You can see what it is considering in real time, and revisit its reasoning at any point during the conversation. -- MCP OAuth authentication now uses a dedicated callback server on a fixed port range (44380–44384), enabling use with MCP servers that require pre-registered redirect URIs. -- MCP connections now support Mendix Identity (MxId3) authentication. MCP servers hosted on *.mendix.com automatically receive the user's platform access token. -- You can now add Maia Agent Instructions. Maia Instructions are agent instructions that are automatically added to the conversation context. You can add them to the project or module level. For more information, see [Maia Agent Instructions (AGENTS.md)](/refguide/maia-instructions/). 
-- We introduced the following new features to skills in Maia: - - A new **Skills** pane in Maia shows all custom skills that are currently loaded, their status, and which module they belong to (for module-level skills). You can filter the list to show only skills with errors. To apply the updated skills immediately, you can sync the skills. For more information, see [Skill Overview](/refguide/maia-agent-skills/#skill-overview) section in Maia Agent Skills. - - You can now add custom skills to non-protected app modules. These skills are exported together with other contents of the module. - - Maia now shows which custom skill (or which resource within a skill) it is drawing on while working, so you can follow along as it applies your project's conventions. -- We released a feature in public beta that lets you configure a custom LLM provider. In addition to the default Mendix Platform provider, you can now configure OpenAI-compatible providers or AWS Bedrock on a per-project basis. Mendix still recommends using the Mendix Platform provider for the best experience. For more information, see [Configuring a Custom AI Provider](/refguide/maia-make/#custom-provider). -- Maia is now better at fetching and understanding content from web pages by focusing on the main content. -- You can now attach Markdown files (*.md*, *.mdx*) to your Maia chat messages. Each file can be up to 50 KB, and you can attach as many as you need. The file contents are sent to Maia as context alongside your prompt. -- Maia Agent session can be saved by navigating **Help** > **Support Tools** > **Capture Maia Agent Session**, making it easier to share session details when troubleshooting or reporting issues. -- Data Transformers are now generally available. This allows you to transform complex JSON data, including cases that were never supported before. 
- - You can use a Data Transformer as a preprocessing step before passing the data into an Import Mapping, or use the transformed JSON directly, for example to send data to another system. - - Maia support has been added, so Maia can help creating and modifying Data Transformers. - - For more information, see [Data Transformer](/refguide/data-transformers/). +* We introduced a modernized **Variables** pane. It now preserves expanded nodes as you step through the debugger, so you no longer lose your place between steps. +* We improved offline synchronization error handling so that when the server rejects uploaded objects (for example, due to validation rules or security constraints), the synchronization action now throws a `PartialSynchronizationError` (as long as **Throw error when server rejects objects during synchronization** option is enabled). Nanoflow developers can catch this error in a try/catch block to present a message to the user or take corrective action. +* Toggling the web fetch tool in Maia preferences now takes effect immediately, without needing to relaunch Studio Pro. +* We added the ability for the user to see the current Studio Pro version through the Preferences API. +* We added a `documentAdded` event to the `IProjectChangesApi`, allowing extensions to react when a new document is added to the project. +* We added the ability to filter the comparison pane by change status (such as added, modified, deleted, or moved). Filters are persisted across sessions, and an indicator is shown when any filter differs from the default. +* We added sortable columns to the **Comparison** pane. You can now click any column header in the **Documents** or **Elements** views to sort the list, making it easier to find and group changes. +* We implemented a new function `DATEFORMAT` in OQL. For more details, see [OQL Expression Syntax](/refguide/oql-expression-syntax/#dateformat-function). +* We implemented two new functions in OQL: `RPAD` and `LPAD`. 
For more details, see the documentation for [LPAD](/refguide/oql-expression-syntax/#lpad-function) and [RPAD](/refguide/oql-expression-syntax/#rpad-function). +* You can now use Maia to work with theming and styling in Studio Pro. Maia can modify theme variables, create custom styling, and manage design properties—for example, updating colors, spacing, and typography across your app based on your styling requirements. +* Maia can now ask you clarifying questions before proceeding. When Maia needs more information, it will present one or more questions directly in the chat—supporting open-ended, single choice, and multiple choice answers—and use your responses to continue with the right approach. +* We released the Embedded Client in public Beta. You can now embed your Mendix app into any host application by configuring an [Embedded Navigation Profile](/refguide/navigation/#embedded) and following the instructions in the [Embedding the Client](/refguide/mendix-client/embedding-the-client/) guide. +* We added a `permissionsChanged` event to the Extension Permissions API, allowing extensions to be notified when permission states change. +* You can now add custom instructions on either project or module level. Project-level instructions will be added to every Maia conversation, while module-level ones will be added whenever Maia works with documents of a given module. +* Maia now thinks before responding. You can see what it is considering in real time, and revisit its reasoning at any point during the conversation. +* MCP OAuth authentication now uses a dedicated callback server on a fixed port range (44380–44384), enabling use with MCP servers that require pre-registered redirect URIs. +* MCP connections now support Mendix Identity (MxId3) authentication. MCP servers hosted on *.mendix.com automatically receive the user's platform access token. +* You can now add Maia Agent Instructions. 
Maia Instructions are agent instructions that are automatically added to the conversation context. You can add them to the project or module level. For more information, see [Maia Agent Instructions (AGENTS.md)](/refguide/maia-instructions/). +* We introduced the following new features to skills in Maia: + * A new **Skills** pane in Maia shows all custom skills that are currently loaded, their status, and which module they belong to (for module-level skills). You can filter the list to show only skills with errors. To apply the updated skills immediately, you can sync the skills. For more information, see [Skill Overview](/refguide/maia-agent-skills/#skill-overview) section in Maia Agent Skills. + * You can now add custom skills to non-protected app modules. These skills are exported together with other contents of the module. + * Maia now shows which custom skill (or which resource within a skill) it is drawing on while working, so you can follow along as it applies your project's conventions. +* We released a feature in public beta that lets you configure a custom LLM provider. In addition to the default Mendix Platform provider, you can now configure OpenAI-compatible providers or AWS Bedrock on a per-project basis. Mendix still recommends using the Mendix Platform provider for the best experience. For more information, see [Configuring a Custom AI Provider](/refguide/maia-make/#custom-provider). +* Maia is now better at fetching and understanding content from web pages by focusing on the main content. +* You can now attach Markdown files (*.md*, *.mdx*) to your Maia chat messages. Each file can be up to 50 KB, and you can attach as many as you need. The file contents are sent to Maia as context alongside your prompt. +* Maia Agent session can be saved by navigating **Help** > **Support Tools** > **Capture Maia Agent Session**, making it easier to share session details when troubleshooting or reporting issues. +* Data Transformers are now generally available. 
This allows you to transform complex JSON data, including cases that were never supported before. + * You can use a Data Transformer as a preprocessing step before passing the data into an Import Mapping, or use the transformed JSON directly, for example to send data to another system. + * Maia support has been added, so Maia can help creating and modifying Data Transformers. + * For more information, see [Data Transformer](/refguide/data-transformers/). ### Improvements #### Performance -- We reduced the time it takes to open an app in Studio Pro. -- We reduced the time it takes for Studio Pro and MxBuild to check the app for consistency errors. -- We fixed memory leaks that could cause increased memory consumption over time when using the App Explorer. -- We improved the performance of several editors (Page Editor, Workflow Editor, Microflow Editor and the new Domain Model Editor) +* We reduced the time it takes to open an app in Studio Pro. +* We reduced the time it takes for Studio Pro and MxBuild to check the app for consistency errors. +* We fixed memory leaks that could cause increased memory consumption over time when using the App Explorer. +* We improved the performance of several editors (Page Editor, Workflow Editor, Microflow Editor and the new Domain Model Editor) #### Progressive Web App Wrappers -- Progressive web app (PWA) wrappers are now in GA. This feature allows you to package a PWA as a native app, and is especially useful when you want to keep a web-based application architecture while distributing the app through app stores. For more information, see [PWA Wrapper](/refguide/mobile/pwa-wrapper/). +* Progressive web app (PWA) wrappers are now in GA. This feature allows you to package a PWA as a native app, and is especially useful when you want to keep a web-based application architecture while distributing the app through app stores. For more information, see [PWA Wrapper](/refguide/mobile/pwa-wrapper/). 
#### Other Improvements -- The **History** pane now shows the author name instead of the author email for each commit. The email address is still visible by hovering over the author name. -- We added the `forRemoval` and `since` attributes to the public Java API deprecated annotations. -- We improved performance of Studio Pro especially for App Explorer operations such as right mouse click, double click to open, etc. -- We updated the .NET Runtime to version 10.0.7. -- We added a confirmation dialog when enabling anonymous user access in App Security, warning that unrestricted anonymous roles may expose data unintentionally. -- We now allow microflow and entity parameters to be optional for Java actions. -- We renamed the Tracing tab to OpenTelemetry in the configurations in Studio Pro. -- We added the option to enable logs to be sent via OpenTelemetry in the OpenTelemetry configuration in Studio Pro. -- The endpoint in the OpenTelemetry configuration is now used for both traces and logs and should not end in "/v1/traces" anymore. It will be automatically updated during migration. -- Maia can now use system member properties of entities -- We reorganized AI preferences into separate tabs for better clarity. Maia settings and MCP Server settings are now displayed in their own dedicated tabs, making it easier to find and configure AI-related features. -- We improved the published REST service editor in Studio Pro. Form parameters cannot be a List, so Studio Pro no longer shows that as an option. -- **Find Advanced** now displays widgets grouped by platform type and ordered by name. -- The modernized JavaScript Action Editor is now enabled by default in Studio Pro. If you encounter any issues, you can revert to the legacy editor via **Preferences** > **New Features** > **Use the legacy JavaScript Action editor**. -- We improved cleanup of queued tasks that are owned by missing nodes. 
-- We improved observability for retrieve and other runtime operations by including XPath constraints, entity paths, object types, and microflow names in OpenTelemetry span names. -- Runtime nodes now automatically shut down when heartbeat updates fail or when the node's database entry is missing, improving cluster reliability and preventing orphaned nodes. -- Studio Pro will now always overwrite files from the `vendorlib` directory when importing modules. -- We improved the Comparison pane toolbar to show the compared revision hashes as clickable links for version-controlled apps, allowing you to navigate directly to the corresponding commit in the History pane. -- We added the `com.mendix.metrics.Metric.Builder.withTags(Map)` method to the public Java API. Using this method you can add multiple tags at once to a metric builder. -- You can now compare two revisions directly from the History Pane by selecting two commits and using the new Compare submenu in the context menu or the Compare toolbar dropdown. -- We significantly enhanced the performance of the history pane for a faster and smoother experience -- We now allow the browser to cache parts of the app bundle, fonts, and app icons. This will allow subsequent loads of the application in production feel faster to the user. -- We now automatically stop Gradle daemons when you exit Studio Pro, so unnecessary background processes no longer continue running. (Ticket 258422) -- We added the possibility to change the event type for boundary events in Workflows via context menu. -- We added document type icons to the modernized Debugger pane, making it easier to identify the type of document at each call stack entry. -- When developers use `addBlankPage` for `studioPro.model.pages`, we now require they provide a layout name and page name when creating a page. We have also introduced an added method, `addWidgetsToPageRoot`, that makes it easier to add widgets to the arguments of the layout of a page. 
-- The new Domain Model Editor also shows recommendations +* The **History** pane now shows the author name instead of the author email for each commit. The email address is still visible by hovering over the author name. +* We added the `forRemoval` and `since` attributes to the public Java API deprecated annotations. +* We improved performance of Studio Pro especially for App Explorer operations such as right mouse click, double click to open, etc. +* We updated the .NET Runtime to version 10.0.7. +* We added a confirmation dialog when enabling anonymous user access in App Security, warning that unrestricted anonymous roles may expose data unintentionally. +* We now allow microflow and entity parameters to be optional for Java actions. +* We renamed the Tracing tab to OpenTelemetry in the configurations in Studio Pro. +* We added the option to enable logs to be sent via OpenTelemetry in the OpenTelemetry configuration in Studio Pro. +* The endpoint in the OpenTelemetry configuration is now used for both traces and logs and should not end in "/v1/traces" anymore. It will be automatically updated during migration. +* Maia can now use system member properties of entities +* We reorganized AI preferences into separate tabs for better clarity. Maia settings and MCP Server settings are now displayed in their own dedicated tabs, making it easier to find and configure AI-related features. +* We improved the published REST service editor in Studio Pro. Form parameters cannot be a List, so Studio Pro no longer shows that as an option. +* **Find Advanced** now displays widgets grouped by platform type and ordered by name. +* The modernized JavaScript Action Editor is now enabled by default in Studio Pro. If you encounter any issues, you can revert to the legacy editor via **Preferences** > **New Features** > **Use the legacy JavaScript Action editor**. +* We improved cleanup of queued tasks that are owned by missing nodes. 
+* We improved observability for retrieve and other runtime operations by including XPath constraints, entity paths, object types, and microflow names in OpenTelemetry span names. +* Runtime nodes now automatically shut down when heartbeat updates fail or when the node's database entry is missing, improving cluster reliability and preventing orphaned nodes. +* Studio Pro will now always overwrite files from the `vendorlib` directory when importing modules. +* We improved the Comparison pane toolbar to show the compared revision hashes as clickable links for version-controlled apps, allowing you to navigate directly to the corresponding commit in the History pane. +* We added the `com.mendix.metrics.Metric.Builder.withTags(Map)` method to the public Java API. Using this method you can add multiple tags at once to a metric builder. +* You can now compare two revisions directly from the History Pane by selecting two commits and using the new Compare submenu in the context menu or the Compare toolbar dropdown. +* We significantly enhanced the performance of the history pane for a faster and smoother experience +* We now allow the browser to cache parts of the app bundle, fonts, and app icons. This will allow subsequent loads of the application in production feel faster to the user. +* We now automatically stop Gradle daemons when you exit Studio Pro, so unnecessary background processes no longer continue running. (Ticket 258422) +* We added the possibility to change the event type for boundary events in Workflows via context menu. +* We added document type icons to the modernized Debugger pane, making it easier to identify the type of document at each call stack entry. +* When developers use `addBlankPage` for `studioPro.model.pages`, we now require they provide a layout name and page name when creating a page. We have also introduced an added method, `addWidgetsToPageRoot`, that makes it easier to add widgets to the arguments of the layout of a page. 
+* The new Domain Model Editor also shows recommendations ### Fixes -- We upgraded Netty dependencies to fix CVE-2026-42578, CVE-2026-42583, CVE-2026-42587, CVE-2026-42585, CVE-2026-42584, CVE-2026-42581, CVE-2026-42580, CVE-2026-41417, CVE-2026-42577, CVE-2026-42579. (Tickets 278202, 278290, 277691, 278290) -- In the React client, we now copy files from a pluggable widget's `assets` subdirectory into the widget's directory under `dist/` during bundling, even when they are not directly imported by the widget. (Ticket 274514) -- We fixed an issue that caused the Generate pages dialog to not be scrollable. (Ticket 274661) -- We fixed an issue with the client where passing an empty string as a parameter to an on change microflow triggered an error. (Ticket 276118, 278248) -- We fixed an issue in published OData services in Studio Pro where changing the type or owner of an association that was published in an OData service would change the service's metadata without the user realizing it. Now there is a consistency error that the user can resolve to update the metadata (Ticket 276897). -- We fixed an issue where a native mobile app crashed with a synchronization error on startup when a user role did not have access to a module whose entity was included in the app's offline synchronization profile. The app now completes synchronization and returns no objects for that entity, matching the behavior of the previous XPath-based synchronization. (Ticket 277538) -- We fixed an issue where an Oops pop-up window appeared when a microflow or nanoflow was configured with a return value mapping which was referring to an attribute but was not enclosed within a data view. (Ticket 278235) -- We fixed an issue where Studio Pro crashed when pasting content from the clipboard while another application was also accessing the clipboard. 
(Ticket 278333) -- We fixed a race condition where the value setter for some widgets (for example, **ListView** would execute on a 'destroyed' value store. This would cause a crash when opening pages with **ListView**). (Ticket 280988) +* We fixed an arbitrary code execution vulnerability in Studio Pro. (5.4 – CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N – for more information see [Security Advisories](/releasenotes/security-advisories/#48192)) +* We upgraded Netty dependencies to fix CVE-2026-42578, CVE-2026-42583, CVE-2026-42587, CVE-2026-42585, CVE-2026-42584, CVE-2026-42581, CVE-2026-42580, CVE-2026-41417, CVE-2026-42577, CVE-2026-42579. (Tickets 278202, 278290, 277691, 278290) +* In the React client, we now copy files from a pluggable widget's `assets` subdirectory into the widget's directory under `dist/` during bundling, even when they are not directly imported by the widget. (Ticket 274514) +* We fixed an issue that caused the Generate pages dialog to not be scrollable. (Ticket 274661) +* We fixed an issue with the client where passing an empty string as a parameter to an on change microflow triggered an error. (Ticket 276118, 278248) +* We fixed an issue in published OData services in Studio Pro where changing the type or owner of an association that was published in an OData service would change the service's metadata without the user realizing it. Now there is a consistency error that the user can resolve to update the metadata (Ticket 276897). +* We fixed an issue where a native mobile app crashed with a synchronization error on startup when a user role did not have access to a module whose entity was included in the app's offline synchronization profile. The app now completes synchronization and returns no objects for that entity, matching the behavior of the previous XPath-based synchronization. 
(Ticket 277538) +* We fixed an issue where an Oops pop-up window appeared when a microflow or nanoflow was configured with a return value mapping which was referring to an attribute but was not enclosed within a data view. (Ticket 278235) +* We fixed an issue where Studio Pro crashed when pasting content from the clipboard while another application was also accessing the clipboard. (Ticket 278333) +* We fixed a race condition where the value setter for some widgets (for example, **ListView** would execute on a 'destroyed' value store. This would cause a crash when opening pages with **ListView**). (Ticket 280988) Users can now select one row, hold Shift, and select another row to select all rows in between. -- We fixed the row range selection shortcut in the modernized **Console**. -- We made permission state persist when replacing a module that contains an extension with permissions -- We added a small delay between retries of saving conflicting project files due to rare occurrences of race conditions. -- We fixed an issue where constants from protected modules were not exported when creating a portable app deployment package using MxBuild. -- We fixed an issue where switching the schema source in an import & export mapping (for example, from JSON structure to Message definition) caused mapping elements from the previous source to remain visible on the canvas alongside elements from the new source. -- We fixed a potential freeze of Studio Pro when an error dialog would be shown on startup. -- We fixed an issue where exporting a Portable App Package could fail because file copy operations were performed outside the default file-system scope. -- We fixed the alignment of the breakpoints within the **Breakpoints** pane and fixed the changing row height whenever the breakpoint is toggled. -- We fixed an issue where copying attributes from view entities could result in non-editable attributes in persistent entities. 
Existing affected attributes are now automatically fixed when opening the app, and copying these attributes is now blocked to prevent new invalid attributes. -- We fixed an issue where Maia could accidentally generate broken Call REST Service action and Call Web Service action in a microflow. -- We fixed an issue where Toolbox categories with the same caption would appear as duplicate sections each time the Toolbox refreshed. -- We fixed the issue where `DELETE` OQL statement with an alias on the table would lead to a database exception. -- We fixed a visual bug affecting **Call a nanoflow** action properties of widgets. Depending on the order in which the actions were configured, nanoflow settings of a different property would get displayed. -- We fixed an issue where Maia Explain triggered a new chat session instead of continuing in the active chat session. -- We addressed an issue where the Native App Builder would fail when the project and Mendix Studio Pro are on different drive locations. -- We fixed a crash that occurred when launching the Native App Builder UI (NBUI) a second time while a previous instance was still being tracked. -- We fixed an issue where Studio Pro erroneously showed a security consistency error when a microflow or nanoflow's return value mapping referred to an attribute that was not within its direct enclosing data view. -- When calling an external OData service action, additional attributes for optional parameters are now correctly sent even if the parameter has no value specified. -- We fixed an issue in the published REST service editor in Studio Pro where parameters with unknown type would be shown as having type Boolean. -- To improve supportability of add-on and solution modules, we added an option to enable detailed troubleshooting in the module settings, which is enabled by default. When enabled, consumers of these modules will see consistency errors similar to regular app modules instead of the non-descriptive CE1707 error. 
-- We fixed an issue that could cause the **History** pane to unexpectedly crash. -- We fixed OAuth metadata discovery failing with CORS errors when connecting to MCP servers that require proxied requests. -- MCP tool names are now sanitized and truncated to comply with LLM provider requirements, preventing connection errors caused by long server URLs or non-ASCII tool names. -- We fixed an issue where documents and folders could not be moved into Marketplace modules in the modernized **App Explorer**. -- We fixed an issue in the modernized **App Explorer** where the context menu opened at the cursor position instead of the selected item when pressing the Shift+ F10 keyboard shortcut. -- We fixed an issue where the **App Explorer** did not receive focus after creating a new folder. -- We fixed an issue where tabbing back into the modernized **App Explorer** tree would start keyboard navigation from the previously focused node instead of the active document node. -- View entities can no longer be copied via the modernized **App Explorer**. Copy actions—whether triggered through the **Edit** menu, keyboard shortcut, or context menu—are now disabled for view entities, since they are derived from a domain model entity and cannot exist independently. -- We fixed an issue where startup failed in a leaderless cluster on a SQL Server database that did not yet have [Read Committed Snapshot Isolation](/developerportal/deploy/setting-up-a-new-sql-server-database/#enabling-read-committed-snapshot-isolation-level-and-snapshot-isolation) enabled. -- We fixed an issue in the modernized **App Explorer** where in certain cases node labels would wrap and the expand/collapse icon would grow too large when resizing the panel. -- We fixed an issue when using the Rollup bundler with the React client. -- We fixed an issue where a renaming a user would cause the authtoken to become invalid. -- We fixed a rare race condition related to authtokens. 
-- We fixed an issue where a **"Stopping debugging session..."** progress dialog appeared when stopping debugging while not connected to a runtime. -- We fixed an issue where a runtime error would trigger when a **View Entities** query was open during app startup. - +* We fixed the row range selection shortcut in the modernized **Console**. +* We made permission state persist when replacing a module that contains an extension with permissions +* We added a small delay between retries of saving conflicting project files due to rare occurrences of race conditions. +* We fixed an issue where constants from protected modules were not exported when creating a portable app deployment package using MxBuild. +* We fixed an issue where switching the schema source in an import & export mapping (for example, from JSON structure to Message definition) caused mapping elements from the previous source to remain visible on the canvas alongside elements from the new source. +* We fixed a potential freeze of Studio Pro when an error dialog would be shown on startup. +* We fixed an issue where exporting a Portable App Package could fail because file copy operations were performed outside the default file-system scope. +* We fixed the alignment of the breakpoints within the **Breakpoints** pane and fixed the changing row height whenever the breakpoint is toggled. +* We fixed an issue where copying attributes from view entities could result in non-editable attributes in persistent entities. Existing affected attributes are now automatically fixed when opening the app, and copying these attributes is now blocked to prevent new invalid attributes. +* We fixed an issue where Maia could accidentally generate broken Call REST Service action and Call Web Service action in a microflow. +* We fixed an issue where Toolbox categories with the same caption would appear as duplicate sections each time the Toolbox refreshed. 
+* We fixed the issue where `DELETE` OQL statement with an alias on the table would lead to a database exception. +* We fixed a visual bug affecting **Call a nanoflow** action properties of widgets. Depending on the order in which the actions were configured, nanoflow settings of a different property would get displayed. +* We fixed an issue where Maia Explain triggered a new chat session instead of continuing in the active chat session. +* We addressed an issue where the Native App Builder would fail when the project and Mendix Studio Pro are on different drive locations. +* We fixed a crash that occurred when launching the Native App Builder UI (NBUI) a second time while a previous instance was still being tracked. +* We fixed an issue where Studio Pro erroneously showed a security consistency error when a microflow or nanoflow's return value mapping referred to an attribute that was not within its direct enclosing data view. +* When calling an external OData service action, additional attributes for optional parameters are now correctly sent even if the parameter has no value specified. +* We fixed an issue in the published REST service editor in Studio Pro where parameters with unknown type would be shown as having type Boolean. +* To improve supportability of add-on and solution modules, we added an option to enable detailed troubleshooting in the module settings, which is enabled by default. When enabled, consumers of these modules will see consistency errors similar to regular app modules instead of the non-descriptive CE1707 error. +* We fixed an issue that could cause the **History** pane to unexpectedly crash. +* We fixed OAuth metadata discovery failing with CORS errors when connecting to MCP servers that require proxied requests. +* MCP tool names are now sanitized and truncated to comply with LLM provider requirements, preventing connection errors caused by long server URLs or non-ASCII tool names. 
+* We fixed an issue where documents and folders could not be moved into Marketplace modules in the modernized **App Explorer**. +* We fixed an issue in the modernized **App Explorer** where the context menu opened at the cursor position instead of the selected item when pressing the Shift+ F10 keyboard shortcut. +* We fixed an issue where the **App Explorer** did not receive focus after creating a new folder. +* We fixed an issue where tabbing back into the modernized **App Explorer** tree would start keyboard navigation from the previously focused node instead of the active document node. +* View entities can no longer be copied via the modernized **App Explorer**. Copy actions—whether triggered through the **Edit** menu, keyboard shortcut, or context menu—are now disabled for view entities, since they are derived from a domain model entity and cannot exist independently. +* We fixed an issue where startup failed in a leaderless cluster on a SQL Server database that did not yet have [Read Committed Snapshot Isolation](/developerportal/deploy/setting-up-a-new-sql-server-database/#enabling-read-committed-snapshot-isolation-level-and-snapshot-isolation) enabled. +* We fixed an issue in the modernized **App Explorer** where in certain cases node labels would wrap and the expand/collapse icon would grow too large when resizing the panel. +* We fixed an issue when using the Rollup bundler with the React client. +* We fixed an issue where a renaming a user would cause the authtoken to become invalid. +* We fixed a rare race condition related to authtokens. +* We fixed an issue where a **"Stopping debugging session..."** progress dialog appeared when stopping debugging while not connected to a runtime. +* We fixed an issue where a runtime error would trigger when a **View Entities** query was open during app startup. 
### Breaking Changes -- We removed the elements helper methods (`add*()`, `get*()`, `getContainer()`, `delete()`) from the model api types -- Studio Pro on macOS now runs natively on Apple Silicon (arm64). Studio Pro, Version Selector, and command line tools are all built as native Apple Silicon binaries, so they no longer require Rosetta 2 translation layer, resulting in significantly improved performance. Intel-based Macs are no longer supported. +* We removed the elements helper methods (`add*()`, `get*()`, `getContainer()`, `delete()`) from the model api types +* Studio Pro on macOS now runs natively on Apple Silicon (arm64). Studio Pro, Version Selector, and command line tools are all built as native Apple Silicon binaries, so they no longer require Rosetta 2 translation layer, resulting in significantly improved performance. Intel-based Macs are no longer supported. ### Known Issues diff --git a/content/en/docs/releasenotes/studio-pro/11/11.6.md b/content/en/docs/releasenotes/studio-pro/11/11.6.md index 1fe24595592..ef512cae6cb 100644 --- a/content/en/docs/releasenotes/studio-pro/11/11.6.md +++ b/content/en/docs/releasenotes/studio-pro/11/11.6.md 
@@ -47,6 +47,7 @@ Mendix Portable Runtime (previously called Portable App Distribution) packages y ### Fixes +* We fixed an arbitrary code execution vulnerability in Studio Pro. (5.4 – CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N – for more information see [Security Advisories](/releasenotes/security-advisories/#48192)) * We have upgraded Netty dependencies to fix CVE-2026-42578, CVE-2026-42583, CVE-2026-42587, CVE-2026-42585, CVE-2026-42584, CVE-2026-42581, CVE-2026-42580, CVE-2026-41417, CVE-2026-42577, CVE-2026-42579. (Tickets 278202, 278290, 277691, 278290) * We fixed an issue when Studio Pro was unable to find Git after a fresh installation if it was run from installer. (Tickets 232343, 232540, 232452, 234800, 231989) * We fixed an issue where a native mobile app crashed with a synchronization error on startup when a user role did not have access to a module whose entity was included in the app's offline synchronization profile. The app now completes synchronization and returns no objects for that entity, matching the behavior of the previous XPath-based synchronization. (Ticket 241791)
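Review bot: in the 11.12.md Fixes hunk, the added race-condition bullet has a misplaced parenthesis: "(for example, **ListView** would execute on a 'destroyed' value store." opens after "some widgets" and does not close until the end of the following sentence, so the example swallows the main clause. Close it directly after the first **ListView** and let "This would cause a crash when opening pages with **ListView**." stand as its own sentence before the ticket reference. Since the marker change from "-" to "*" rewrites every bullet in this list anyway, it is also the moment to fix the wording slips that are carried over unchanged: "a renaming a user" should read "renaming a user", "Shift+ F10" has a stray space, and the bullets ending in "an extension with permissions" and "from the model api types" are missing their final period.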
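Review bot: the security bullet added in the 11.6.md Fixes hunk links to /releasenotes/security-advisories/#48192, and nothing in this hunk shows an anchor with that id being defined, so please confirm the advisories page actually exposes it; a fragment that does not resolve drops the reader at the top of the page with no pointer to the right advisory. The bullet also gives only the score and vector (5.4, CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N) without the CVE ID, while the Netty bullet directly below names each CVE; adding the identifier here would make the entry searchable and keep the two security bullets consistent.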