Release notes for Magnolia CMS 6.2.68

LTS release • Delivered on December 18, 2025 • Changelog: 22096

Magnolia 6.2.68 is primarily a security release. It also introduces improvements, including a new configurable option to enforce trailing slashes on generated links and another to configure a lighter full-text search index.

Improvements

Security improvements

MAGNOLIA-9787, MAGNOLIA-9788, MGNLGQL-202, MGNLGQL-203, MGNLMAIL-214, MGNLREST-885, MGNLTOMCAT-64

We keep the details of security fixes private in line with our security policy. Stay informed on the latest security updates by subscribing to our Security Announcements list. Contact our Support team if you need more information.

Configure Magnolia (on Tomcat) behind a reverse proxy

The default RemoteIpValve configuration is included in Magnolia bundles out of the box. This page explains how to set up Magnolia with Tomcat behind a proxy such as Nginx or Apache, detailing the use of X-Forwarded headers and Tomcat’s RemoteIpValve to address common issues.

Security hardening in the GraphQL module

This release introduces query complexity analysis and depth limiting to the GraphQL module, protecting instances against potential denial-of-service (DoS) attacks. Existing queries continue to function with the new conservative default limits.

What’s new:

  • Query complexity limiting: by default, queries are limited to a maximum of 200 fields.

  • Query depth limiting: the maximum depth of a query is now 15 levels by default.

  • Field duplication detection: duplicate fields in a query now count toward the complexity limit.

You can adjust these limits through the module’s configuration.

Additionally, client applications now receive more accurate HTTP response status codes, distinguishing between client-side and server-side errors. This change improves the debugging experience and aligns with REST/HTTP best practices.

Scenario HTTP code before HTTP code now

ValidationError (for example, DuplicateDirectiveName, FieldUndefined, UnusedVariable)

500

400

Query batching (JSON array format)

500

400

Malformed JSON in request body

500

400

Miscellaneous

  • MGNLTOMCAT-67 Update org.apache.tomcat:tomcat version to 9.0.113

Updated modules

Bundled modules included with this release.

  • Barebones Tomcat Bundle 1.2.43

  • Community Edition 6.2.68

  • DX Core 6.2.68

  • GraphQL 1.1.11

  • Magnolia 6.2.68

  • Mail 5.6.5

  • Multisite 2.1.8

  • Publishing 1.3.21

  • REST Framework 2.2.35

  • Third-party library BOM 6.2.68

  • Tools 1.9.4

  • UI 6.2.68

  • Webhooks 1.0.5

Unbundled modules

Unbundled modules released since Magnolia 6.2.67.

Acknowledgements

The Magnolia team would like to thank everyone who reported issues, contributed patches or simply commented on issues for this release. Your continued interest helps us make Magnolia better.

Feedback

DX Core

×

Location

This widget lets you know where you are on the docs site.

You are currently perusing through the DX Core docs.

Main doc sections

DX Core Headless PaaS Legacy Cloud Incubator modules