Release notes for Magnolia DX Core 6.4.2

Delivered on January 26, 2026 • Changelog: 22603

Magnolia 6.4.2 is centered on platform stability, security, and infrastructure flexibility, highlighted by the introduction of native Azure Blob Storage support for DAM. This integration brings full feature parity with our existing S3 support, allowing you to store heavy asset binaries in your preferred cloud container while maintaining a seamless authoring experience. We have also upgraded CKEditor 5 to v47, transitioning to modernized installation methods that ensure a more robust and future-proof editing environment.

For developers, this release streamlines maintenance with a new filtering option in the Definitions app, designed to help you quickly isolate and inspect project-specific modules. We have also enhanced the Webhooks module, replacing deprecated parameters with clearer properties for handling request bodies and context to support more complex integrations.

Finally, we have reinforced system integrity through essential security hardening measures across the platform. These improvements include stricter content validation for the HTML component in the Magnolia Templating Kit (MTK) and new depth and complexity limits for GraphQL queries to protect against potential performance vulnerabilities.

There are minor breaking changes in this release:

What’s new

Azure Blob Storage for DAM

We have expanded our decoupled storage architecture to support Azure Blob Storage as a native external storage provider for DAM. This functionality is handled by the new Azure Blob submodule.

Previously available only for AWS S3, this integration allows you to store heavy asset binaries externally in your Azure container while keeping lightweight metadata within the local JCR workspace. This feature achieves full feature parity with our existing S3 integration, ensuring a seamless experience for both developers and content authors.

Key Benefits:

  • Infrastructure flexibility: Support for the two leading cloud providers allows you to align your DAM storage strategy with your existing organizational infrastructure (Azure or AWS).

  • Seamless authoring: The AdminCentral UI remains unchanged; authors interact with assets exactly as they did before, regardless of where the binaries are hosted.

  • Simplified configuration: The setup process for Azure mirrors the established configuration patterns used for S3, reducing the learning curve for system administrators.

Improvements

CKEditor 5 upgraded to v47

This major update brings the latest CKEditor features and improvements to editors in Magnolia, such as bookmarks (v44), table enhancements (v47), and so on. See the CKEditor 5 changelog and past release notes for more editor- and developer-focused improvements since v41.

CKEditor 5 custom builds

Custom builds based on CKEditor 5 v41 remain compatible and continue to work, in particular with the 1.0.x series of @magnolia/ckeditor5-plugins.

However, upgrading custom builds to v47 involves several breaking changes:

SafeHtml validator and list item ids

CKEditor 5 v47 automatically adds a data-list-item-id attribute to <li> tags. See the v46 release notes entry for details.

If you maintain your own safeHtml validator configuration on individual $richTextField definitions or override the default global config, this causes a validation error and prevents saving changes.

Resolution: Add the following allowedAttributes entry to your safeHtml config.

/ui-framework-core/config.yaml
validators:
  safeHtml:
    class: info.magnolia.ui.field.SafeHtmlValidatorDefinition
    allowedAttributes:
      lists:
        tag: li
        attributes: [ "data-list-item-id" ]

If you’re unsure whether your project has a safeHtml configuration, you can run a search in your light module or resource directories.
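One way to run that search, as an added example that is not part of Magnolia's documentation or code: it walks a directory of YAML definitions, reports every file that mentions the safeHtml validator, and notes whether the file already mentions data-list-item-id. The function name and the text-matching heuristic are assumptions; flagged files still need a manual look.

```python
from pathlib import Path

# Strings taken from the release notes; matching is plain text, not YAML parsing.
MARKERS = ("safeHtml", "SafeHtmlValidatorDefinition")
REQUIRED_ATTR = "data-list-item-id"


def scan_safehtml_configs(root):
    """Map each YAML file that mentions the safeHtml validator to its findings.

    Returns {relative_path: {"lines": [line numbers], "mentions_list_item_id": bool}}.
    """
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix not in (".yaml", ".yml"):
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = [
            number
            for number, line in enumerate(text.splitlines(), 1)
            if not line.lstrip().startswith("#")        # ignore commented-out config
            and any(marker in line for marker in MARKERS)
        ]
        if hits:
            findings[path.relative_to(root).as_posix()] = {
                "lines": hits,
                "mentions_list_item_id": REQUIRED_ATTR in text,
            }
    return findings


if __name__ == "__main__":
    import sys

    # Usage: python scan_safehtml.py <light-modules or resources directory>
    for name, info in scan_safehtml_configs(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        status = "ok" if info["mentions_list_item_id"] else "REVIEW: no data-list-item-id"
        print(f"{name}: lines {info['lines']} -> {status}")
```

Files reported with REVIEW are the ones where saving rich text containing lists may fail validation after the CKEditor 5 v47 upgrade.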

Filter by project modules in the Definitions app

You can now configure the Definitions app to filter displayed items based on a specific list of project modules. This is particularly helpful when migrating to Magnolia 6.4 to isolate and fix issues in your own code base.

For more, see Filtering project modules.

  • CFGUI-240 Add Project modules filter option

Webhooks and REST clients

In the Webhooks module, the queryParameters property is now deprecated. It is replaced by two new properties that offer better handling of request bodies and context: parameters and restClientContext.

  • parameters: Use this property as a direct replacement for queryParameters.

    When using the deprecated queryParameters with a POST method, custom values were often excluded from the request body. The new parameters property ensures that all custom values are correctly included in the POST body.

  • restClientContext: Use this property when working with a predefined REST client.

    This property allows you to pass values directly to your REST client definition, giving you full control to map these values to specific request locations (headers, query parameters, or body) within the REST client configuration.

Don’t use queryParameters and parameters simultaneously. If both are present, the deprecated queryParameters takes precedence to ensure backward compatibility.

  • MGNLHOOK-385 Expand the Webhooks module to include dynamic content

  • MGNLRESTCL-247 Allow invoking the REST client without automatically appending custom values as query parameters

Hybrid Assets incubator module: Azure-stored assets are displayed in DAM 6

We have also added support for current customers who use the Hybrid Assets incubator module with Azure in Magnolia 6.2, so that they can use or migrate their assets to the new DAM 6.

Other improvements

  • MGNLSITE-233 Facilitate CSP headers configuration for projects

    For more details, see Content-Security-Policy (CSP) filter.

  • MGNLUI-9038 Add a property to configure Vaadin’s DataCommunicator maximumAllowedRows

    You can now set the global property magnolia.selectField.maximumAllowedRows (default is 500) to increase the limit of items fetched by selection fields.

    This prevents IllegalStateException errors when displaying large datasets in AdminCentral components like twinColSelectField.

  • MGNLUI-9351 Remove custom code that is handling the X-Forwarded- headers

  • MULTISITE-227 Configurable way to end links with slash on Multisite

  • WARPFORM-995 Partial support for Vaadin actions (Backend)

  • WARPFORM-1166 Link field text widget should always show path representation

Security improvements

We keep the details of security fixes private in line with our security policy. Stay informed on the latest security updates by subscribing to our Security Announcements list. Contact our Support team if you need more information.

Discontinued URL session tracking by default

As of this version, Magnolia provides an opinionated default session tracking mode, using cookies exclusively. This effectively improves security by ensuring Tomcat never falls back to the URL tracking mode, which could expose session IDs in initial redirect URLs. The COOKIE session tracking mode mitigates session fixation or accidental leaks by users.

For projects inheriting Magnolia’s default web.xml via war overlays, this new default is applied automatically. If you need to support clients that do not support cookies, you may override the web.xml and reinstate the URL <tracking-mode> explicitly.

For projects with a custom web.xml, we recommend that you add the snippet below or verify that it is present:

<session-config>
  <tracking-mode>COOKIE</tracking-mode>
</session-config>
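
To verify a custom web.xml against the snippet above, the following added example (not Magnolia's own tooling) parses the descriptor and classifies its session tracking configuration. The function names, result labels and sample descriptors are constructed for illustration; the parser is meant for your own project files, not untrusted XML.

```python
import xml.etree.ElementTree as ET


def _local(tag):
    """Drop an XML namespace prefix such as {https://jakarta.ee/xml/ns/jakartaee}."""
    return tag.rsplit("}", 1)[-1]


def tracking_modes(web_xml):
    """Return every <tracking-mode> value declared under <session-config>."""
    root = ET.fromstring(web_xml)
    return [
        (mode.text or "").strip()
        for cfg in root.iter() if _local(cfg.tag) == "session-config"
        for mode in cfg if _local(mode.tag) == "tracking-mode"
    ]


def audit_session_tracking(web_xml):
    modes = tracking_modes(web_xml)
    if not modes:
        return "UNSET"        # container default applies; URL tracking may be used
    if "URL" in modes:
        return "URL_ENABLED"  # session IDs can end up in URLs
    if set(modes) == {"COOKIE"}:
        return "COOKIE_ONLY"  # matches the recommended snippet
    return "REVIEW"           # some other mode; check manually


# Constructed sample descriptors.
HARDENED = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee">
  <session-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>"""
MIXED = """<web-app>
  <session-config>
    <tracking-mode>COOKIE</tracking-mode>
    <tracking-mode>URL</tracking-mode>
  </session-config>
</web-app>"""
NO_CONFIG = "<web-app><display-name>constructed</display-name></web-app>"

if __name__ == "__main__":
    for name, doc in (("hardened", HARDENED), ("mixed", MIXED), ("none", NO_CONFIG)):
        print(name, audit_session_tracking(doc))
```

Anything other than COOKIE_ONLY means the descriptor does not yet match the recommended configuration.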

HTML component validation in MTK

To harden security in the Magnolia Templating Kit (MTK), the HTML component now enforces strict content validation.

The component dialog uses the info.magnolia.ui.field.SafeHtmlValidatorDefinition class to ensure that only safe HTML tags, attributes, and protocols are accepted. This is the same standard validator used by default in the Rich text field.

  • Scenario: If you edit an existing HTML component that contains content not present in the allowed list (such as <script> tags, onclick attributes, or javascript: protocols), the validator blocks the action.

  • Resolution: You are unable to save your changes until the disallowed content is removed or the validator configuration is adjusted.

Configuration

The validator is applied to the editHTML field in the component dialog definition (/mtk2/dialogs/components/html.yaml). It’s configured with a strict allowed* list of standard HTML tags and attributes. You can customize this list or remove the validator entirely (at your own risk) by overriding the dialog definition.

For more information on the validator class, see Global validators.

Security hardening in the GraphQL module

This release also introduces query complexity analysis and depth limiting to the GraphQL module, protecting instances against potential denial-of-service (DoS) attacks. Existing queries continue to function with the new conservative default limits.

What’s new:

  • Query complexity limiting: By default, queries are limited to a maximum of 200 fields.

  • Query depth limiting: The maximum depth of a query is now 15 levels by default.

  • Field duplication detection: Duplicate fields in a query now count toward the complexity limit.

You can adjust these limits through the module’s configuration.
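
To check existing client queries against the default limits before upgrading, the following added example (not the GraphQL module's code) estimates a query's field count and nesting depth. It is an approximation: named fragments are not expanded, the module's own counting may differ, and the sample query's field and type names are constructed.

```python
import re

MAX_FIELDS, MAX_DEPTH = 200, 15  # defaults stated in the release notes

# Strings and comments are matched first so braces inside them are ignored.
_TOKEN = re.compile(
    r'"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"|#[^\n]*|\.\.\.|[_A-Za-z]\w*|[^\s,]')


def estimate(query):
    """Approximate (field_count, max_depth); named fragments are not expanded."""
    toks = [t for t in _TOKEN.findall(query) if t[0] not in '#"']
    stack, max_depth, fields, parens, spread = [], 0, 0, 0, False
    for i, tok in enumerate(toks):
        prev = toks[i - 1] if i else ""
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        if tok == "(":
            parens += 1
        elif tok == ")":
            parens -= 1
        elif parens:
            continue                          # arguments, variable definitions
        elif tok == "...":
            spread = True
        elif tok == "{":
            stack.append(0 if spread else 1)  # inline fragments add no level
            spread = False
            max_depth = max(max_depth, sum(stack))
        elif tok == "}":
            if stack:
                stack.pop()
            spread = False
        elif stack and (tok[0].isalpha() or tok[0] == "_"):
            if nxt == ":" or prev in ("...", "@"):
                continue                      # alias, spread/`on`, directive name
            if prev == "on" and toks[i - 2] == "...":
                continue                      # inline fragment type condition
            fields += 1                       # duplicates are counted on purpose
            spread = False
    return fields, max_depth


def within_defaults(query):
    fields, depth = estimate(query)
    return fields <= MAX_FIELDS and depth <= MAX_DEPTH


# Constructed queries; field and type names are illustrative only.
SAMPLE = 'query P($p: String = "/a {x}") { pages(filter: {path: $p}) { title hero: image { link } ... on Page { title children { title } } } }'
DEEP = "{ " + "n { " * 16 + "leaf" + " }" * 17  # 17 nested levels
```

SAMPLE counts title three times, which reflects the rule that duplicate fields count toward the complexity limit.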

Additionally, client applications now receive more accurate HTTP response status codes, distinguishing between client-side and server-side errors. This change improves the debugging experience and aligns with REST/HTTP best practices.

| Scenario | HTTP code before | HTTP code now |
| --- | --- | --- |
| ValidationError (for example, DuplicateDirectiveName, FieldUndefined, UnusedVariable) | 500 | 400 |
| Query batching (JSON array format) | 500 | 400 |
| Malformed JSON in request body | 500 | 400 |

Bug fixes

  • ADMINCTR-636 Incorrect filter order in publishing configuration causes failures

  • LOGTOOLS-21 Handle empty log directory gracefully in Log Tools app

  • MAGNOLIA-9859 Link management – Transformer fails to create bean for node

  • MGNLPN-816 Variant marker isn’t displayed at new page import

  • MGNLPN-865 Duplicating a page with variants is missing the icon indicator

  • MGNLREST-900 REST API returns HTML instead of JSON on 401 Unauthorized

  • MGNLUI-8663 Show versions action always shows latest version on custom content apps

  • MGNLUI-9123 Searching can push selected items out of view

  • MGNLUI-9262 jcrMultiLinkField doesn’t maintain the order in which the nodes were selected

  • MGNLUI-9327 JcrSelectFieldSupport is no longer public

  • MGNLUI-9349 Links inside the compositeFields aren’t correctly rewired on Livecopy creation

  • PAGES-1792 Vaadin error occurs when clicking on external components

Deprecations

CKEditor 4

With this upgrade, CKEditor 4 is deprecated and in maintenance mode only.

timeToLive property in REST

The timeToLive configuration property for REST delivery endpoints has been deprecated with this release. Previously, using this property could result in duplicated Cache-Control headers.

Caching behavior for endpoints should now be managed centrally via the Cache modules. To enable caching for REST endpoints, which often utilize URLs without file extensions, you should adjust the emptyExtensionVote property in your cache configuration.

To cache REST endpoints, set the emptyExtensionVote property to false at the following configuration path:

/modules/cache/config/contentCaching/defaultPageCache/browserCachePolicy/policies/dontCachePages/voters/contentType

For more configuration details, see Cache control directives.

  • MGNLREST-896 Deprecate the timeToLive config for delivery endpoints

Updated modules

Bundled modules included with this release.

  • Admincentral 6.4.1

  • CKEditor 5 Build 2.0.0

  • Community Edition 6.4.2

  • Content Editor 4.0.2

  • DAM App 6.0.2

  • DAM 6.0.2

  • DX Core 6.4.2

  • Definitions App 4.0.2

  • Demo Projects 6.4.2

  • GraphQL 3.0.1

  • Log Tools 3.0.1

  • Magnolia 6.4.2

  • Multiple Pages Apps 3.0.1

  • Multisite 4.0.1

  • Pages 6.4.1

  • Personalization 4.0.1

  • Publishing Transactional 3.0.1

  • Publishing 4.0.2

  • REST Client 4.0.1

  • REST Framework 4.0.2

  • Repository Tools 3.0.1

  • Site 3.0.1

  • Templating Essentials 4.0.1

  • Third-party library BOM for Extensions 6.4.2

  • Third-party library BOM 6.4.2

  • UI 6.4.2

  • Usage Metrics 3.0.1

  • Vaadin Compatibility Addons 2.0.1

  • Warp Forms 1.0.2

  • Webhooks 3.0.1

Unbundled modules

Unbundled modules released since Magnolia 6.4.1.

Acknowledgements

The Magnolia team would also like to thank everyone who reported issues, contributed patches or simply commented on issues for this release. Your continued interest helps us make Magnolia better.
