Release 26.04.20-01

@dotCMS-Machine-User released this 20 Apr 15:36

Release: v26.04.11-02 → v26.04.20-01

Caution

Rollback Warning: This release contains irreversible changes that are non-trivial to roll back from.

  • Content Indexing API: ContentletIndexAPI.fullReindexStart() now returns IndexStartResult instead of String; ES-specific types (BulkRequest, BulkProcessor, ActionListener) removed from the interface — callers must be updated before rollback is possible. (#35289)
  • GraphQL Permissions: Anonymous relationship-field queries now return PERMISSION_DENIED in the errors array instead of Internal Server Error; rolling back restores the broken 500 behavior for anonymous GraphQL consumers. (#35038)

Features & Enhancements

  • Identifier: Adds base_type column and idx_identifier_base_type index to the identifier table, backfilled in batches via PopulateIdentifierBaseTypeJob — enables faster content-type-aware queries without joins to structure. (#35164)
  • Content Indexing: Migrates ContentletIndexAPIImpl to a vendor-neutral phase-aware router, enabling dual-write to both Elasticsearch and OpenSearch backends during the ES→OS migration. (#35289)
  • Edit Content: Workflow command bar now renders all actions as individual inline buttons (with an overflow menu for 4+), replacing the split-button pattern so all actions are immediately discoverable. (#35290)
  • File Browser: Uploaded files are now automatically selected and the Add button immediately enabled after a successful upload, eliminating the extra click. (#35301)
  • UVE: Same-page navigation (hash-only or query-only URL changes) no longer triggers a full page reload in the editor canvas. (#35326)
  • UVE: Quick-edit panel gains a Cancel button that restores the last saved snapshot; container labels in the row-reorder palette now show a tooltip for truncated titles. (#35374)
  • Content Drive: Adds an Edit Permissions option to the folder context menu, opening the existing permissions portlet in a dialog (shown only when the user holds EDIT_PERMISSIONS). (#35327)
  • Content Drive / Edit Content: Pre-fills the Host/Folder field when creating a contentlet from a folder context in the legacy browser. (#35322)
  • Bundle Management: New REST endpoints POST /api/v1/bundles/assets and DELETE /api/v1/bundles/{bundleId}/assets replace the legacy JSP-based bundle asset management with partial-success semantics and in-progress bundle guards. (#35024)
  • Maintenance Portlet: New REST endpoints GET /api/v1/caches, GET /api/v1/caches/stats, and DELETE /api/v1/caches/region/{regionName} replace JSP-based cache management; also fixes missing resetAllPermissionReferences() side-effect on the existing provider flush endpoint. (#35218)
  • Portlets: Adds push publish action to the Plugins portlet context menu (requires enterprise license and configured environments); standardizes UI across Locales, Tags, and other portlets. (#35311)
  • UVE: Visual polish pass across UVE 2.0 — responsive sidebar widths, palette thumbnail and hover improvements, style editor form consistency, and row-reorder hover fill. (#35343)

Fixes and Known Issues

  • Edit Content: Block editor field now correctly parses JSON strings returned by the API during content translation, preventing raw JSON from displaying as plain text. (#35247)
  • Edit Content: Switching to an untranslated locale now clears inode and resets the workflow step, so default workflow actions (e.g. "Save as Draft") are shown instead of the original contentlet's actions. (#35309)
  • Tasks Portlet: Task Detail dialog now opens correctly for content types using the new edit mode, since the edit-task handler always uses the legacy task detail path. (#35312)
  • GraphQL: Anonymous queries traversing relationship fields no longer return Internal Server Error — denied access now surfaces as PERMISSION_DENIED in the errors array. (#35038)
  • Content Types API: The ensure parameter no longer causes the ensured item to appear twice or permanently omit a displaced item from paginated results. (#35300)
  • Vanity URLs: Restores the trailing slash on /c/ in BACKEND_FILTERED_COLLECTION, preventing the prefix from incorrectly matching all URLs starting with the letter "c". (#35346)
  • Push Publish: Fixes NPE, missing content, and "Conflicts between Folders" errors when push-publishing a renamed folder by bumping version_ts on contained assets and re-keying child subfolder identifiers. (#35298)
  • Reindex: Eliminates a TOCTOU race in ReindexThread by creating a fresh BulkProcessorListener and IndexBulkProcessor per batch, preventing silent record loss from concurrent rebuild signals. (#35323)
  • OpenSearch: OSIndexAPIImpl now loads os-content-settings.json (the file that actually exists) so indices are always created with my_analyzer, fixing HTTP 400 errors from addCustomMapping on OS 3.4.0. (#35349)
  • OpenSearch: Phase 3 (OPENSEARCH_ONLY) no longer queries the decommissioned ES cluster or recreates ES indices on checkAndInitializeIndex() cycles. (#35356)
  • OpenSearch: OSIndexAPIImpl.getClosedIndexes() is now implemented, fixing HTTP 404 on all subsequent operations after closing an OS index. (#35352)
  • Feature Flags: DotPropertiesService.getFeatureFlag() now correctly handles native JSON boolean values from the config endpoint, fixing the Style Editor tab being hidden despite the flag being enabled. (#35332)
  • UVE: Workflow actions in the UVE toolbar are restored to the p-splitButton grouped layout; the inline-buttons behavior introduced in #35290 is preserved for Edit Content. (#35361)
  • Rules Engine: /api/portlet/rules/include now returns HTTP 400 for missing/malformed IDs and HTTP 404 for unmatched IDs, replacing a JasperException HTML error page; also fixes an XSS vector in the JSP script block. (#35337)
  • Security: Upgrades commons-beanutils (CVE-2025-48734), commons-io (CVE-2024-47554), guava (CVE-2023-2976), bouncy-castle (CVE-2023-33202), and commons-lang3 (CVE-2025-48924); adds OWASP suppressions for 21 Elasticsearch client false positives. (#35236)
  • Database: Fixes a connection leak visible in logs approximately 30 minutes after dotCMS startup. (#35120)
  • Next.js SDK Example: Restores @dotcms/react, @dotcms/types, and @dotcms/uve dependencies to latest published versions, fixing broken installs for anyone cloning the example. (#35357)
  • Portlets UI: Standardizes search box widths, fixes the content compare version dropdown not showing a selected value on first load, and corrects Categories import dialog layout overflow. (#35341)

Infrastructure & Security

  • UVE Store: Refactors UVE store to a single-source-of-truth model via computed signals ($page(), $site(), etc.), removing duplicated state fields and renaming GraphQL-specific properties to implementation-agnostic names. (#34173)
  • Dependencies: Removes the com.dotcms.lib:dot.guava repackaged artifact and migrates all 240 com.dotcms.repackage.com.google.common.* imports to standard com.google.common.*. (#35315)
  • OWASP: Wires owasp-suppressions.xml to the dependency-check Maven plugin — the suppression file existed since 2024 but was never referenced, causing 21 false-positive CVEs to appear in every scan. (#35340)
  • SDK Publishing: Introduces a single VERSION file as the source of truth for all SDK package versions, fixing @next publish collisions caused by per-package version drift. (#35110)
  • OpenSearch Tests: Adds 20 integration tests for ContentFactoryIndexOperationsOS against a live OS 3.x container, and fixes cache key stability, sort unmappedType, scroll track_total_hits, and missing SearchHit.index bugs discovered during testing. (#35317)
  • CI: Upgrades the Claude orchestrator to v2.1.0, adding a pre-flight Anthropic API availability check so PR pipelines skip gracefully during service outages instead of failing. (#35336)
  • Starter: Bumps the empty starter deploy version to empty_20260331, ensuring fresh installs include the correct Plugins portlet layout configuration. (#35364)
  • Docker: Fixes a FileNotFoundException stack trace logged by the opensearch-performance-analyzer plugin on every opensearch-upgrade container startup. (#35359)
  • JSP Cleanup: Removes 9 unused imports from view_unpushed_bundles.jsp. (#35362)