Flowable 2025.2.x Release Notes

Initial release 2025.2.01, December 16, 2025

Introduction

The Flowable product comprises:

• Flowable Work, a process and case management platform with an out-of-the-box user interface.
• Flowable AI Studio, an agentic case platform that allows you to build AI-driven solutions.
• Flowable Engage, built on top of Flowable Work, adding conversations and external connectivity to WeChat, Whatsapp and others.
• Flowable Design, a modeling environment to create BPMN, CMMN, DMN, Form and other model types that run in Platform/Work/Engage.
• Flowable Control, an administration tool that can be used to manage the Flowable Platform / Work / Engage environments.
• Flowable Inspect, a debugging and test component that can be used with Flowable Work and Engage.

These products are built on top of the Flowable Open Source project which can be found at Github.

Documentation

• Documentation home

• The Flowable Engage User Guide

• The Flowable Work User Guide

The Flowable Open Source project also has extensive documentation available which can be found at https://www.flowable.com/open-source/docs/oss-introduction.

Highlights

Flowable AI Studio

• Added support for AI chat to the process, case, decision, form, service, agent, event, channel, data dictionary, data object model editors to allow using prompts to add new elements and new properties, or bulk update properties in the model.

• Added support for AI chat in the app overview to get information about the models in the app using prompts, like getting an overview where a specific variable is used, or get all variables used in the app etc.

• Added support for external agents implementing the A2A specification.

• Added support to define tools for a utility agent to allow a LLM to fetch information from a tool when needed. Tools can be services or agents and therefore can get information from a wide variety of options, including script logic, REST services, and other agents.

• Added a timeline visualisation in Control to show the requests and responses of an agent instance, including LLM calls, tool calls etc. For each entry in the timeline a detailed view with the request and response message information is shown.

• Added support to view the number of agent invocations for each agent definition, and to see the token count for each agent definition.

• Added support to define custom external agents using the same palette approach as for cases and processes. The runtime logic for the external agent invocation can be implemented using the ExternalAgentInvoker interface.

• Added polling support to see if an external agent is completed.

• Improved non-transactional execution of an agent task to not block database transactions.

• Introduce a new AI button form element that can be used to invoke an agent model from an (auto-execute) form button.

• Added a new "Trigger intent evaluation" task to the CMMN palette, so that an intent evaluation can be modeled.

• Expose the document classification operation of a document agent.

• Configure content transformation of popular file format when passing them to a LLM.

• Added support for using tenant and app variables in prompts in an agent model.

• Added an AI instruction property to content models to describe the content model type for usage in AI classification and other AI content logic.

• Added support to configure the secret value for AWS Bedrock in an external agent model.

• Added support to remove agent instance data as part of the regular housekeeping logic of case and process instances.

Flowable Work

• Implemented a new design system for the default Work UI and improved navigation patterns. Note that this will only apply if previously the default theme was used. In case a custom theme is used, this will still be used by the Work UI, but due to changes in the navigation patterns and component structure adaptations to the custom theme might be needed.

• Improved the form custom component CLI and support in Design and Work for exporting and importing apps using custom form components, to support using always the lastest deployed version of a custom form component, and to support using the custom component CLI from a CI/CD to always publish the latest state of a custom component project to a Work instance.

• Added an Apache Camel channel option to inbound and outbound channel models to allow to use Camel routes for inbound or outbound events. Since Apache Camel uses different modules for different channel types, the Camel module dependencies of choice should be added to your Work application. Also the Apache Camel Flowable module needs to be present.

• Added support to automatically apply the database changes for a data object model on deployment. This can be configured on the data object changelog model. Because making changes to the database schema can have implications, this feature needs to be explicitly enabled with the flowable.dataobject.auto-update-data-object-schema-definitions=true property.

• Added support for using Microsoft Entra as an IDM. See the installation guide for information on how to configure it.

• Added support to use a SLA model for a case or process, in addition to tasks.

• Improved SLA reaction and completion time for the type day to use full working days instead of translating days to 24 hours. In case the old behaviour is still preferred the flowable.platform.enable-sla-legacy-working-day-behavior=true can be set.

• Fixed issue with case migration with existing sentry part instances on a plan item instance that is terminated.

• Fixed issue with using the change activity state API for multi instance tasks.

• Fixed issue to support attachment fields in outcome forms.

• Introduced new property flowable.http.client.spring-web-client.netty.max-header-size to set a custom max header size (default 8192 bytes) for HTTP and service registry task calls.

• Introduced new properties flowable.http.client.apache5.max-connections (default 500) and flowable.http.client.apache5.max-connections-per-route (default 250) to be able to set a custom maximum amount of connections and a custom maximum amount of connections per route url for the HTTP and service registry task calls.

• Improved support for a case or process starter that should not have permissions on the created instance by adding additional configuration options in the security policy model.

• Added an option in the security policy model to exclude root and parent variables in case the user has no read permission on the root and/or parent instance.

• Added option to execute a DMN decision without storing historic data.

• Added autocomplete support for data object select form components.

• Improved support to cancel a document upload while it is in progress.

• Improved support for a view refresh for action buttons on a page.

• Added a new REST API endpoint to create a new user definition.

• Added support for including the root and parent business status in the case, process and task Elasticsearch indices.

• Changed license user count info in Flowable Control and the system info to better reflect the default license contractual definition of user counts.

• Upgraded to React 19 and upgrade a lot of the FE dependencies to a newer version to ensure React 19 compatibility.

• Removed the legacyDataTable flag. This temporary transition flag from 2025.1.x which allowed time to migrate to the improved data table component is now removed.

Flowable Design

• Added a validation status for all models in an app in the app overview. The validation status for each model is updated when the model is saved. For the initial validation status, an option is provided to validate all models in the app.

• Improved and extended existing validation support in case and process model editors.

• Model validation has been added to the form, service, agent, event, channel, data dictionary, SLA, query and sequence model editors.

• The model validation status is shown when an app is published to indicate if there are known errors and/or warnings.

• Added a new Master Data model editor to allow to define master data directly from Design.

• Added support for an assignment and completion event in the SLA editor to provide more options to configure SLA actions.

• Added support for configuring input variables for the start case and process actions in the SLA editor.

• Added support for using Microsoft Entra to fetch users and groups to for example configure workspace permissions.

• Added support to define correlation parameters for an event registry start event in an event sub process in a process model.

• Added support for defining a LDAP group mapping to match the groups of a user for workspace permissions.

• Added support to limit access to Design to users belonging to a defined list of LDAP groups.

• Improved keyboard support to allow to use ctrl+s or command+s to save a model.

• Improved keyboard support to allow to use the escape key to close a dialog.

• Added a model usage toolbar item to have quick access to information about where the current model is used and which models it uses.

Flowable Control

• Added support to see the business audit trail of a case or process instance.

• Added support to update and delete data object instance.

• Added support to view completed action instances in addition to active action instances.

• Improved rendering of forms in the form instance view to support more form field types.

• Added JSON view for definition types like service, data dictionary, data object, action etc.

• Added information about the user that terminated or ended a case or process instance.

• Added support to view activity, plan item and user index data in Control.

Flowable Helm Chart

• Removed third party chart dependencies to PostgreSQL, Elasticsearch and ActiveMQ. These services have to be provided externally now.

• Updated the security context configuration to use the flowable uid/gid used by the Flowable Docker images. The uid of the flowable user was 100 before and is now 10001. The gid of the flowable group was 101 before and is now 10001.

• The default log file location, if logging: true is set, has changed from log/app.log to /logs/app.log as /app is now set as WORKDIR and therefore readonly base directory by the Flowable image.

Upgrade information

• Flowable requires a Jakarta EE version 11+ compliant web container, due to the upgrade to Spring Boot 4. For Tomcat this means at minimum Tomcat version 11.

Work Upgrade information

• Spring Security 7 removed the AntPathRequestMatcher. This means custom security configurations that use AntPathRequestMatcher will need to be updated. The following changes should be considered:

  • antMatcher("/analytics-api/" - This can be fully removed since the permissions check is now done directly in our implementation.

  • The different antMatcher with permitAll for HTTP basic authentication for static resources such as /, /**/*.svg, /**/*.ico, /**/*.png, /**/*.woff2, /**/*.css, /**/flowable-frontend-configuration, /**/index.html can be replaced with PlatformPathRequest.toStaticResources().atCommonLocations().

  • The antMatcher("favicon.ico") with permitAll for OAuth2 authentication can be replaced with PlatformPathRequest.toStaticResources().at(PlatformStaticResourceLocation.FAVICON).

  • More matchers are available in the PlatformPathRequest and EngagePathRequest classes.

• The exclusion of the FreeMarkerAutoConfiguration auto-configuration on the main SpringBootApplication annotated class is no longer necessary because of the modularization of the Spring Boot 4.x auto-configuration. The exclusion can therefore be removed.

• The Flowable REST API dispatchers are no longer picking up REST Controllers from the root application context. If you were using /xxx-api/actuator or /xxx-api/custom-endpoint then those are no longer going to be available in the /xxx-api location. You'll have to access them directly through /actuator or /custom-endpoint.

• The new Flowable Work UI theme is added under the name "Default theme" (and is also the fallback if no theme preference is set for the user). Please note that when flowable.platform.default-theme.force-ovewrite=false is set and the theme with key "Default theme" is being overwritten, users with the theme preference set to "Default theme" will not have access to newly added theme, but to the customised theme that overwrites it.

• Elasticsearch has a new Low-Level REST Client using Apache HTTP Client 5. With Spring Boot 4 only that client is being autoconfigured. This means that if you were customizing it, you'll need to use the Rest5ClientBuilderCustomizer. Additionally, the Elasticsearch Sniffer is now automatically there, but Flowable is disabling using spring.elasticsearch.restclient.sniffer.enabled, if you need to use that, then you'll need to set that property explicitly to true.

• The com.flowable.autoconfigure.security.FlowableHttpSecurityCustomizer#customize no longer throws an exception. If you have an implementation of that, you'll need to remove the throws Exception from it

• Spring AI 1.1 (the version used in this release) is not yet compatible with Spring Boot 4 and Spring 7. The planning is to move to Spring AI 2.0 when it's available, as this release will be compatible with Spring Boot 4 and Spring 7. For now when you want to use Anthropic, OpenAI or Azure OpenAI, make sure to add the following dependencies, instead of the spring-ai-starter-model-anthropic or spring-ai-starter-model-openai Spring AI starters:

  • Anthropic

  <dependency>
      <groupId>com.flowable.platform</groupId>
      <artifactId>flowable-vendor-spring-ai-starter-model-anthropic</artifactId>
  </dependency>
  • OpenAI

  <dependency>
      <groupId>com.flowable.platform</groupId>
      <artifactId>flowable-vendor-spring-ai-starter-model-openai</artifactId>
  </dependency>
  • Azure OpenAI - Use the Flowable OpenAI starter and configuring it according to use Azure OpenAI as the underlying AI service

  These dependencies will be available until Spring AI releases 2.0, which would be compatible with Spring Boot 4 and Spring 7, and we are going to use those.

Design Upgrade information

• Spring Security 7 removed the AntPathRequestMatcher. This means custom security configurations that use AntPathRequestMatcher will need to be updated. The following changes should be considered:

  • The different antMatcher with permitAll for HTTP basic authentication for static resources such as /, /**/*.svg, /**/*.ico, /**/*.png, /**/*.woff2, /**/*.css, /**/flowable-frontend-configuration, /**/index.html can be replaced with DesignPathRequest.toStaticResources().atCommonLocations().

  • The antMatcher("favicon.ico") with permitAll for OAuth2 authentication can be replaced with DesignPathRequest.toStaticResources().at(DesignStaticResourceLocation.FAVICON).

• The Flowable Design REST API dispatchers are no longer picking up REST Controllers from the root application context. If you were using /design-api/actuator or /design-api/custom-endpoint then those are no longer going to be available in the /design-api location. You'll have to access them directly through /actuator or /custom-endpoint.

• The com.flowable.autoconfigure.design.security.DesignHttpSecurityCustomizer#customize no longer throws an exception. If you have an implementation of that, you'll need to remove the throws Exception from it

• Spring AI 1.1 (the version used in this release) is not yet compatible with Spring Boot 4 and Spring 7. The planning is to move to Spring AI 2.0 when it's available, as this release will be compatible with Spring Boot 4 and Spring 7. For now when you want to use Anthropic, OpenAI or Azure OpenAI, make sure to add the following dependencies, instead of the spring-ai-starter-model-anthropic or spring-ai-starter-model-openai Spring AI starters:

  • Anthropic

  <dependency>
      <groupId>com.flowable.platform</groupId>
      <artifactId>flowable-vendor-spring-ai-starter-model-anthropic</artifactId>
  </dependency>
  • OpenAI

  <dependency>
      <groupId>com.flowable.platform</groupId>
      <artifactId>flowable-vendor-spring-ai-starter-model-openai</artifactId>
  </dependency>
  • Azure OpenAI - Use the Flowable OpenAI starter and configuring it according to use Azure OpenAI as the underlying AI service

  These dependencies will be available until Spring AI releases 2.0, which would be compatible with Spring Boot 4 and Spring 7, and we are going to use those.

Engage Upgrade information

• Spring Security 7 removed AbstractSecurityWebSocketMessageBrokerConfigurer which was used to configure the security for the WebSocket endpoints. The new approach would be to use @EnableWebSocketSecurity on the configuration class and the web socket security configuration should look something like:

@Configuration(proxyBeanMethods = false)
@EnableWebSocketSecurity
public class WebSocketSecurityConfiguration {

    @Bean
    public AuthorizationManager<Message<?>> webSocketAuthorizationManager(MessageMatcherDelegatingAuthorizationManager.Builder messages,
            WebSocketMessageBrokerProperties brokerProperties) {
        // In case there are destination prefixes deny all of them as they are forwarded to the broker
        String[] destinationPrefixes = brokerProperties.getDestinationPrefixes();
        if (destinationPrefixes != null) {
            for (String destinationPrefix : destinationPrefixes) {
                messages.simpMessageDestMatchers(destinationPrefix + "/**").denyAll();
            }
        }
        messages.anyMessage().authenticated();
        return messages.build();
    }

    @Bean
    public ChannelInterceptor csrfChannelInterceptor(FlowablePlatformSecurityProperties flowableSecurityProperties) {
        if (flowableSecurityProperties.getRest().getCsrf().isEnabled()) {
            return new CsrfChannelInterceptor();
        }
        return new ChannelInterceptor() {

        };
    }
}

Flowable Helm Chart

• For migrating PostgreSQL and Elasticsearch data to external services please refer to the Flowable Helm Chart documentation for upgrade instructions to 2025.2.x:

Spring Boot

• Flowable has been upgraded to Spring Boot 4.

• Note that the upgrade to Spring Boot 4 has several breaking changes which are mentioned in the upgrade information above. Additionally, there is more information in the Spring Boot 4 release notes and migration guide

Pentest report

• A new pentest has been performed on Flowable Work and Flowable Design and the results are available via your Flowable account manager or contact person.

AI Studio Database changes

• Added columns NAME_ and CALLBACK_SCOPE_ID_ to the FLW_AGENT_INSTANCE table.

• Added new index on column CALLBACK_SCOPE_ID_ of table FLW_AGENT_INSTANCE with name IDX_FLW_AGT_INS_CALLB_SCOPE_ID.

• Added columns NAME_ and CALLBACK_SCOPE_ID_ to the FLW_HI_AGENT_INSTANCE table.

• Added new index on column CALLBACK_SCOPE_ID_ of table FLW_HI_AGENT_INSTANCE with name IDX_FLW_HI_AGT_INS_CALL_SCP_ID.

• Added a new table FLW_HI_AGENT_INVOCATION to store the agent invocation information.

• Added a new table FLW_HI_AGENT_INVOCATION_EXCH to store the exchange information of the agent invocation.

• Added a new table FLW_HI_AGENT_INVOC_EXCH_PART to store the request and response information of an agent invocation exchange.

• The data from existing tables FLW_AGENT_INSTANCE_EXCHANGE and FLW_HI_AGENT_INSTANCE_EXCHANGE is copied to the new FLW_HI_AGENT_INVOCATION, FLW_HI_AGENT_INVOCATION_EXCH, FLW_HI_AGENT_INVOC_EXCH_PART tables. Note that this is happening with Java logic and when running the upgrade sql files manually this will not be executed. It will only be executed when using the default upgrade logic executed by Flowable automatically.

• The FLW_AGENT_INSTANCE_EXCHANGE table is dropped.

• The FLW_HI_AGENT_INSTANCE_EXCHANGE table is dropped.

Work Database changes

• Added new index on column GROUP_ID_REF_ of table FLW_IDENTITY_INFO with name FLW_IDX_IDM_INFO_GROUP_ID_REF.

• Change column type of ID_ of the FLW_ID_GROUP table to support an identifier value of 255 characters instead of 64.

• Change column type of GROUP_ID_ of the FLW_ID_MEMBERSHIP table to support an identifier value of 255 characters instead of 64.

Design Database changes

• Added column validation_status_ to the ACT_DE_MODEL table.

• Added columns APP_KEY_ and WORKSPACE_KEY_ to the FLW_DE_CUSTOM_COMP_PROJECT table.

Control Database changes

• Change column type of PASSWORD_ of the FLW_CTRL_SERVER_CONFIG table to support a value of 2000 characters instead of 100.

• Change column type of PASSWORD_ of the FLW_CTRL_CLUSTER_CONFIG table to support a value of 2000 characters instead of 100.

Open Source Artifacts Dependency Compatibility

Releases of Flowable Design, Work and Engage use versions of the open source Flowable dependencies that have not yet been published publicly on the Maven Central repository. These 'bugfix releases' can be retrieved by customers using the customer Flowable Maven repository credentials.

These versions contain fixes and have been QA'ed with the 2025.2.01 release. It's advised to upgrade your open source dependencies to the 'compatible' version mentioned below (and mentioned in the subsequent Service Packs section)

Open source dependency version: 8.0.0.6

Service Packs