DXP Releases for 2026

Dependencies have been upgraded to address security issues, ensuring a safer and more reliable system.

Headers disallowing caching had already been set when a query string parameter was present in the URL.

When the Redirect URLs with Trailing Slash system configuration was activated, if a query string were present in the URL, the redirect would be served with headers instructing upstream caches not to cache the result. This header instruction resulted in requests being unnecessarily forwarded to the CMS.

The cacheability headers were unset and explicitly reset to appropriate values by the CMS when performing the redirect from URLs containing a trailing slash.

CMS now sends appropriate cachability headers when redirecting from a trailing slash, and a query string is present

The wrong asset was being matched for an event that retrieved keywords.

This mismatch prevented keywords from displaying on the Format Bodycopy contents screen under a Custom Form.

The event listening logic now directly checks for this scenario and delegates correctly.

Keywords on the content screen now list correctly for Format Bodycopy assets under Custom Forms.

The PHP end() function returned false if run on an empty array.

When no results were present, search pages with custom grouping could produce a fatal TypeError on some platform versions.

The code path for custom grouping was updated to avoid calling end() when there were no results.

All platform versions will now correctly show the no results page when custom grouping is enabled.

When the option to use UUIDs instead of asset IDs for linking to assets directly was introduced, the image preview code was not changed.

If the URLs containing ?a= will return a 404 system setting was enabled, then the preview for an image on the details screen showed a broken image due to a 404 Not Found error.

The preview URL for images was updated to use the external-uuid link.

Image previews now appear normally, regardless of whether the URLs containing ?a= will return a 404 system setting is active.

To ensure compatibility with platform versions, the ^increment and ^decrement keyword modifiers no longer have any effect on strings that are not entirely numeric.

For example, a value of "mach 1" would previously have been modified by ^increment to output "mach 2". And a value of "aa" would have become "ab".

These types of transformations no longer occur, and they will be output unchanged as "mach 1" or "aa".

Wholely numeric values, such as "5432" or "-26", will still be incremented or decremented normally by the keyword modifiers.

Thesaurus filters on Asset Listing Pages treat all related links to thesaurus terms as filter weights, and newer platform versions change the behaviour of arithmetic operations on non-numeric strings to be fatal.

Thesaurus filters on Asset Listing Pages would often cause a fatal error on newer platform versions.

The fix implemented ignores non-numeric strings when performing arithmetic operations for Thesaurus filters.

Thesaurus filters on Asset Listing Pages now work correctly regardless of the link values in the system.

Changes to allow Matrix to use the fastest database in the backend exposed an issue where transactions were being started on the read-only database. A warning was added to help identify any cases that were missing from the test suite.

A small number of these human-readable diagnostic warnings were subsequently shown to users.

The incorrect transactions have been removed, and the warnings will stop showing to users. Squiz Content Management can reliably use a faster DB in the backend.

Squiz Content Management was unable to cache asset URLs within DejaVu, so whenever URLs were used, a Database lookup was required, even if the asset was already cached in DejaVu.

To attempt to fix this problem, Squiz Content Management was updated to cache asset URL information within DejaVu alongside the rest of the asset details.

However, this change to the product resulted in an unplanned regression and had to be removed in this hotfix version.

Provide layout ID and display layout and component information more consistently.

Layout ID available from the information form, and improved consistency between page builder and Squiz DXP layout/component information.

Clearing block validation warnings, missing checks for locked layout zones, or containing locked layout zones.

Incorrect block validation warnings are displayed when saving a template.

Updated clear validation warning logic to evaluate whether a zone is a locked layout or contains one.

Unlocking top-level zones and locked layouts results in the correct clearing of block validation warnings.

When a Content Template is imported with the XML tool, it does not sync correctly with the template service.

There is a visible error in the import HIPO job, and then an error when visiting the content screen of any Content templates after import.

Template name sync no longer occurs on import, and a template record is created for the newly imported Content Template asset.

No errors are displayed in the import HIPO job, and the newly imported Content Template can be edited from an empty state.

When a layout zone was set as a primary zone on a templated page, it wasn’t getting reset when that layout was deleted from the page.

Template service validation failed if a user tried to save the page.

The fix clears the primary zone to null if a layout primary zone was deleted.

The page now saves when a layout that had a zone set as primary no longer exists on the page.

When a templated Content Page had a template applied, resulting in unused content, continuously swapping back and forth between the original and new template corrupted the state of the content page. Content page editing is unusable until the page is reloaded.

Better data conversions were implemented to handle continuous transformations.

Content page editing remains usable after switching between two templates in a single session.

A link to Squiz DXP logs was available for Content Page assets, but was missing for Content Template assets.

With this minor improvement, users can now navigate from Content Template asset logs to DXP logs and view logged events for that asset.

Previously, when the chatbot provided a generic fallback response (for example, "I’m sorry, I couldn’t find an answer"), this interaction was successfully shown to the user in the chat window but was not saved to the permanent history log.

The system now correctly records all response types, ensuring your conversation history accurately reflects the full dialogue.

Previously, the X-Forwarded-For edit plugin did not have a dedicated mode to isolate only the final IP address in a forwarded chain. This made it difficult to handle specific network configurations where the last hop was the required identifier.

The plugin now includes a KeepLast configuration mode. When enabled, the plugin strips all other IP addresses from the X-Forwarded-For header, retaining only the last one.

This update ensures more accurate IP detection for search usage analytics, Curator, and IP-based access restrictions in complex proxy environments.

Archive extraction with data sets large enough to split over multiple unzip processes could trigger duplicate folder creation if files in those folders were split over multiple unzip processes.

As a result, duplicate folders could appear in the frontend DXP Console File Store browser causing visual confusion. While File Store still unzipped the archives correctly, the duplicate folders could cause visual confusion for users.

The fix adds additional checks to ensure duplicate folders are not created under these conditions.

The course material has been updated to support the current layout development capabilities, which include the switch to the manifest.json configuration file format.

This information brings this part of the course up to current configuration recommendations.

Enroll now through Squiz Academy.

The generic messages shown to users when uploading schema changes are now replaced with more helpful messaging.

This minor improvement to error message communication may help users identify and fix issues with their schemas more readily.

Read Schema upload errors in the Single Customer View section of the Customer Data Platform docs.

If the binoculars needed to switch trees to find an asset, because it is not found underneath the current one’s restricted root node, the current selection was then cleared on the original (and thus incorrect) asset tree.

Multiple assets could end up selected, on the newly shown asset tree, when using the binoculars.

The asset selection clearing was made consistent with other selection clearing code.

Only the asset located by the binoculars will be selected.

Duplicate form submissions could occur if the same POST request were made multiple times and other protections did not prevent it.

With the Form submission token validation feature flag enabled, a Form Submission Token Validation to Prevent Duplicate Submissions setting becomes available on the Content screen of Custom Forms assets. When this option is enabled, a token is added to the custom form and tracked on the server to ensure that a submission is processed only once.

An issue is known where file attachments may still be processed in duplicate submissions, even though an error apperas for the attachment. This known issue will be fixed before the full release of the feature and removal of the feature flag.

Certain platform upgrades could cause breaks in how htmlspecialchars and htmlentities work, potentially breaking the encoding of special characters and entities.

The fix adds a feature flag that allows preserving the old behaviour. Upgrading systems in this way will no longer cause encoding to break.

Squiz Content Management has been unable to control cache times for __data, resulting in some files remaining in cache longer than necessary.

If the Serve __data from Matrix is enabled, Matrix will now directly serve file assets with __data URLs.

The administration interface references to virus scanning have been removed.

The way Squiz Content Management scanned files for potential malware did not scale up in the Squiz DXP environment. It also should not be possible to turn this feature on and off because the legacy virus scanning system was not implemented.

Squiz is reassessing how best to perform malware scanning of files in the Squiz DXP environment and which interface is required to support this function.

The zone ID was stored as a zone name for some unused content zones, including parent and missing block zones. In some unused content scenario conditions, the zone ID was displayed instead of the zone name.

The fix looks up the zone name, if available, instead of the zone ID for unused content zones. This change means that zone names take precedence over zone IDs in the Page Builder Layouts UI.

The message string "A layout update has removed this entire zone" now appears for page-managed content on a templated page. This message string replaces the longer string "A layout update has removed this entire zone. This content will continue to re-appear here until it is handled in the template."

Two strings could appear in unused content as a result of deploying a new version of the layout that had zones changed or removed. The wrong message was displaying incorrectly in page-managed content on a templated page, and this fix improves the messaging in this area of the UI.

An adjustment was made to layouts when content was moved to Unused content during a layout update. Any parent layouts that a layout is nested in will now appear as a structural placeholder in Unused Content, so the content editor knows where the layout came from.

When emptied, these parent layouts were not automatically removed, and there was no way to remove them other than clicking the checkbox to clear Unused Content entirely. Now, any partially affected layouts in Unused Content will disappear when emptied.

Unused content reasons due to layout zone changes now cascade to any nested layouts affected by them.

Before this improvement, if unused content appeared after deploying a different version of a layout, unused content reasons would appear on the top-level layout, but not on nested affected layouts.

Fixed missing mapper passthrough on retry from the previous step, improving retry reliability.

This ensures the message retry behavior includes mapper passthrough.

When a contract owner removes a user who was the only member of a developer team, ownership now automatically transfers to the first contract owner.

This fix prevents orphaned teams when the sole member is removed.

Initial component release.

Initial component release.

A new eLearning course for Site Builders is available that provides foundational learning to support customers who are using or want to use the recently released content templates feature.

Read the January 2026 new features to learn more.

A new learning plan for Site Builders brings together three learning materials on content template design fundamentals.

Read the January 2026 new features to learn more.

The ELV25-009, ELV25-010, ELV25-011, and ELV25-012 video eLearning courses are now available in Squiz Academy.

Read the January 2026 new features to learn more.

A Force XML plugin is available in Squiz Search to work around issues with non-conformant XML source files.

Read the January 2026 new features to learn more.

Zones in the page outline (and unused content) now appear in the order defined in manifest.json

Read the January 2026 new features to learn more.

A recent product improvement to the way manifest files in templates are structured using JSON is now reflected in the Component Service documentation.

Read the January 2026 new features to learn more.

Read the February 2026 new features to learn more.

For a tenant with custom roles enabled and a single Search instance when non-owners logged in non of there custom roles were being used.

When logging in a user the code changed there user record type and roles to only include the clients primary role. Consequence:

The code has been adjusted to ensure the user record is not changed when a user logs in.

The useer has the roles assigned to them to complete required Search tasks.

The segment sets feature allows administrators and site builders to scope Personalization segment sets based on their required availability across sites.

The documentation required to understand this feature was updated to reflect the support for segment sets in Squiz Content Management.

Read the Segment scoping documentation to learn more.

Added: Send event on non-push data source update stop. Changed: Send event after successful view swap for non-push data sources as a post swap step instead of during the index phase. Send event after successful commit for push data sources as a post commit step instead of during the index phase.

An incorrect name for the page parameter was used when creating page navigation links.

Page navigation links contained multiple incorrect parameters for page numbers, and the wrong page was loaded.

Page parameter name is fixed when generating URL links, so the parameter is properly cleared and set to the correct page number.

Page navigation links now only contain a single page parameter with the correct value.

preg_replace works with URLs that include query params. Some replacement patterns preserve query params in the output, then the code appends them again, causing duplicates.

Query parameters are duplicated in redirect URLs when remap rules have "Preserve query string in remaps" enabled. For example, /example?foo=bar redirects to /example2?foo=bar?foo=bar instead of /example2?foo=bar.

The fix extracts query params before regular expression replacement, strips them from the URL, then merges the query parameters back by using getRemapUrlWithQueryString(), which handles the existing ? correctly.

Query parameters are preserved exactly once in redirect URLs.

A value used in Workflows was not being correctly type-checked, which caused a PHP fatal error in certain circumstances.

The value causing the fatal error now has correct type checking in place.

The ability to preserve legacy handling of HTML entities and special character encodings was added in 6.80.0 as described in the January 2026 errata.

It was discovered that this feature change could not accept null values from other parts of the codebase. Fatal errors were generated (including visible errors on the frontend interface) when certain variables or keyword modifiers are used.

The fix combines Null values into an empty string before handling.

The original fatal errors no longer occur, and null values are treated as empty strings.

Squiz Content Management was unable to cache asset URLs in DejaVu, so whenever URLs were used, a Database lookup was required even if the asset was already cached in DejaVu.

Squiz Content Management will now cache asset URL information in DejaVu alongside the rest of the Asset details, reducing database queries and improving page render times for pages with many URL lookups.

Squiz Content Management was unable to cache asset permissions or major links (Type 1/2) within DejaVu, so any requests had to go to the database to fetch those details.

Squiz Content Management will now cache asset permissions & major links (Type 1/2) in DejaVu alongside the rest of the asset details, reducing database queries and improving page render times for pages with many URL lookups.

The "missing zone" reason is attributed to top-level zones changing from page-managed to locked.

An incorrect zone reason was displayed for template-locked top-level zones in unused content.

Detect when the page managed zone specifically changed to template-locked and assign the correct reason.

The correct locked zone reason appears when the page zone is changed to template-locked.

Unused content zones could sometimes appear in a random order and not align with the zone order in the template/page.

Zones in unused content appear in the order they are on the page/template, with any deleted zones appearing at the top.

Each code sample in the Data Services documentation now shows the configuration file it is associated with.

This additional prescriptiveness will help readers clearly identify which persistent file any given code sample is from.

Mentions of server components and server-based static file support documentation are now unavailable in the Component Service documentation.

Read the February 2026 enablement updates section to learn more.

A bug was discovered where the date filter plugin threw an error when the Facebook Data Source returned a page type other than POST or EVENT.

The plugin was updated to process page types other than POST or EVENT.

This plugin was changed to allow reading the last x-forwarded-for IP address from the access_restriction.prefer_x_forwarded_for parameter.

This change lets the plugin retain the last IP address if the option is set. This behavior is required by Content Management and Squiz Search to properly track the locations of users who request searches through Content Management.

Documentation required updates that reflected the behavior of search user accounts in Squiz DXP.

Added notes on search user account behavior when DXP users are turned off or re-enabled.

Read Squiz DXP Console Search Custom Roles documentation for more information.

The documentation lacked operational nuances and exhaustive technical restrictions relevant to custom roles in Squiz DXP.

Consolidated all technical guardrails, operational behaviors, and best practices into the public documentation.

Read Search Custom Roles documentation for more information.

The Datastore documentation feature page for JavaScript SDK did not contain links to the SDK.

Improved the aggregation feature page to clearly link to the JavaScript SDK usage page, which now contains links to the SDK itself.

Read Datastore Aggregation documentation for more information.

Read the February 2026 new features to learn more.

Read the February 2026 new features to learn more.

Read the February 2026 new features to learn more.

Read the February 2026 new features to learn more.

Validation rules for dropdown and list fields (Select, Option List, Checkbox List, and Checkbox table) were previously available regardless of whether the field allowed single or multiple selections. That lets users add rules that don’t apply (for example, "Selection Limit" on a single-select field), which could cause errors or confusing behaviour. This improvement restricts the rules offered and applied. Hence, they match the field type: single-select fields show rules that apply to a single value, and multi-select fields show rules that apply to multiple values.

When you add or edit validation rules on a Select, Option List, Checkbox List, or Checkbox Table form field, you will only see rules that are valid for that field. Single-select fields (for example, Select with "Multiple?" off, Option List) show rules such as Length, Email, and Text Contains. Multi-select fields (for example, Select with "Multiple?" on, Checkbox List, and Checkbox Table) show Selection Limit, Selection, and Text Contains.

If you change a Select field from single to multiple (or the reverse), rules that no longer apply are hidden until you switch back; they are not deleted.

Select fields allow select limit rules set to greater than 1 even when set to single select because single select fields require a selection (more than zero). While the server-side code has been updated to treat selection limits greater than 1 as if they were 1, the client-side code has not been updated to support this treatment.

If a single select field has a selection limit set greater than 1, it will never pass client-side validation.

To work around the issue, set the selection limit of single select fields to 1, or remove the rule and mark the field as required. Single select fields can then be filled out in a way that satisfies client-side validation rules.

A regex expecting a string could be passed an array value, which resulted in a fatal error in some cases.

The value is now checked and handled correctly before the regex check.

When merging multiple preference sets with common keys, the code did not preserve the keys that were not common to both preferences. This condition caused some user preferences to be lost during the merge process.

The fix preserves keys that are present in only one of the preference sets during merging. Now users will not lose their preferences, even when they have sets of preferences that share only some keys.

A fatal error (ArgumentCountError) occurred when trying to cascade metadata to assets that could not acquire the lock, causing the UI to stop responding with a loading spinner and returning a 500 error. Incorrect parenthesis placement in the translate() call caused sprintf() to receive the wrong number of arguments because the "metadata" argument was incorrectly placed in translate() instead of sprintf().

Several fixes were necessary to correct this behavior:

The HIPO job now shows a warning message instead of causing a fatal error, allowing users to continue using the page when metadata locks cannot be acquired.

The asset tree was filtering invalid links from the child link count against sq_ast on every load, even though the data was not used anywhere critical, and any corruption is repaired regularly in the DXP.

The data could only be displayed completely if %asset_num_kids% was used in Asset display name.

The asset tree no longer filters out invalid links on each request; instead, it relies on the link table having valid data. In extreme cases, displaying a child asset with ~700k direct children is expected to reduce the ~4.5s asset tree request to ~0.7s.

A content page can be included in a design’s nested content customization. When the "Cache Globally?" option is set, the HTML markup is cached across domains, which causes issues when the cached markup is resolved to page content across origins.

When the markup was cached on domain A, users on domain B who used that cached content would see a "message": "Router: Missing tenant config header" in place of the page content.

The fix changes the markup produced when rendering a content page to allow correct resolution across multiple origins. Users no longer see the missing tenant config header error for content pages in design customizations that are cached globally.

When the default block was hidden, the personalized block action menu in Page Builder displayed an unavailable 'Add Items' menu for active segments without variants.

The fix ensures the personalized block action menu only shows the Add text, Add component, and Add layout menu options when they are available to use.

The dxp_content_template_id attribute was intentionally not set during asset cloning. It was discovered that the template selector relied on this missing attribute to populate the available templates array. Without the attribute present, there was no relationship to the cloned template ID.

The fix to the content page cloning method now sets the dxp_content_template_id attribute to the original templateId. This change populates the available templates array and the template selector is correctly populated when a templated content page is cloned.

It was discovered that the missingBlock reason was incorrectly assigned in unused content for page blocks that were moved into template-locked page zones.

When the page zone changed to a template-locked zone, then the content was deleted, the template incorrectly showed the missingBlock reason rather than the lockedZone reason.

The fix now shows only the lockedZone reason for zones that change from page-locked to template-locked, and correctly tracks content moving between these zones.

Default values were set to NULL to prevent fall back to the default value if a user intentionally cleared the value.

In a template-locked zone, this behavior meant users could not save an empty "default but not required" value. For required fields on a templated page in unlocked zones, this behavior caused validation issues.

The fix ensures that empty default values are set to an empty string when validation can be skipped. For example, a required field in a template-unlocked zone.

When a user acquired locks, opened the Edit panel, then released the locks, the active block was not cleared from window.pbSelection. At the same time, the page was active and the edit panel was open. This problem caused the active block to persist in the edit panel at times.

The fix clears the window.pbSelection.activeBlock information when the page is active in setActiveBlock(), which allows the block to be correctly forgotten and the UI to show the correct state.

Security improvements address dependency vulnerabilities.

This plugin was changed to support prefix mode, so the plugin can facilitate search-based auto-completion when the partial query is sent without a trailing *.

When Prefix mode is enabled, wildcard characters in the query are ignored, and expansion is applied to the end of the entire query (e.g. abc def behaves as abc def*).

Unnecessary requests were initiated when trying to Edit and render the content screen.

The unnecessary requests have been removed, and acquiring locks on the content screen is now faster.

Squiz Content Management JavaScript code assumed that it was the only thing to set the window.opener DOM property.

When the admin interface was opened through a JavaScript link by using window.open(), without sending the noopener argument, some features did not work reliably.

The fix ensures that when the main admin interface code is set, window.opener is reset to null if it is set.

The admin interface now works the same regardless of how the property is called.

It was discovered that external-uuid query parameters were not processed correctly by the system in custom edit layouts.

Assets linked from the Content Management backend would not render correctly if they lacked a URL.

The system now checks for external-uuid query parameters in the backend, which makes the content of assets without URLs load correctly.

A rule to check total selections was not included when validating the Custom form option list field.

The lack of total selections validation caused the "Required entry" validation to allow form submissions when no option was selected from the options list.

The rule to check total selections was updated to include validating the Custom form option list field lists, preventing this condition from being ignored.

Component boolean properties with default values were incorrectly treated as empty strings or null values when set to false.

Pages and templates (with components in locked zones) could not be saved when component boolean properties with defaults were unchecked.

Component boolean properties with defaults are correctly treated as false if unchecked.

Pages and templates with components that have boolean properties with default values unchecked are now correctly treated as false and can be saved.

The course material has been updated to support the current layout development capabilities, which includes layout properties and helpers.

This information brings this part of the course up to current configuration recommendations. Enroll now by visiting Squiz Academy.

The course material has been updated to support the current layout features, which include layout properties.

Enroll now by visiting Squiz Academy.

The asset types allowed to be linked to content pages for modern asset management screens did not include the content page asset types. Content pages could not be selected as a parent location in the asset picker on the modern asset linking screen for another content page.

The content page was added to the list of asset types allowed to be linked to content pages. Other content pages can now be selected as parent locations for content pages from the linking screen.

A failed regular expression was not being checked or handled. In scenarios involving very large data sets, this could cause Server-side JavaScript (SSJS) to be treated as front-end JavaScript.

The regular expression result is now always checked and handled if it fails. SSJS will no longer be executed as frontend JS in this way.

Non-numeric values were being used in addition, which caused a fatal error and prevented the morphing of a select input into a checkbox list input (under a Custom Form).

The value is now checked for numeric validity before the addition attempt, with a sensible fallback option. The morphing of a select input into a checkbox list under a custom form now works as intended.

Logic that handles /data path redirects wasn’t checking for remaps, as well as missing logic to handle when the path is instead /data_direct. This logic error could cause redirections (setup in the Remap Manager) from the /__data path to fail with a 404.

Both /data & /data_direct are now checked during the redirection logic. Remaps from /__data paths setup in the Remap Manager will now work as intended.

If the applied template has been updated (for example, by adding or reordering content), these changes are automatically applied to the page the next time it is loaded in Page Builder. However, they need to be saved to take effect in the frontend.

Before this change, a content editor would need to make a separate manual change to the page content before the Save action is enabled, meaning they could not easily propagate these automatically applied template changes to the frontend.

If the applied template is updated, a content editor can now easily apply these changes to their page by loading it and clicking Save, without having to make any other edits.

In the template selector, a brief error was displayed, followed by a different error once the applied template finished loading.

For example, a templated page with a broken, purged template would display the purged message before the broken message.

A spinner appears in the template selector, and no template alert message is shown until the applied template finishes loading.

Adding a layout to a page was not detected as a change. Therefore, the template selector was not deactivate correctly.

You were able to add, remove, or change a template in this state, which would confuse when your newly added layout was lost.

Newly added layouts are now detected as a genuine page change. When newly added layouts are added to a page, a template cannot be added, changed, or removed until the page is saved.

Those implementing components want better traceability from an uploaded component version in the Squiz DXP Console back to the code that created it, including who created it and when.

When uploading a component version with the dxp-next command-line, developers can add the --version-tag option and specify a custom string to aid traceability back to the source of the change. This string can be any text, but a recommended use is a commit ID or a commit URL. The tag you specify is shown on the component page in the Squiz DXP Console.

The DXP CLI and Simulator defaulted to 0.0.0.0, which was incompatible with Windows environments and contradicts the official documentation. This resulted in "connection refused" errors for Windows users and general confusion regarding the correct URL to use for local development.

Users had to manually substitute 0.0.0.0 with localhost in their browser’s address bar to successfully access the Simulator and follow the tutorial steps.

The change from 0.0.0.0 to localhost ensures a seamless, cross-platform experience that aligns with public tutorials and technical documentation.

Security improvements address dependency vulnerabilities.

Developer guidance for generating JWTs as Bearer Tokens was improved, facilitating easier integration and reducing confusion regarding terminology.

Read Bearer Token docs for more information.

Added a React Error Boundary to catch uncaught rendering errors breaking the UI without a controlled fallback in the front-end.

Updated the email body for the workspace-invite-new-user template to clearer, user-friendly copy to improve clarity and tone for workspace invitations.

Fixed displayed times appearing in the wrong time zone on the Flow Designer Settings tab.

Authenticating with SSO after opening a recipe link while logged out could leave the recipe page unloaded.

Fixed failure to load the recipe page after authenticating opening a recipe link while logged out and signing in with Google.

Fixed platform service sometimes failing to create a messageId for a queued message, which caused the flow error-handler to fail and the step to stick.

Deleted user references could cause the Flow Versions page to fail to load.

Fixed the Flow Versions page failing to load or displaying incorrectly when a version was associated with a deleted user.

Initial component release.

Initial component release.

Initial component release.

Added strong-soap v5.0.7 library support.

Added strong-soap v5.0.7 library support.

Beautify JSON files option added to Create Commit action and improved test suite for Create Commit action and edge cases.

Removed unused node dependency plus these changes and improved README information.

Removed node and amqplib dependencies and improved README information.

Improved End Time boundary logic in Get New and Updated Objects Polling Trigger.

Fixed GraphQL InlineFragment handling in Additional fields configuration field.

Removed unused node dependency plus these changes.

Now waits for connection before sending ack/nack.

Read the March 2026 new features to learn more.

Read the March 2026 new features to learn more.

Documented new array comparison operators (@>, !@>, ~@>, !~@>, <@, !<@, <@~, !<@~) and provided practical usage examples. This improves technical guidance for developers implementing granular security rules on Datastore collections and documents.

Read the comparison operators and blueprint examples for more information.

Reason: Introduce a monthly limit on emitted data items (records and errors) from flow steps and expose the usage limits in APIs so teams can avoid unexpected overages.

Result: - v2/quotas/usages and v2/quotas/limits now include per_contract_message_count_limit and per_workspace_message_count_limit. - Quota checks run when starting a flow (Start) and when running a flow manually (Run Now). - If the quota is exceeded, launching the flow is blocked. - Email when usage reaches 80% and 100% with the vendor notification text for contract/workspace message count. - Note: when the quota is exceeded, all flows in the contract may be suspended; they can be resumed by Elastic.io Support after a resource limit increase request.

Read the March 2026 new features to learn more.

Read the March 2026 new features to learn more.

Read the March 2026 new features to learn more.

If more than 250 remap rules were created, they caused up to 1000 post variables to be sent on save. This volume of post variables exceeded PHP’s max post vars limit of 1000.

Rule posting has been refactored to fix this limitation through pagination, which means remap rules can now be saved in the remap manager.

When Matrix was migrated from version 5.5 to version 6, Bootstrap and the Reset CSS framework were used to build the user interface.

In the WYSIWYG backend, the interface table caption is rendered below the table.

A CSS style fix was added to move the table caption to its original position before the WYSIWYG table.

Now Content Editors see the table caption before the WYSIWYG table in the backend.

A deprecation flag has been added to prefer the restricted (non-data) paths to start the transition away from generally using data for files.

Files have historically preferred the unrestricted (__data) paths due to performance concerns that are no longer relevant. This preference causes confusion and extra load as statuses change and files move in and out of __data.

In the template builder UI, the resource browser ensures that only valid Content Page assets can be chosen as the reference page for template preview. These same restrictions were also needed for the Asset Management API so that users did not end up with an invalid reference page.

API users now receive a 400 Bad Request response if they have provided an invalid value for the referencePage in the body of their POST/PATCH request for a Content Template asset.

For status transitions of content template assets, the sync with the template service occurred before the asset status succeeded or failed to change to an updated status.

There were a few edge cases where the template service "publishes" the template, even when the template failed to go from Under Construction → Live. This false publishing event resulted in a broken Content screen for the asset, leaving it in an uneditable state.

The fix changes the code execution order so that the template service sync only runs after the asset has successfully changed status. Template service records now always remain in sync with the Content Management status, which prevents the asset from entering a broken state.

When connecting through a WebDAV client, collections from specific tenants were missing.

The connection logic has been updated to iterate through all assigned custom roles when a client connects. The system now correctly identifies and shows all collections a user is authorized to access, regardless of whether the role is primary or tenant-customized.

Users now see a comprehensive list of available clients and resources upon sign in.

Users assigned a custom role with the "Create Role" permission were unable to create roles. A lack of access to Role Suffixes caused the failure.

Previously, only Squiz DXP owners had the necessary oversight to manage these suffixes, blocking delegated administration. The system now properly supports delegated role creation through three key updates:

In Search, the "Description" field for Resource or Owner-Resource roles is used to fill in the client-switching dropdown. However, because the field was labeled "Description" across all role types, users were often unaware that this text can be visible in the public-facing UI.

To improve clarity, the label for this field has been changed to Display Name when managing Resource or Owner-Resource roles. For all other roles, the label remains Description to reflect its internal-only use. Administrators now understand exactly where the text will appear before saving changes.

The export option was either missing or broken on the Accessibility Auditor and Search analytics pages after upgrading to the Angular 16 version.

The export option is available on all pages under Accessibility Auditor and Search Analytics.

Previously, if a Scheduled Task encountered an error reading a Collection or found a configuration error within a Collection, the entire "Scheduled Tasks" list may fail to load, displaying only a generic "Error" message at the top of the page.

The interface now handles these errors gracefully. The list loads successfully, and any task with a problematic Collection will be marked in red with the specific status "Collection configuration error."

Administrators can now identify and fix specific issues without losing access to the rest of the task list.

When Custom Roles were implemented, the Resource and Owner-Resource roles were set to read-only. This role lock inadvertently prevented further modifications to the "Description" field (used for the client dropdown).

Users were unable to correct or update confusing or auto-generated instance names that appeared in the Search client dropdown, as the underlying field was no longer editable.

The system has been updated to reinstate edit permissions for this specific field. Additionally, synchronization logic was added to ensure the Display Name is copied between Resource and Owner-Resource roles when Custom Roles are toggled.

The field is now editable on the Resource role (for standard instances) and the Owner-Resource role (for custom role instances). Administrators can now manage client dropdown entries at any time, regardless of the role configuration.

The PDFBox library (version 2.0.26 and earlier) contained bugs that caused the crawler to stop responding indefinitely when parsing specific PDF documents. Furthermore, complex accessibility checks often lacked independent execution limits, risking overall crawl stability.

Previously, certain unhandled exceptions could reveal internal directory structures or database queries in the browser. To prevent potential information disclosure, exception states were reviewed to ensure that detailed stack traces and technical error messages are not exposed to end users.

All sensitive technical information and verbose debugging data are now suppressed from responses and redirected to internal logs only. Custom error pages have been configured across the environment to present generic, user-friendly messages.

When attempting to upload the configuration file “test.ctest” through the Search Configuration Files screen, the system would trigger an error message and block the upload. This error was due to an overly restrictive allow-list in the file validation service.

The file validation logic has been updated to permit these files.

Add support for the HTML (H) display mode, plus these options:

In prefix mode, the query is no longer split into individual terms by spaces.

The whole query (minus wildcards) is now passed as a single term to the suggestion API, which changes how suggestions are returned.

For example, "This is a test query ca" now gets suggestions for the full phrase rather than just the last word "ca".

Previously, events were triggered during the index phase. This timing could lead to premature notifications before the data was actually live and available to users via a view swap or successful commit.

The event triggering logic has been moved to the final stage of the indexing lifecycle. Events are now triggered as a post-swap or post-commit step, ensuring that downstream processes or notifications only occur once the search index is fully updated and live.

Specifically, events are now sent after a successful view swap for non-push data sources and after a commit for push data sources. Additionally, a new event is triggered upon the stop of a non-push data source update.

Fixed incorrect timestamp in the error notification.

Operators could not see full error detail on the thread error view.

Fixed error details not being available on the Thread Error page.

History navigation on the Flow page was stuck after a single Back action.

Fixed the browser Back button only working once and blocking further history navigation on the Flow page.

Alerts and copy did not match non-80% thresholds or distinguish message count from CPU/MEM.

Fixed quota exhaustion notification templates for non-80% thresholds and clarified message-count vs. CPU/MEM wording.

Unlimited contracts displayed an incorrect negative value in the diagram.

Fixed Memory Usage History showing -1.024 KB for contracts with unlimited quota.

Month rollover did not clear usage for idle workspaces or contracts.

Fixed message-count monthly usage not resetting for workspaces and contracts without active flows at the beginning of the month.

Fixed the "Something is technically wrong" page on Contract Quota Usages when usage was not found for per_contract_container_count_limit and per_contract_message_count_limit.

Navigation in Developer Team could throw a component lookup error.

Fixed Component not found when clicking Back in the Developer Team section.

Manual typing in several editors reset caret position incorrectly.

Fixed cursor jumping to the first position when typing into input fields for mapping, sample, config, and retry.

Users could activate recipes without filling required variables.

Fixed missing required validation for variable fields on the recipe activation page (frontend validation added).

Rapid REST API config changes could crash the platform UI.

Fixed platform UI crashes when switching between REST API configurations.

Auth actions stayed enabled when required secrets were empty.

Fixed Verify and Save remaining active for Basic Auth or API Key Auth types without required credentials filled in.

Initial component release which adds this feature:

Initial component release which adds these features:

Removed unnecessary dependencies.

Fixed certificate error in "Subscribe to platform events" trigger.

Fixed ClassCastException in MessageResolverImpl when message body was a JSON array; graceful handling for missing or null message bodies

General improvements to syntax error highlighting in JSONata mode which improve editor feedback when authoring JSONata expressions.

The CMS session cookie has historically been served without the SameSite attribute set. To provide additional protection against potential cross-site request forgery (CSRF) attacks, the attribute can now be adjusted in the System Configuration  Sign-in/session settings.

An option has been added under Sign-in/session settings called Set 'SameSite' flag for session cookies. Users can change this option with the Root User privilege.

The option can be set to these values:

Unencoded spaces were not being correctly handled in URLs and in remap rules.

URLs containing spaces in remaps on an Asset can cause the remap rule to break.

Remap rules now correctly handle the space character by encoding it as %20 when saving and decoding it when retrieving.

Remap rules with spaces inside (for example, http://some-site/some page) now correctly map to the desired remap URL.

When public permission was granted, this would often appear as "Restricted Asset" rather than a name indicating the special nature of the Public Access User.

Asset name display rules were updated to have a special case for the Public User asset in the administration interface.

This rule change will make it clearer that this special form of access has been granted for users who do not have write permissions to the Public User asset.

In some situations, inserting asset linking tree rows can cause a duplicate key / unique constraint violation after an incomplete tree cleanup. Separately, when Allow trashing without lock was enabled, creating the trash folder link could still be subject to locking at the run level and lock acquisition that contradicted that setting.

Operations could fail with "Unable to insert child tree entries…​" instead of allowing a controlled recovery path, and delete-to-trash could still fail or require locks that the configuration was meant to avoid.

These system settings are now available:

Opening the edit panel for a block in unused content can add parameter values to the _unusedActiveBlock URL parameter, but does not affect the page.

The _unusedActiveBlock is no longer populated in the URL when the edit panel is opened for a block in unused content.

Read the April 2026 new features to learn more.

Read the April 2026 new features to learn more.

Read the April 2026 new features to learn more.

Read the April 2026 new features to learn more.

Separate reporting for message quota at contract and workspace level is now available for contract message usage.

After the first failed 2FA attempt, the system clears all code fields and returns focus to the first field to reduce accidental lockouts and redundant requests after a failed two-factor attempt.

The platform displays jsonataMap under the component/step on the execution page so that mapping configuration is visible in the execution context.

Flow creators now receive error notifications after common flow lifecycle actions, including:

The flow creator is automatically subscribed to the flow’s errors after these actions.