Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
298 changes: 298 additions & 0 deletions posts/2026-07-14-26.0.0.7.adoc
Original file line number Diff line number Diff line change
@@ -0,0 +1,298 @@
---
layout: post
title: "Logged-Out SSO Cookie Tracking, mpHealth REST Endpoint Controls, and more in 26.0.0.7"
# Do NOT change the categories section
categories: blog
author_picture: https://avatars3.githubusercontent.com/navaneethsnair1
author_github: https://github.com/navaneethsnair1
seo-title: Logged-Out SSO Cookie Tracking, mpHealth REST Endpoint Controls, and more in 26.0.0.7 - OpenLiberty.io
seo-description: This release enables logged-out SSO cookie tracking by default to prevent cookie replay after logout and adds an option to disable mpHealth REST endpoints when file-based health checks are enabled.
blog_description: This release enables logged-out SSO cookie tracking by default to prevent cookie replay after logout and adds an option to disable mpHealth REST endpoints when file-based health checks are enabled.
open-graph-image: https://openliberty.io/img/twitter_card.jpg
open-graph-image-alt: Open Liberty Logo
---
= Logged-Out SSO Cookie Tracking, mpHealth REST Endpoint Controls, and more in 26.0.0.7
Navaneeth S Nair <https://github.com/navaneethsnair1>
:imagesdir: /
:url-prefix:
:url-about: /
//Blank line here is necessary before starting the body of the post.

This release enables logged-out SSO cookie tracking by default to prevent cookie replay after logout and adds an option to disable mpHealth REST endpoints when file-based health checks are enabled.

// // // // // // // //
// In the preceding section:
// Do not insert any blank lines between any of the lines.
// Do not remove or edit the variables on the lines beneath the author name.
//
// "open-graph-image" is set to OL logo. Whenever possible update this to a more appropriate/specific image (For example if present a image that is being used in the post). However, it
// can be left empty which will set it to the default
//
// "open-graph-image-alt" is a description of what is in the image (not a caption). When changing "open-graph-image" to
// a custom picture, you must provide a custom string for "open-graph-image-alt".
//
// Replace TITLE with the blog post title eg: MicroProfile 3.3 is now available on Open Liberty 20.0.0.4
// Replace GITHUB_USERNAME with your GitHub username eg: lauracowen
// Replace DESCRIPTION with a short summary (~60 words) of the release (a more succinct version of the first paragraph of the post).
// Replace AUTHOR_NAME with your name as you'd like it to be displayed, eg: Laura Cowen
//
// Example post: 2020-04-09-microprofile-3-3-open-liberty-20004.adoc
//
// If adding image into the post add :
// -------------------------
// [.img_border_light]
// image::img/blog/FILE_NAME[IMAGE CAPTION ,width=70%,align="center"]
// -------------------------
// "[.img_border_light]" = This adds a faint grey border around the image to make its edges sharper. Use it around screenshots but not
// around diagrams. Then double check how it looks.
// There is also a "[.img_border_dark]" class which tends to work best with screenshots that are taken on dark
// backgrounds.
// Change "FILE_NAME" to the name of the image file. Also make sure to put the image into the right folder which is: img/blog
// change the "IMAGE CAPTION" to a couple words of what the image is
// // // // // // // //

In link:{url-about}[Open Liberty] 26.0.0.7:

* <<cookie_cache, Tracking Logged-Out SSO Cookies Enabled by Default>>
* <<mpHealth_4_0, Disabling mpHealth-4.0 REST endpoints when file-based health checks are enabled>>
* <<CVEs, Security Vulnerability (CVE) Fixes>>
* <<bugs, Notable bug fixes>>


// // // // // // // //
// If there were updates to guides since last release, keep the following, otherwise remove section.
// // // // // // // //
Along with the new features and functions added to the runtime, we’ve also made <<guides, updates to our guides>>.

// // // // // // // //
// In the preceding section:
// Replace the TAG_X with a short label for the feature in lower-case, eg: mp3
// Replace the FEATURE_1_HEADING with heading the feature section, eg: MicroProfile 3.3
// Where the updates are grouped as sub-headings under a single heading
// (eg all the features in a MicroProfile release), provide sub-entries in the list;
// eg replace SUB_TAG_1 with mpr, and SUB_FEATURE_1_HEADING with
// Easily determine HTTP headers on outgoing requests (MicroProfile Rest Client 1.4)
// // // // // // // //

View the list of fixed bugs in link:https://github.com/OpenLiberty/open-liberty/issues?q=label%3Arelease%3A26007+label%3A%22release+bug%22[26.0.0.7].

Check out link:{url-prefix}/blog/?search=release&search!=beta[previous Open Liberty GA release blog posts].


[#run]

// // // // // // // //
// LINKS
//
// OpenLiberty.io site links:
// link:{url-prefix}/guides/maven-intro.html[Maven]
//
// Off-site links:
//link:https://openapi-generator.tech/docs/installation#jar[Download Instructions]
//
// IMAGES
//
// Place images in ./img/blog/
// Use the syntax:
// image::/img/blog/log4j-rhocp-diagrams/current-problem.png[Logging problem diagram,width=70%,align="center"]
// // // // // // // //

== Develop and run your apps using 26.0.0.7

If you're using link:{url-prefix}/guides/maven-intro.html[Maven], include the following in your `pom.xml` file:

[source,xml]
----
<plugin>
<groupId>io.openliberty.tools</groupId>
<artifactId>liberty-maven-plugin</artifactId>
<version>3.12.0</version>
</plugin>
----

Or for link:{url-prefix}/guides/gradle-intro.html[Gradle], include the following in your `build.gradle` file:

[source,gradle]
----
buildscript {
repositories {
mavenCentral()
}
dependencies {
classpath 'io.openliberty.tools:liberty-gradle-plugin:4.0.0'
}
}
apply plugin: 'liberty'
----
// // // // // // // //
// In the preceding section:
// Replace the Maven `3.11.5` with the latest version of the plugin: https://search.maven.org/artifact/io.openliberty.tools/liberty-maven-plugin
// Replace the Gradle `3.9.5` with the latest version of the plugin: https://search.maven.org/artifact/io.openliberty.tools/liberty-gradle-plugin
// TODO: Update GHA to automatically do the above. If the maven.org is problematic, then could fallback to using the GH Releases for the plugins
// // // // // // // //

Or if you're using link:{url-prefix}/docs/latest/container-images.html[container images]:

[source]
----
FROM icr.io/appcafe/open-liberty
----

Or take a look at our link:{url-prefix}/start/[Downloads page].

If you're using link:https://plugins.jetbrains.com/plugin/14856-liberty-tools[IntelliJ IDEA], link:https://marketplace.visualstudio.com/items?itemName=Open-Liberty.liberty-dev-vscode-ext[Visual Studio Code] or link:https://marketplace.eclipse.org/content/liberty-tools[Eclipse IDE], you can also take advantage of our open source link:https://openliberty.io/docs/latest/develop-liberty-tools.html[Liberty developer tools] to enable effective development, testing, debugging and application management all from within your IDE.

[link=https://stackoverflow.com/tags/open-liberty]
image::img/blog/blog_btn_stack.svg[Ask a question on Stack Overflow, align="center"]

[#cookie_cache]
== Tracking Logged-Out SSO Cookies Enabled by Default
To continuously improve built-in security for applications, Open Liberty 26.0.0.7 now enables the tracking of logged-out Single Sign-On (SSO) cookies by default. With this feature, logged-out SSO cookies can no longer be replayed after logout.

=== What is the potential impact?
When a logged-out SSO cookie is replayed, the user is now explicitly prompted to reauthenticate. This helps harden security.

Tracking logged-out SSO Cookies can still be disabled with the following server configuration:

[source,xml]
----
<webAppSecurity trackLoggedOutSSOCookies="false"/>
----

For more information, check out the Tracking Logged-Out SSO Cookies link:https://openliberty.io/docs/latest/track-loggedout-sso.html[documentation].


// // // // DO NOT MODIFY THIS COMMENT BLOCK <GHA-BLOG-TOPIC> // // // //
// Blog issue: https://github.com/OpenLiberty/open-liberty/issues/34987
// Contact/Reviewer: pgunapal
// // // // // // // //
[#mpHealth_4_0]
== Disabling mpHealth-4.0 REST endpoints when file-based health checks are enabled

The mpHealth-4.0 feature enables support for MicroProfile Health 4.0 in Open Liberty. The feature also includes a file-based health check mechanism as an alternative to the `/health` REST endpoints. When the file-based health check mechanism is enabled, you can now disable the `/health/started`, `/health/live`, and `/health/ready` REST endpoints using server configuration attributes.

Previously, when file-based health checks were enabled, the REST-based MicroProfile Health endpoints were still registered and accessible. This behavior was often redundant for Kubernetes deployments that rely on file-based health checks, where users typically configure probes using the `exec` strategy rather than `httpGet` or `gRPC`. In these scenarios, the REST health endpoints are not used.

To address this redundancy, this release introduces a new optional `mpHealth` server configuration attribute that allows REST health endpoints to be disabled when file-based health checks are enabled.

The `mpHealth-4.0` feature adds a new optional `enableEndpoints="false"` attribute to the `mpHealth` server configuration element in `server.xml` file. An equivalent environment variable, `MP_HEALTH_ENABLE_ENDPOINTS=false`, is also supported.

When this option is set to `false` and file-based health checks are enabled, the server does not register or expose the MicroProfile Health REST endpoints (`/health, /health/live, /health/ready, /health/started`). Requests to these endpoints return '404 Not Found' response.

File-based health checks can be enabled with the `checkInterval` configuration attribute or the `MP_HEALTH_CHECK_INTERVAL` environment variable.

If both the environment variable and `server.xml` file configuration are specified, the `server.xml` setting takes precedence at runtime.

[source,xml]
----
<server>
<featureManager>
<feature>mpHealth-4.0</feature>
</featureManager>

<!-- Enable file-based health checks but disable HTTP endpoints -->
<mpHealth startupCheckInterval="1s" checkInterval="5s" enableEndpoints="false" />
...
</server>
----

If either the `enableEndpoints` configuration attribute or the `MP_HEALTH_ENABLE_ENDPOINTS` environment variable is not set, the default value is `true`, and the health check REST endpoints are enabled and exposed.

*Note*: This capability is supported only when the file‑based health check mechanism is enabled. If file-based health checks are not enabled and the new `enableEndpoints` configuration attribute or environment variable is specified, a warning message is logged. The REST health endpoints remain enabled by default.

For more information, see the link:{url-prefix}/docs/latest/health-check-microservices.html[documentation].

// DO NOT MODIFY THIS LINE. </GHA-BLOG-TOPIC>

[#CVEs]
== Security vulnerability (CVE) fixes in this release
[cols="5*"]
|===
|CVE |CVSS Score |Vulnerability Assessment |Versions Affected |Notes

|link:https://www.cve.org/CVERecord?id=CVE-2026-8646[CVE-2026-8646]
|8.1
|HTTP request smuggling
|17.0.0.3-26.0.0.6
|Affects the servlet-3.0, servlet-3.1, servlet-4.0, servlet-5.0, servlet-6.0, servlet-6.1, websocket-1.0, websocket-1.1, websocket-2.0, websocket-2.1, and websocket-2.2 features

|link:https://www.cve.org/CVERecord?id=CVE-2026-9320[CVE-2026-9320]
|5.9
|Denial of service
|17.0.0.3-26.0.0.6
|Affects the servlet-3.0, servlet-3.1, servlet-4.0, servlet-5.0, servlet-6.0, servlet-6.1, websocket-1.0, websocket-1.1, websocket-2.0, websocket-2.1, and websocket-2.2 features

|link:https://www.cve.org/CVERecord?id=CVE-2026-9071[CVE-2026-9071]
|7.1
|Denial of service
|17.0.0.3-26.0.0.6
|Affects servlet-3.0, servlet-3.1, servlet-4.0, servlet-5.0, servlet-6.0, servlet-6.1, websocket-1.0, websocket-1.1, websocket-2.0, websocket-2.1, and websocket-2.2 features

|link:https://www.cve.org/CVERecord?id=CVE-2026-42402[CVE-2026-42402]
|7.5
|Denial of service
|17.0.0.3-26.0.0.6
|Affects jaxws-2.2, xmlWS-3.0, and xmlWS-4.0 features

|link:https://www.cve.org/CVERecord?id=CVE-2026-42403[CVE-2026-42403]
|7.5
|Denial of service
|17.0.0.3-26.0.0.6
|Affects jaxws-2.2, xmlWS-3.0, and xmlWS-4.0 features

|link:https://www.cve.org/CVERecord?id=CVE-2026-42404[CVE-2026-42404]
|7.2
|Server-Side Request Forgery
|17.0.0.3-26.0.0.6
|Affects jaxws-2.2, xmlWS-3.0, and xmlWS-4.0 features

|link:https://www.cve.org/CVERecord?id=CVE-2026-11806[CVE-2026-11806]
|7.2
|HTTP request smuggling
|17.0.0.3-26.0.0.6
|Affects restConnector-2.0 feature

|link:https://www.cve.org/CVERecord?id=CVE-2026-11541[CVE-2026-11541]
|7.4
|HTTP request smuggling
|17.0.0.3-26.0.0.6
|

|===
// // // // // // // //
// In the preceding section:
// If there were any CVEs addressed in this release, fill out the table. For the information, reference https://github.com/OpenLiberty/docs/blob/draft/modules/ROOT/pages/security-vulnerabilities.adoc. If it has not been updated for this release, reach out to Kristen Clarke or Michal Broz.
// Note: When linking to features, use the
// `link:{url-prefix}/docs/latest/reference/feature/someFeature-1.0.html[Some Feature 1.0]` format and
// NOT what security-vulnerabilities.adoc does (someFeature-1.0)
//
// If there are no CVEs fixed in this release, replace the table with:
// "There are no security vulnerability fixes in Open Liberty [26.0.0.7]."
// // // // // // // //
For a list of past security vulnerability fixes, reference the link:{url-prefix}/docs/latest/security-vulnerabilities.html[Security vulnerability (CVE) list].


[#bugs]
== Notable bugs fixed in this release


We’ve spent some time fixing bugs. The following sections describe just some of the issues resolved in this release. If you’re interested, here’s the link:https://github.com/OpenLiberty/open-liberty/issues?q=label%3Arelease%3A26007+label%3A%22release+bug%22[full list of bugs fixed in 26.0.0.7].

* link:https://github.com/OpenLiberty/open-liberty/issues/35179[PathUtils.normalize() skips collapsing ".." after "${"-prefixed segment]
* link:https://github.com/OpenLiberty/open-liberty/issues/35121[Create server: WARNING: A restricted method in java.lang.System has been called]
* link:http://github.com/OpenLiberty/open-liberty/issues/35112["featureUtility installServerFeatures" stopped working on 26.0.0.6 when FEATURE_REPO_URL is specified]

// // // // // // // //
// In the preceding section:
// For this section ask either Michal Broz or Tom Evans or the #openliberty-release-blog channel for Notable bug fixes in this release.
// Present them as a list in the order as provided, linking to the issue and providing a short description of the bug and the resolution.
// If the issue on Github is missing any information, leave a comment in the issue along the lines of:
// "@[issue_owner(s)] please update the description of this `release bug` using the [bug report template](https://github.com/OpenLiberty/open-liberty/issues/new?assignees=&labels=release+bug&template=bug_report.md&title=)"
// Feel free to message the owner(s) directly as well, especially if no action has been taken by them.
// For inspiration about how to write this section look at previous blogs e.g- 20.0.0.10 or 21.0.0.12 (https://openliberty.io/blog/2021/11/26/jakarta-ee-9.1.html#bugs)
// // // // // // // //


== Get Open Liberty 26.0.0.7 now

Available through <<run,Maven, Gradle, Docker, and as a downloadable archive>>.
Loading