Skip to main content

Flowable 3.7.x Release Notes

Initial release: July 29, 2020


Due to a potential RCE (Remote Code Execution) security exploit in the logging dependency, customers using the out-of-the-box WAR artifacts or Docker images for Design/Control/Work/Engage are urgently advised to upgrade to version 3.7.11 immediately. See the dedicated page around the Log4Shell vulnerability for the latest information.


The Flowable product comprises:

  • Flowable Platform, a headless process and case management platform.
  • Flowable Work, a process and case management platform with an out-of-the-box user interface.
  • Flowable Engage, built on top of Flowable Work, adding conversations and external connectivity to WeChat, Whatsapp and others.
  • Flowable Design, a modeling environment to create BPMN, CMMN, DMN, Form and other model types that run in Platform/Work/Engage.
  • Flowable Control, an administration tool that can be used to manage the Flowable Platform / Work / Engage environments.
  • Flowable Inspect, a debugging and test component that can be used with Flowable Work and Engage.

These products are built on top of the Flowable Open Source project which can be found on Github.


The Flowable Open Source project also has extensive documentation available which can be found at


Flowable Platform

  • The DMN support has been extended to DRD (Decision Requirements Diagram), to allow multiple decision tables to be combined in a decision service.

  • External worker tasks have been added to the BPMN and CMMN engine, which enables external services to pull categorised tasks, lock, execute and complete them. This makes it possible to have logic written in .NET or other languages and use the BPMN and CMMN engine to distribute tasks across a number of workers.

  • Added support for a BPMN receive task and intermediate catch event that listens for an event from the event registry.

  • Added support for AWS SQS queues for the event registry.

  • Added support for listening on IMAP mail and send system (internal) events to the event registry for received e-mails.

  • JSON support has been added to task candidates, permission groups, watcher and participant configuration.

  • JSON support has been added to Freemarker templates.

  • Support sending system events to the event registry, using an internal mechanism without the need of a queueing framework.

  • Support for user impersonation. Needs to be explicitly enabled for the application and a permission to be granted to users that are allowed to do it.

  • The execution of jobs on a Flowable Platform/Work/Engage instance can be limited to a list of category values.

  • The platform has been upgraded to Spring Boot 2.3.

Flowable Work

  • Case pages can be configured using backend expressions in addition to static values.

  • Added state-based rendering for BPMN user tasks to control the rendering in a custom case view.

  • Actions can be ordered based on the action model order value and an order value that can be provided in Flowable Design.

  • Improved permission handling for content items that are uploaded in a different form. When a user has view permission for the current task, case or process the content items available in that scope also share the same view permission.

  • Support for dynamic theme configuration without restarting the application.

  • Added a user impersonation feature.

Flowable Engage

  • Improved multi-tenant handling for template text that's used in conversation messages.

  • Added event registry support for incoming messages with no account or an inactive account. The default implementation sends system (internal) events to the event registry with one of the following keys:

    - **_flowableEngageMessageReceivedNoAccount** - When an inbound message has been received without an account for the external user.
    - **_flowableEngageMessageReceivedNoAccountAndTenant** - When an inbound message has been received without an account for the external user and the InboundMessageTenantExtractor couldn't extract a tenant.
    - **_flowableEngageMessageReceivedInactiveAccount** - When an inbound message has been received and the external user account is inactive.

There is the InboundMessageTenantExtractor interface which is used to extract the tenant ID from the InboundMessage when an inbound message is received without an account. The default implementation uses a fixed tenant ID configured with a configuration property.

Flowable Inspect

  • Flowable Inspect is a new debugging and test component has been introduced that works on top of Flowable Work and Engage.

  • Show additional information for an instance running in the Flowable Work app, including variables, timers, executions, plan item instances and so on.

  • Show a diagram view for an instance running in the Flowable Work app with the ability to drill down in call activities, case tasks, process tasks, decision tasks, user task forms and so on.

  • Provide the ability to record a test definition while clicking through the steps in a case or process instance in Flowable Work. While recording the steps, additional actions such as test value and expression, set value and switch user can be defined.

  • Recorded test definitions can be executed and the test result is provided.

  • Breakpoints can be set before and after a step while recording a test to be able to inspect the state of the instance at that point and to add test actions.

  • HTTP tasks or other service tasks can be skipped by adding a skip definition to make it easier to test process and case models that have an integration with external services. Static variable values can be set when skipping a service task to mimic the real logic result.

  • When an exception happens and the Flowable Inspect view is open, the error details will be available to analyze it further. So instead of looking at the server log, the error details are available directly in the Flowable Inspect view.

  • Note that to be able to run Flowable Inspect you need a new license file with the Flowable Inspect component added to it. Contact your Flowable account manager or contact person to request one.

  • By default Flowable Inspect is not enabled, because it's targeted at development and test environments. Flowable Inspect is not supported in production environments because authenticated users can get information about any case, process and task instance via Flowable Inspect REST endpoints. To enable Flowable Inspect the property flowable.inspect.enabled needs to be set to true.

Flowable Design

  • DMN DRD support has been added to Flowable Design, allowing Decision services to be modeled with references to Decision Table models.

  • Flowable Design has been upgraded to Spring Boot 2.3.

Flowable Control

  • Flowable Control has been upgraded to Spring Boot 2.3.

Upgrade information

Database changes

  • A new table has been added to store configuration values, such as theming values: FLW_CONFIGURATION_PROPERTY.


  • A new column PRIORITY_ has been added to FLW_ACTION_INSTANCE and FLW_HI_ACTION_INSTANCE to store the order value for actions.

  • A new table ACT_RU_EXTERNAL_JOB has been added to store external worker tasks.

  • A new column CATEGORY_ has been added to all job tables to store a job category value that can be used to limit the jobs that will be executed on a specific engine.

  • A new column CORRELATIONID has been added to all job tables to store a correlation value for lookup, mainly used for the external worker task feature.

  • A LOCKOWNER and EXTERNALWORKER_JOB_COUNT columns have been added to the ACT_RU_EXECUTION table for the external worker task feature.

  • A TRANSACTIONORDER column has been added to the ACT_RU_ACTINST and ACT_HI_ACTINST table to provide a way to sort activity instances on the order of how they were inserted as part of the transaction.

  • A LOCKOWNER column has been added to the ACT_CMMN_RU_CASE_INST table for the external worker task feature.

  • A new column LASTUNAVAILABLE_TIME has been added to the runtime and history plan item instance table to record when the plan item instance was in unavailable state.

  • The ACT_DMN_DECISION_TABLE table has been renamed to ACT_DMN_DECISION to support any decision type like DRD decision services to be stored.

  • A new column DECISIONTYPE to ACT_DMN_DECISION to store the decision type, decision table or service.

  • A SUBSCOPE_ID and PARENTELEMENT_ID columns have been added to the runtime and history entity link table to store more info about the originating activity of the child entity link.

Actions needed when upgrading

  • Optionally reindex: tasks, case-instances, process-instances, work and content-items indices. The reload is needed if you have variables that are larger than 32KB.

Spring Boot

  • Base Spring Boot version should be upgraded to at least 2.3.1 up to the latest 2.3 version

Other changes

  • A new class FlowableWebSecurityConfigurerAdapter was introduced to configure the security with default presets. It is recommended to use this class as a parent for your security configuration rather than WebSecurityConfigurerAdapter.

  • A new 'allowed feature' themeManagement has been added to the admin user definition, giving admin users the ability to create and manage custom UI themes. You can set this directly on an existing user managed in Flowable through Flowable Control. If you have made a custom user definition and you want users to have this ability, the themeManagement needs to be added to the allowedFeatures array of the user definition json file.

  • Input parameter validation is now done for all service invokers, which might lead to an exception for a missing required parameter, which was not checked before.

  • The provided Docker images are now using the executable JAR approach instead of a WAR in a Tomcat. This means that the embedded Tomcat can be easily configured (change the port, context path, and so on)

Open Source Artifacts Dependency Compatibility

Releases of Flowable Design, Work and Engage use versions of the open source Flowable dependencies that have not yet been published publicly on the Maven Central repository. These 'bugfix releases' can be retrieved by customers using the customer Flowable Maven repository credentials.

These versions contain fixes and have been QA'ed with the 3.7.0 release. It's advised to upgrade your open source dependencies to the 'compatible' version mentioned below (and mentioned in the subsequent Service Packs section)

Open source dependency version:

Service Packs


  • Include export of camelBehaviorClass in model exports.

  • Added an ID attribute to Email tasks in Flowable Design.Fixed issue with ClassCastException for property configuration of a Service Registry REST setting.

  • Fixed display of more than 10 content models for selection in form Attach fields.

  • Fixed attachment names when sending over WhatsApp.

  • Fixed missing translations.

  • Fixed custom.css override errors.

  • Fixed custom logo when using horizontal navigation menu.

  • Fixed visibility of default tenant Apps.

  • Fixed issue with job handler not found from engine context.

  • Fixed exception when the Service Registry returns null.

Open source dependency version:


  • Fixed issue for high load environments that use timers and async jobs. CommandContext getCurrentEngineConfiguration method and the CommandContextUtil.getJobService and other service methods are no longer available. Services can be retrieved from the bpmn or cmmn engine configuration instead.

  • Async history jobs are persisted to the deadletter job table after the defined number of retries

  • Fixed issue with form payload fetching after clicking on the claim button

  • Fixed issue with database content storage on PostgreSQL

  • Fixed issue with determining content length with database content storage

  • Improved emoticon support for WeChat and added the option for custom image icons for specific Wechat icons

  • For projects using their own dependency management, in this release, Flowable Design uses version of the Flowable open source dependencies and Flowable Work / Engage uses version

Open source dependency version:


  • Added support for expressions in the folder path for content upload form fields

  • Added hookpoints in the MessageSendHelper to allow customization of the unread message count and conversation last update time

  • Added support for the new WhatsApp template message format. The existing HSM format is used by default, but the new template message can be enabled using: flowable.adapter.whatsapp.jms.use-hsm-for-basic-template-messages=false

  • Added support for LocalDate and LocalDate time in flwFormatUtils.formatDate

  • Fixed rendering of wizard tabs that have visibility conditions

  • Fixed copying bulletpoint text between two rich text form fields

  • Fixed an inconsistency in the documents tab when navigating back from document preview

  • Fixed retrying deadletter jobs from Flowable Control or REST API

  • Fixed reassignment of tasks in Flowable Work when the Task candidates type property is set to Task candidates

  • Fixed private media messages not always being retrieved

Open source dependency version:


  • Added support for accessing the parent object in the payload for complex sub-forms

  • Fixed an issue with moving deadletter history jobs to the executable jobs

  • Fixed an issue with overwriting master data instances

  • The ID and type for historic plan item instances are now included in completed process task data

  • Added task reference ID and type information for plan item instances with type human task

  • Fixed an issue for attachment fields with a content model in multi tenant mode

  • Fixed an issue with case view information for completed instances

  • Flowable Engage temporary messages now use the BPMN engine async executor for improved performance

Open source dependency version:


  • Fixed an issue with deletion of event subscriptions in models containing receive/send event tasks or event listeners on new version deployment

  • Fixed an issue with rendering nested multiple/repeating subforms in some circumstances

  • Fixed an issue with a date field and target expression in the Service Registry

Open source dependency version:


  • Fix performance issue with forms with large payloads and many expression buttons

  • Fix issue in Flowable Control to update variables with a space in the name and UTF-8 variable values

  • Fix issue with history cleanup for historic case instances

Open source dependency version:


  • Added support to synchronize historic process instance data based on runtime data

  • Fixed issue with non-interrupting boundary events for the async history handling

Upgrade note: We highly recommend upgrading to Flowable 3.8.2 (6.6.x) as it provides significant performance improvement for historic data handling. Furthermore, if you are seeing the error message “Job is not applicable for transformer types” in your logs, then in some circumstances it is important to upgrade to Flowable 3.7.7 or Flowable 3.8.2 and contact Support.

An additional REST call is provided to ensure history and runtime data are in sync for a process instance:

POST to /platform-api/platform-management/historic-process-instances/{processInstanceId}/synchronise

Open source dependency version:


  • Fixed issue with link modal disappearing when selecting in the rich text editor.

  • Backported improvements in the history job indexing from version 3.9 to 3.7.

  • For the embedded mobile view in Flowable Engage, the attachment icon now follows the attachment feature flag.

Open source dependency version:


  • Fixed issue when retrieving content items that are being stored as a serializable variable type.

Open source dependency version:


This version fixes an important security issue and customers are advised to upgrade to this version immediately.

Without the fix included in this version, an RCE (Remote Code Execution) exploit might be possible. The RCE exploit is due to a vulnerability in the logging dependency. All information about it can be found here: Github Security Advisory

Affected products:

  • Flowable Design default WAR distribution and Docker image version < 3.7.10
  • Flowable Control default WAR distribution and Docker image version < 3.7.10
  • Flowable Work default WAR distribution and Docker image version < 3.7.10
  • Flowable Engage default WAR distribution and Docker image version < 3.7.10

Fix versions are also released for customers on other versions. Versions 3.10.6+, 3.9.10+ and 3.8.15+ contain the same fix.

In case it's not possible to upgrade immediately, the RCE exploit can be disabled by setting the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to true or pass the log4j2.formatMsgNoLookups=true as system property

When not using the default distributables (for example in a custom Maven or Gradle project) you might be affected if you have added the log4j dependency to your project explicitly. For Maven, run mvn dependency:tree | grep log4j-core on the command line and make sure the version is 2.15.0 or higher. If not, upgrade the dependency in your configuration to minimally 2.15.0.

Open source dependency version:


Contains log4j version 2.17.0, which fixes two additional security vulnerabilities. See the dedicated page around the Log4Shell vulnerability for more information

Open source dependency version: