Bloomreach Experience Manager V16.7 Release Notes

Highlights for v16.7

We are pleased to announce a new version of Bloomreach Experience Manager (brXM). This minor release introduces a number of new features,  useful technical stack upgrades and improvements to the product. In this document we will give a brief overview of the highlights in this release. You can also find these release notes at Release Notes Overview.

Everything mentioned in this document is an integral part of Bloomreach Experience Manager (brXM), unless mentioned otherwise. 

Significant Updates and New Features

Role-Based Access: Govern Who Uses the AI Assistant

With this release, you can now control who has access to the AI Content Assistant feature through role-based access management. This gives you the flexibility to:

• Isolate usage to specific users and groups - A new user role has been added specifically for AI feature access, allowing you to restrict the AI Content Assistant to designated teams or individuals. Users without the appropriate role won't see the AI Content Assistant button in their interface, keeping their workspace clean and focused.

• Roll out the feature gracefully - Test the feature with a pilot group before expanding access to your entire organization. 

This enhancement is ideal for organizations that want to test the AI Content Assistant with specific teams, manage AI usage according to their governance policies, or gradually train different groups on the new capabilities.

For more information please see Initialize and configure the AI Content Assistant documentation.

Leverage PDFs in AI Content Assistant for Maximum Context

The AI Content Assistant now supports PDF documents as both primary context and as reference materials in conversations. This powerful enhancement enables you to:

• Leverage PDF documents directly - Use any PDF asset from your CMS as context for AI-powered content generation

• Use your existing brand guidelines - Upload PDF versions of your brand, legal, or accessibility guidelines as assets in the CMS and reference them in AI conversations

• Ensure content compliance - Have the AI create or enrich content that automatically complies with your documented guidelines

This feature makes it easy to maintain consistency across your content by giving the AI access to your organization's established standards and guidelines in their original PDF format.

Try AI Content Assistant and Share Your Feedback

If the AI Content Assistant is not yet available in your project, we invite you to experience it firsthand in our demo environment and help shape its future development.

• Try it now: Visit Bloomreach Content Demo to explore the AI Content Assistant capabilities in action.

• Share your vision: We are committed to evolving Bloomreach Content with AI that solves your real-world challenges. We want to understand your AI vision, usage and how we can further integrate AI into your specific workflows. Please take a moment to share your feedback and ideas through our AI Adoption and Vision Survey.

Thank you for sharing your perspective! 

Angular Upgrade for Channel Manager, Projects, and Navigation Applications

As part of this release, we completed a major upgrade of the Angular framework used across several core applications, improving maintainability, performance, and long-term support.

The following applications have been upgraded from Angular v12 to Angular v21:

• Channel Manager

• Project Management

• Navigation Application

This upgrade delivers:

• Long-term framework support – Aligns the applications with the latest Angular ecosystem, reducing technical debt and ensuring compatibility with future enhancements.

• Improved performance and stability – Benefits from Angular’s latest rendering, build, and runtime optimizations.

• Modernized codebase – Enables the use of up-to-date Angular features, tooling, and best practices, making ongoing development and maintenance more efficient.

• Enhanced security posture – Removes reliance on deprecated dependencies and incorporates security improvements introduced in newer Angular versions.

This change is fully transparent to end users and does not introduce functional regressions. For developers and integrators, the upgrade provides a future-proof foundation for extending and customizing these applications.

Enhanced SVG Security

We have significantly improved the security of SVG file uploads in brXM with a configurable SVG validator that provides stronger protection against malicious content that could be embedded in image files, ensuring a safer environment for your content editors and website visitors.

Benefits:

• Configurable security controls - Advanced validation can be tailored to your organization's security requirements

• Stronger protection - Enhanced validator prevents potentially harmful SVG files from being uploaded

• Flexibility - Configure validation rules to balance security needs with your specific use cases

• Automatic protection - Security validation happens seamlessly during the upload process

This enhancement is part of our ongoing commitment to maintaining the highest security standards for your content platform while giving you control over how security is enforced.

Please find more information about Media Validation Service in Image and asset upload validation documentation.

Refactored CMS file uploads 

We replaced the deprecated Blueimp File Upload frontend library with FilePond to remove the dependency on jQuery 1 and address related security concerns. 

As part of this work, several internal Wicket classes were removed and/or significantly refactored:

• org.hippoecm.frontend.plugins.jquery.upload.multiple.FileUploadBar

• org.hippoecm.frontend.plugins.jquery.upload.multiple.FileUploadTemplate

• org.hippoecm.frontend.plugins.jquery.upload.multiple.FileDownloadTemplate

• org.hippoecm.frontend.plugins.jquery.upload.single.FileUploadBar

If you have customizations or overrides that extend or rely on these classes or their related packages, you will need to review and update those customizations when upgrading to 16.7.0.

Ongoing Enhancements and Fixes

For end users

• We fixed a problem where the '+ Add' button in compound fields would malfunction when multiple documents were open simultaneously. 

• We resolved an issue where text fields in the CMS would not receive keyboard focus when clicked, requiring users to click multiple times or use the Tab key to begin typing. 

• We resolved an issue where the document picker would retain the previous selection after an error occurred, showing incorrect documents as selected when reopening the picker. 

• We improved image compression for cropped PNG images, which were paradoxically resulting in larger file sizes than the original uploaded images. Cropped images now produce smaller, more optimized files. 

• We fixed an issue with the notification banner in documents where a "request rejected" message would continue to be displayed even after a subsequent publication request was accepted. The notification banner now correctly displays only the latest request status and includes the creation date and time of the request to help users identify which notification is current.

• We added an upload progress indicator and disabled the 'Done' button until file uploads complete for large documents, preventing users from prematurely submitting forms before uploads finished, which would cause document save failures.

• We added the ability to configure multiple validation rules on a single content block, previously limited to one validation per block, enabling more sophisticated content quality controls. 

• The performance of the Advanced Link Management modal has been significantly improved by optimizing the underlying reference queries. 

• We resolved a critical issue where two editors using the same perspective simultaneously would cause one of their sessions to crash unexpectedly, resulting in lost work.

• We fixed an issue where the Bulk Workflow Wizard dialog box would intermittently fail to close after completing bulk operations from Document Search, requiring users to refresh their browser to continue working. 

• We resolved an issue where copying an XPage would successfully create the copy but fail to navigate to the newly copied page, leaving editors unsure whether the operation succeeded and making it difficult to immediately edit the copy.

• We fixed a problem where images were being unintentionally modified during the upload process, causing quality degradation. 

• We resolved an issue where the "Schedule to take offline" function would fail to work when used with the "Refers to" option, preventing editors from scheduling dependent documents to go offline together. Workflow actions are now tab-specific, ensuring that actions performed in one tab correctly apply to the document context of that tab.

• We fixed an issue where the external preview feature would fail when multiple pages were configured based on the same document type for a single URL, causing preview URLs to resolve incorrectly. 

• We resolved an issue where opening pages in the Channel Manager would throw an IllegalArgumentException error when the document name contained certain special characters or non-ASCII characters (such as accented letters in non-English languages), preventing editors from previewing or editing those pages.

• We fixed an issue where using a period (.) in a custom field name would cause the document picker to break, preventing editors from selecting documents in fields with periods in their names. 

• We resolved an issue where adding a new menu item to second-level nested menus would cause the menu tree to collapse immediately after the addition, requiring editors to manually expand the menu again to confirm the item was added successfully.

• We resolved an issue where the Publish request dialog would remain open and throw an error when a user without Experience Manager access attempted to publish a document. The dialog now closes properly and displays an appropriate access message. 

• We fixed an issue where file downloads from embedded iFrames were blocked due to a missing sandbox attribute. Users can now successfully download files from iFrame content within the CMS. 

• We resolved an issue where the References dialog box would fail to close after clicking on documents. 

• We resolved an issue in the Document Translation Picker Plugin v7.0.0 where selecting a different translation would not be reflected immediately due to aggressive caching. 

• We improved the performance of the user dashboard by limiting the number of recent activities retrieved, which was causing slow load times for users with extensive activity history.

• We fixed an issue where the "Show References" action in the workflow menu would not display references from the Channel Manager, showing an incomplete list of where documents were being used. 

• We resolved an issue where advanced settings configured for menu items were not being saved correctly, causing configuration changes to be lost after saving.

For developers

• We resolved an issue where customers running Chrome 142 or later were unable to preview their SPA applications inside the Experience Manager iframe due to new CORS security restrictions in Chrome. The fix adds the allow="local-network-access" attribute to the iframe tag, allowing local network requests to function correctly. See the troubleshooting documentation for more details. 

• We added warning-level logging when image uploads fail, which previously failed silently, making it difficult to diagnose upload issues.

• We fixed a caching issue that caused the Home 2.0 page to display an incorrect brXM version number, showing outdated version information after upgrades.

• We introduced a new parameter, compressionLossless, for image set variants to control the compression quality factor specifically for lossless formats, such as PNG and GIF. This parameter is detailed in the documentation on Create a Custom Image Set and is also supported by Essentials' Gallery Manager development tool.

• We now support Spring AI's spring.ai.openai.chat.completions-path property for the OpenAI provider, allowing even more customization and experimentation in the AI module.

• The AI module now supports Spring AI's spring.ai.openai.chat.completions-path property for the OpenAI provider, allowing you to customize the API endpoint path when connecting to OpenAI-compatible services with non-standard endpoint structures. This enables integration with alternative hosting environments (such as Azure OpenAI Service), custom API gateways or proxy services, and self-hosted or third-party OpenAI-compatible implementations. For more information about the Chat Completions API specification, see the OpenAI API Reference.

• We deprecated APIs that rely on Jackrabbit RMI connections. These APIs will be removed with brXM version 17. Find more about the deprecated APIs in the Notices section in this document.

Bloomreach SPA SDK Updates

React Server Components Support (v27.0.0)

The SPA SDK now supports React Server Components (RSC) with the new @bloomreach/react-sdk/server package. This major enhancement brings modern React capabilities to your Bloomreach Content applications:

• New server-side components - BrPageServer and BrComponentServer components for RSC rendering

• Full backwards compatibility - Existing BrPage and BrComponent client components remain unchanged, ensuring Experience Manager continues to work seamlessly

• Flexible rendering - Render components in both server and client contexts without maintaining separate versions

Learn more in the SPA SDK 27.0.0 release notes.

Bloomreach Cloud Updates

Enhanced Indexing Process

We are rolling out a new index creation process for Bloomreach Cloud (BRC) that significantly improves system stability and reliability:

• This new solution creates a regular fresh Lucene index that can be used in deployments. This practice is key to mitigating and preventing index corruption, which could otherwise result in severe outcomes like system unavailability.

• This results in a more reliable system for you and your team. The improved indexing process reduces the need for manual intervention and support escalations related to index issues.

Professional Services Plugin Newsletter

Generic Resource Entity Builder (GREB) API v3.0.1

GREB API has been updated to version 3.0.1 with full compatibility for brXM v16.x, now supporting the Jakarta namespace. 

Translations Addon v7.3.0 - Environment Variable Support

The Translations Addon now accepts environment variables for connector configuration, allowing you to securely manage API keys and credentials outside the JCR repository instead of storing them as secrets in the repository. We also fixed an issue where SFTP connections were not terminated properly.

Content HAL API v6.1.0 - Security Enhancement

We implemented input validation and sanitization to mitigate vulnerabilities in HAL API input handling, protecting your content repository from potential security exploits. We strongly recommend upgrading to this version.

Get help from BrXM Experts for Upgrade

The Bloomreach Professional Services team possesses extensive expertise in BrXM and has successfully executed various project implementations. Our team can facilitate a seamless upgrade of your project to the latest BrXM versions.

Additionally, we offer an Upgrade Assessment service for your projects. In just 3 days, our comprehensive evaluation will provide you with invaluable insights into your investment requirements. Our team of experts meticulously assesses your existing systems and infrastructure to determine the necessary investment for the upgrade.

The resulting detailed report encompasses the following components:

• Executive summary

• Overview of major changes

• Recommended upgrade procedure

• A comprehensive list of findings

It's important to note that the evaluation fee* is fully refundable should you decide to proceed with our Professional Services for the actual upgrade. This ensures that you not only receive top-notch guidance but also keeps your best interests in mind.

If you're interested in availing the assistance of our Professional Services team for your upgrade, please get in touch with your account manager. We're here to support your project's success every step of the way.

Notices

Deprecated APIs

We deprecated the following APIs that rely on Jackrabbit RMI connections. These APIs will be removed with brXM version 17.

org.hippoecm.repository.RemoteHippoRepository 

org.hippoecm.repository.decorating.client.ClientHierarchyResolver 

org.hippoecm.repository.decorating.client.ClientQuery 

org.hippoecm.repository.decorating.client.ClientRepository 

org.hippoecm.repository.decorating.client.ClientServicesAdapterFactory 

org.hippoecm.repository.decorating.client.ClientServicingNode 

org.hippoecm.repository.decorating.client.ClientServicingSession 

org.hippoecm.repository.decorating.client.ClientServicingWorkspace 

org.hippoecm.repository.decorating.client.ClientServicingXASession 

org.hippoecm.repository.decorating.client.ClientWorkflowDescriptor 

org.hippoecm.repository.decorating.client.ClientWorkflowManager 

org.hippoecm.repository.decorating.client.LocalServicingAdapterFactory 

org.hippoecm.repository.decorating.remote.RemoteHierarchyResolver 

org.hippoecm.repository.decorating.remote.RemoteQuery 

org.hippoecm.repository.decorating.remote.RemoteRepository 

org.hippoecm.repository.decorating.remote.RemoteServicingNode 

org.hippoecm.repository.decorating.remote.RemoteServicingSession 

org.hippoecm.repository.decorating.remote.RemoteServicingWorkspace 

org.hippoecm.repository.decorating.remote.RemoteServicingXASession 

org.hippoecm.repository.decorating.remote.RemoteWorkflowDescriptor

org.hippoecm.repository.decorating.remote.RemoteWorkflowManager 

org.hippoecm.repository.decorating.server.RemoteServicingAdapterFactory

org.hippoecm.repository.decorating.server.ServerHierarchyResolver 

org.hippoecm.repository.decorating.server.ServerQuery 

org.hippoecm.repository.decorating.server.ServerQueryManager 

org.hippoecm.repository.decorating.server.ServerRepository 

org.hippoecm.repository.decorating.server.ServerServicingAdapterFactory 

org.hippoecm.repository.decorating.server.ServerServicingNode 

org.hippoecm.repository.decorating.server.ServerServicingSession 

org.hippoecm.repository.decorating.server.ServerServicingWorkspace 

org.hippoecm.repository.decorating.server.ServerServicingXASession 

org.hippoecm.repository.decorating.server.ServerWorkflowDescriptor 

org.hippoecm.repository.decorating.server.ServerWorkflowManager 

org.hippoecm.hst.core.jcr.pool.BasicPoolingRepositoryFactory 

org.hippoecm.hst.core.jcr.pool.MultiplePoolingRepositoryFactory

Minor release

v16.7 is a minor release, so it is backward compatible with the previous minor release. Also, updating to this version from the previous minor version should be of little effort. Specific instructions for upgrading from v16.6 to v16.7 are available for enterprise customers (login required). Please also find  the overview of minor version upgrade instructions in this major release in our documentation.

Supported Technologies

Full system requirements, including a comprehensive table of maintained third-party compatibility, are available in the system requirements documentation.

End-of-life, support and maintained code

Nomenclature refresher

As the terms ‘end-of-life’, ‘supported’, ‘maintained’ are used in various ways in our industry, we clarify the nomenclature we use for this below.

Supported product version

When a product is supported, this means that the customer will receive help from the helpdesk when issues arise as described in the service level agreement (SLA) that the customer has with Bloomreach. There are several service levels available. 

Please note that if a bug is acknowledged in a supported, but not-maintained version, and a fix is needed, this fix will only be applied in the maintained product versions. This means the customer will need to move to a maintained version to receive the fix. 

Maintained product version

When a product is maintained, the product code is updated and security- and bug fixes are made to the code. For maintained products, the system requirements for third party libraries and components are kept updated as well. Please note that we do not provide support for system requirement providers (e.g. databases, java, etc..), but we only support the usage for mentioned certified system requirement providers. 

If a product is non-maintained, this means that the code is not maintained anymore and therefore might contain bugs and/or security vulnerabilities due to newly discovered issues in our code, or the libraries used.

End-of-life product version

Products that are not maintained and not supported are end-of-life. These might be available from our archives but could be removed without notice.

What does this mean for the current release?

Please note that this release changes existing maintenance or support modes. In the table below you can find the support status of your product and when support will end; this is dependent on  the version currently being used and license level. Please note that versions that are not listed are not active and not supported, and therefore end-of-life.

Version	Planned end date of  Standard Support	Planned end date of  Premium Plus Support	Original major version release date
Latest 14.x	December 2024	December 2025	December 2019
Latest 15.x	December 2025	December 2026	April 2022
Latest 16.x	December 2026	December 2027	June 2024

Figure: reference table of planned end of support dates based on current SLA terms. Supported versions may differ depending on contractual agreements.

The versions highlighted in orange are actively maintained and provided with bug fixes and product improvements.

Security notes

This release includes updates for third-party dependencies that have published vulnerabilities. We recommend that customers keep their systems up to date with announced product releases.

Availability

This version of brXM is available as of February 4, 2026 onwards, the release of the open source will be made available after approximately 2 years due to our release policy.