Jahia 8.1.9 Release Notes

February 19, 2026

What's new?

Jahia 8.1.9 is a maintenance release primarily addressing security-related issues detailed on the September security patch page.

Adopting this release is expected to be simple for environments already running Jahia 8.1.8.

About Rolling Upgrade

Jahia 8.1.9.1 includes an updated version of the tasks module. In order to perform a rolling upgrade between Jahia 8.1.9.0 and Jahia 8.1.9.1, you will need to manually install tasks 8.3.0 on your running Jahia 8.1.9.0 before proceeding with the upgrade to Jahia 8.1.9.1. The tasks 8.3.0 module can be downloaded here.

Breaking changes

This release includes changes that could be considered breaking, depending on your environment.

Apache Portlet removal

Deprecated since Jahia 8.0, the portlet functionality has been removed in Jahia 8.1.9.0.

Investigations found that this deprecated feature could expose Jahia to security vulnerabilities, so the decision was made to remove it.

Note that portlets were already removed from Jahia 8.2.0.0+, released in 2024.

Stricter file upload validations

This release introduces stricter file upload checks configurable via the property jahiaSecuredFileUpload in the jahia.properties file.

In Jahia 8.1.9.0, this property is set to true by default. Make sure to review the documentation available in the jahia.properties file to determine if and how you are impacted. This documentation is also accessible here.

Snakeyaml upgrade

To address the CVE-2025-52999 vulnerability in jackson-core, it was necessary to upgrade snakeyaml from 1.33 to 2.4. 

To determine whether you are impacted, start by reviewing your codebase to check if you are currently using the snakeyaml bundle exposed by Jahia. 

  • If you are not importing snakeyaml, then you are not impacted
  • If you are using snakeyaml, review the breaking changes in snakeyaml 2.x. You can do so by analyzing this file and searching for actions of type "remove". Removals between v1.33 and v2.4 are:
    • v2.4 - Remove external Base64Coder and use provided Base64 (thanks to MithunKhanna) - Commit
    • v2.3 - Remove unused BUFFER_SIZE (thanks to Róbert Papp (TWiStErRob)) - Issue, Commit
    • v2.1 - Remove Trusted*Inspector classes from main sources tree - Commit
    • v2.0 - Remove many deprecated constructors - Commit
    • v2.0 - Remove long deprecated methods in FlowStyle - Commit
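The review described above can be started with a scan of a module's Java sources. This is an added example, not Jahia tooling: it is a heuristic that lists files importing `org.yaml.snakeyaml` and flags lines touching the removal entries listed above. The function names and the sample source are constructed for illustration, and classes pulled in by wildcard imports are not covered by the constructor check.

```python
import re
import sys
from pathlib import Path

# Single, wildcard and static imports of the snakeyaml packages.
IMPORT_RE = re.compile(
    r"^\s*import\s+(?:static\s+)?(org\.yaml\.snakeyaml(?:\.\w+)*)(?:\.\*)?\s*;", re.M)

# One pattern per removal entry quoted in the release notes.
REMOVAL_HINTS = {
    "v2.4 external Base64Coder": re.compile(r"\bBase64Coder\b"),
    "v2.3 BUFFER_SIZE": re.compile(r"\bBUFFER_SIZE\b"),
    "v2.1 Trusted*Inspector": re.compile(r"\bTrusted\w*Inspector\b"),
    "v2.0 FlowStyle deprecated methods": re.compile(r"\bFlowStyle\b"),
}

def scan_source(text):
    """Return (snakeyaml imports, [(line_no, hint)]) for one Java source text."""
    imports = IMPORT_RE.findall(text)
    if not imports:
        return [], []  # no snakeyaml import: not impacted
    hints = dict(REMOVAL_HINTS)
    # Constructor removals: flag `new X(` for each class imported from snakeyaml.
    last = (i.rsplit(".", 1)[1] for i in imports)
    names = sorted({n for n in last if n[0].isupper()})
    if names:
        hints["v2.0 deprecated constructors (check arguments)"] = re.compile(
            r"\bnew\s+(?:%s)\s*\(" % "|".join(names))
    findings = [(no, label) for no, line in enumerate(text.splitlines(), 1)
                for label, rx in hints.items() if rx.search(line)]
    return imports, findings

def scan_tree(root):
    """Map each .java file under root that imports snakeyaml to its findings."""
    report = {}
    for path in sorted(Path(root).rglob("*.java")):
        imports, findings = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if imports:
            report[str(path)] = findings
    return report

# Constructed sample input (not from a real module).
SAMPLE = """import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.DumperOptions.FlowStyle;
class Loader { Object cfg = new Yaml(new Constructor(Config.class)).load("a: 1"); }
"""

if __name__ == "__main__":
    print(scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_source(SAMPLE))
```

A hit is a prompt to compare that line against the snakeyaml 2.x changes, not proof of breakage; a file with imports but no findings still depends on the upgraded bundle.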

CSRF protection in /modules/api/bundles

In this release, we removed the ability for /modules/api/bundles to rely on sessions for authentication, which typically means that it will not be possible to call this endpoint from Web UIs.

We expect this use case to be extremely rare (if not nonexistent) since this endpoint was primarily created to support Jahia orchestration use cases, which are unaffected by this change. This endpoint is still reachable via other Jahia authentication mechanisms (token, basic auth).

Password update security (Jahia 8.1.9.1 only)

In Jahia 8.1.9.1 a short-lived server-side validation window was introduced: after a successful current-password verification, a password change may be performed without re-supplying the current password, provided it occurs within the same request / thread context and within the allowed time window (configurable, defaults to 10s). 

The fixes implement a window during which a password can be modified after having been first verified. If your code already follows the pattern verifyPassword(currentPassword) followed by setPassword(newPassword) in the same thread, no changes are required.

If you perform the two operations in different threads, or in separate requests without re-verification, you must refactor your code. A sample implementation of a valid password change is available in the Jahia user dashboard (code).

It remains possible to restore the previous behaviour by setting the jahia.user.passwordUpdate.currentPasswordRequired property to false.
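The verification window described above can be pictured with a small behavioural model. This is an added example, not Jahia's implementation or API: `ModelUser`, its methods and the sample passwords are hypothetical, and clearing the stamp after one change is this model's own choice rather than something the release notes state.

```python
import hashlib
import hmac
import os
import threading
import time

WINDOW_SECONDS = 10.0  # default window stated in the release notes

class ModelUser:
    """Behavioural model only; not Jahia's user class."""

    def __init__(self, password, window=WINDOW_SECONDS, clock=time.monotonic):
        self._salt = os.urandom(16)
        self._hash = self._derive(password)
        self._window, self._clock = window, clock
        self._verified = threading.local()  # verification stamp, one per thread

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def verify_password(self, candidate):
        ok = hmac.compare_digest(self._derive(candidate), self._hash)
        self._verified.at = self._clock() if ok else None
        return ok

    def set_password(self, new_password):
        at = getattr(self._verified, "at", None)
        if at is None or self._clock() - at > self._window:
            return False  # never verified in this thread, or window elapsed
        self._hash = self._derive(new_password)
        self._verified.at = None  # model's choice: one change per verification
        return True

def set_from_other_thread(user, new_password):
    """Attempt the change from a thread that did not verify; return the result."""
    out = []
    t = threading.Thread(target=lambda: out.append(user.set_password(new_password)))
    t.start()
    t.join()
    return out[0]

if __name__ == "__main__":
    user = ModelUser("old-secret")  # constructed sample values
    user.verify_password("old-secret")
    print("other thread:", set_from_other_thread(user, "x"))
    print("same thread: ", user.set_password("new-secret"))
```

In the model, code that verifies on a request thread and hands the update to a worker thread fails the same way as code that waits longer than the window, which are the two patterns the note above says must be refactored.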

Updated modules and libraries in 8.1.9

Library upgrades

The following libraries were updated between Jahia 8.1.8.3 and Jahia 8.1.9.0:

Library                     Jahia 8.1.8.3   Jahia 8.1.9.0
Apache Commons Beanutils    1.9.4           1.11.0
Apache Commons FileUpload   1.3.3           1.5
Apache Tomcat               9.0.104         9.0.107
Graphql-java                13.0            13.0.jahia1
Jackson Core                2.15.2          2.19.0
snakeyaml                   1.33            2.4

Updated modules

The following modules were updated between Jahia 8.1.8.3 and Jahia 8.1.9.0:

Module            Jahia 8.1.8.3   Jahia 8.1.9.0   Jahia 8.1.9.1
Server Settings   9.7.2           9.7.4           9.7.4
tasks             8.2.0           8.2.0           8.3.0

Jahia 8.1.9 - Changelog

8.1.9.1

The Jahia 8.1.9.1 patch release includes the following additional fixes. You can find details about the corrected vulnerabilities on this page.

  • ✨ Introduction of a password change window
  • 🐛 Better handle exceptions to prevent log flooding
  • ✨ Addressed two XSS vulnerabilities in Jahia Administration

8.1.9.0

Security

  • Introduced a stricter mechanism to validate file uploads, configurable using the jahiaSecuredFileUpload property. This configuration is true by default. Please see the "Breaking Changes" section of this document.

 

Modules included in the upgrade - Changelog

ServerSettings (9.7.4)

  • Removed portlets (deprecated in Jahia 8.0.0.0)