Release Notes

List of new features and improvements

Platform and OroCRM:

• Upgrade Twig to 3.27.0+. [BAP-23389]
• Improve data audit performance during entity import. [BAP-23365]
• Update Zendesk Integration. [BAP-23236]
• Review composer audit report and update dependencies. [BAP-23085]
• CLI command to change application localization and formatting code after installation. [BB-21119]

List of fixed issues

Platform and OroCRM:

• Application 7.0.2 cannot be deployed to OroCloud. [BAP-23392]
• MCP server tools have invalid outputSchema and never return structuredContent (MCP spec 2025-06-18 violation). [BAP-23376]
• OAuth2 Server Metadata incomplete grant_types_supported list. [BAP-23375]
• duplicate_entity action does not duplicate extended entity fields properly. [BAP-23227]

Release Notes

List of new features and improvements

Platform and OroCRM:

• Add Webhook support. Introduced comprehensive bi-directional webhook support, allowing external systems to securely receive Oro application event notifications while enabling developers to seamlessly process inbound third-party data through a unified, high-performance endpoint. [BAP-23274]
• Customer User Email Address Change Verification. Enhanced account security with a new email change confirmation workflow that requires users to authorize profile email updates via their current address before they take effect, protecting accounts from unauthorized hijacking. [BAP-23050]

List of fixed issues

Platform and OroCRM:

• Missing logger injection in FrontendOwnerTreeProvider causes fatal error instead of logging exceptions. [BAP-23346]
• User's password is checked on every API call. [BAP-23338]
• Error when sorting the users grid by username on "Create User Role" back-office page. [BAP-22967]
• Title of calendar event edit dialog window is rendered incorrectly. [BAP-22814]
• Fixed future Twig operator precedence deprecations. [BB-24971]

Release Notes

List of new features and improvements

Platform and OroCRM: 

• Logs traceability. [BAP-18478]
• Remove redundant definitions in api.yml files. [BAP-23361]
• Add logging of API request body. [BAP-23341]

List of fixed issues

Platform and OroCRM:

• Organization switcher has no defined display order for organizations. [BAP-23344]
• Organization selector is slow to display organization list. [BAP-23343]
• Decrease log level of aggregation time failure logs. Updated API batch job logging to report non-critical aggregation time calculation failures as warnings instead of errors, reducing unnecessary alerts for completed jobs under heavy load. [BAP-23334]
• Fix API docs for creating files and attachments. [BAP-23265]
• Unexpected errors during install caused by DB requirements checks executed for read-only "reports" database connection. [BAP-22973]
• Impossible to change customer status for quotes. [BAP-22796]

Release Notes

List of new features and improvements

Platform and OroCRM:

• Add logging of API request body. Add optional logging of API request bodies to aid debugging and auditing. [BAP-23341]
• Add support of "container.service_subscriber" DI tag for TWIG extensions. Allow Twig extensions to use the container.service_subscriber tag for better DI patterns. [BAP-23286]
• Rename "API Type (View)" field to "API" for OpenAPI specification management. Simplify OpenAPI configuration terminology by renaming “API Type (View)” to “API”. [BAP-23281]
• OAuth 2.0 authorization server metadata HTTP endpoints. Implement OAuth2 authorization‑server metadata endpoints to conform to modern OAuth tooling. [BAP-23273]
• Enable "meta" API filter for dictionaries. Allow dictionary APIs to use the meta filter for richer responses. [BAP-23261]
• Login shows misleading invalid credentials message for users without assigned organization business unit. Show a more accurate error for users missing organization/business‑unit assignment at login. [BAP-12161]

List of fixed issues

Platform and OroCRM:

• Decrease log level of aggregation time failure logs. Reduce log level for aggregation time failures to avoid noisy logs while keeping visibility. [BAP-23334]
• 500 on GET /admin/api/productprices when filtering by both price list and ID. Prevent HTTP 500 when /admin/api/productprices is filtered by both price list and ID. [BAP-23314]
• Sanitized database backup creation fails when entity has no backing table. Make sanitized backup creation robust to entities without physical tables. [BAP-23304]
• Custom reports and segment snapshots stop working after upgrade if they use filters by enums. Fix enum‑based filters so custom reports and segment snapshots continue to work after upgrade. [BAP-23277]
• oro_api_async_data keeps unnecessary outdated records. Add cleanup for outdated oro_api_async_data rows to avoid table bloat. [BAP-23228]
• Unexpected errors during install caused by DB requirements checks executed for read-only "reports" database connection. Avoid installation errors when DB checks run against read‑only “reports” connections. [BAP-22973]
• Validation errors on Clone Role page clear copied entity permissions. Preserve copied entity permissions on the Clone Role page even when validation fails. [BAP-14133]
• Improve workflow data processing error handling for complex data structures. Harden workflow data processing and error handling for complex/nested data structures to avoid potential security impact. [BAP-23335]

OroCRM 7.0 LTS is now available

OroCommerce 7.0 LTS has been released.
Check out the release announcement on our website for an overview of what is new.

Release Notes

List of new features and improvements

Platform and OroCRM:

• Disable Local Password Change/Reset for LDAP Users,Administrators can now prevent local password changes and resets for back-office users whose accounts are synchronized from LDAP, avoiding conflicts with centrally managed credentials. When enabled, LDAP users cannot change their own password or request a local password reset, and administrators cannot change or reset passwords for LDAP users through the back-office. Password management behavior for non-LDAP users remains unchanged and continues to follow existing login and SSO configuration settings [BAP-23238]
• Enable MCP Server for Back-Office and Storefront. MCP Server support for both Back-Office and Storefront, providing a unified integration layer to securely connect tools and services, streamline workflows, and improve extensibility across the AI powered platform [BAP-23213]
• OIDC Identity Providers Management for Back-Office Users. Administrators can now manage OpenID Connect (OIDC) identity providers making it easier to configure SSO for back-office users [BAP-23169]
• Users provisioning and deprovisioning via SCIM. OroCommerce now supports SCIM-based user and group provisioning, enabling automatic synchronization with identity providers such as Microsoft Entra ID or Okta. When SCIM is enabled, administrators can define default roles, organization access, and name-handling strategies for newly provisioned users. This simplifies user lifecycle management and ensures that provisioned and deprovisioned accounts stay aligned with your IAM configuration [BAP-23145]
• Add AI Smart Agent Integration API label and description on OpenAPI management page [BAP-23253]
• Add note to API docs when a discount is represented as negative value [BAP-23246]
• Replace "tmpnam" and "sys_get_temp_dir" with "tmpfile". Temporary file handling has been improved by replacing manual use of "tmpnam" and "sys_get_temp_dir" with "tmpfile". This ensures that temporary files, particularly in import and export workflows, are automatically cleaned up when a PHP process terminates, including in the event of unexpected errors or crashes [BAP-23198]
• Confusing messaging for users log in without assigned organization business unit. User login handling has been improved for accounts without assigned organization business units by providing clear, actionable messaging both during authentication and in access settings, explaining that at least one organization business unit is required in order to log in [BAP-12161]

List of fixed issues

Platform and OroCRM:

• DIC building log is not created [BAP-23241]
• Back-office "Remember Me" ignored when 2FA is used. The back-office login flow has been corrected so that the "Remember Me" option is honored when two-factor authentication is enabled. If a user selects "Remember Me" on the initial login screen, the persistent session cookie is now preserved after successful 2FA verification, aligning the behavior with non-2FA logins [BAP-23240]
• Slow DB queries during oro:website-search:reindex [BAP-23190]
• Error/Exception is not logged when DB connection issue [BAP-23009]
• Import fails on unexpected value type in column [BAP-22324]
• Unable to manage entity unique keys [BAP-21649]

Release Notes

List of new features and improvements

Platform and OroCRM:

• Added a flag to integration sync settings to log warnings during sync [BAP-23113]
• Prepare ApiBundle to add API types with own prefix in URL [BAP-23160]
• Add possibility to filter addresses by "customRegion" in API [BAP-23171]
• Support markdown formatting for descriptions of API filters [BAP-23179]
• Support "False" and "True" strings as a values for boolean fields in API [BAP-23180]
• "fields" API filter should affect meta properties [BAP-23181]

List of fixed issues

Platform and OroCRM:

• Adding extended manyToOne relation creates invalid extend metadata [BAP-23075]
• CSRF Header not sent from jquery ajax due to invalid cookie name in https site [BAP-23115]
• Dotdigital campaign summary synchronization fails [BAP-22507]
• Export of 1M+ records fails with memory limit error [BAP-22730]
• Error/Exception is not logged when DB connection issue [BAP-23009]
• Bundle-less API documentation update [BAP-23148]
• Nested object is not validated when it is not provided in API POST request [BAP-23170]

6.1.5

New Feature and Improvements

• Disable Username/Password Login [BAP-23058]:
  Added ability to disable login to back-office with the username and password authentication. Such option allows to streamline single sign-on (SSO) configuration so authentication is fully handled by integrated identity provider (Google Workspace, Microsoft 365 or others).
• Advanced search in the back-office API [BAP-23040]:
  Added searchQuery filter that allows to create advanced search requests via API and use granular conditions per entity indexed fields.
• Subresource Integrity Check (SRI) [BAP-22926]:
  Added feature toggle that allows to enable Subresource Integrity (SRI) check for application JS and CSS assets in order to improve security of the application and ensure that the files delivered to the client browser are exactly what the developer intended.
• Add a check to see if the decryption works in oro:check-requirements [BAP-22955]
• Websocket client performance issue [BAP-23044]
• AclHelper: ensure $owners can be json_serialized to an array [BAP-23112]
• Store request data for included and primary entities for "customize_form_data" API processors [BAP-23119]
• Allow to use upper case letters and hyphens for API resource names [BAP-23159]
• Allow to make "meta" filter optional for new API types [BAP-23161]
• Allow to use "fields" filter for API types that do not support inclusions [BAP-23162]
• Allow to make "sort" filter optional for new API types [BAP-23163]
• Handling of taggable entities when "tags" association does not exist in API [BAP-23165]
• Update GrapesJS to latest version [BB-25752]
• Re-enable autocomplete for Behat tests in new PhpStorm versions [BB-26011]

Fixed Issues

• Cleanup of import expired results can lead to out of space [BAP-22947]
• Dotdigital integration does not work after Enum architecture changes [BAP-23077]
• Using 'choice' as name for a form does not work anymore [BAP-23117]
• Unexpected error with 500 status code in API [BAP-23155]
• Grid filters in dev and prod modes have different content [BB-25638]
• Incorrect icon view in error notifications [BB-25883]
• autocomplete.php generation with empty methods [BB-25923]

6.1.4

New Feature and Improvements

• Add support of native PHP enums to API [BAP-23099]
• Add strict comparison for array attributes in API functional tests [BAP-23093]
• Make OAuth 2 login forms functionality the same as common login forms [BAP-23064]
• Add support of multi-file and multi-image relations to the API [BAP-22433]

Fixed Issues

• API forms fail after update to Symfony 6.4.23 [BAP-23096]
• No description for "attachments" association for API subresources [BAP-23091]
• Unable to rebuild cache after upgrading application to 6.1 having custom entity with Select entity field [BAP-23087]
• Escaped HTML tags are visible in renderCollapsibleHtmlProperty blocks [BAP-22792]

Release Notes

List of new features and improvements

Platform and OroCRM:

• Improve app healthchecks [BAP-22853]
• Disable DB prepares emulation. Disabled ATRR_EMULATE_PREPARES to improve application performance [BAP-22995]
• Add validation error when API "validate" operation is requested for included entities [BAP-23030]
• Option to handle Batch API requests synchronously [BAP-23031]
• Update platform dependencies [BAP-23059]

List of fixed issues

Platform and OroCRM:

• Fixed oro:maintenance:unlock messaging when command executed twice [BAP-21744]
• autocomplete.php file generated by extended entity cache includes incorrect method definitions [BAP-22536]
• Improve filter options processing (is_callable handling for string option value) [BAP-23022]
• Data validation is not performed when using PATCH in upsert request [BAP-23025]
• It's impossible to make enum editable over API [BAP-23036]
• Multi-select fields become read-only after upgrade to 6.1 [BAP-23041]
• Attachment/file deletion on local filesystem is slow if directory contains thousands of files [BAP-23049]
• Can’t use custom identifier_field_names in API nested associations [BAP-23054]
• Can’t use NestedAssociationFilter when target entity has custom identifier_field [BAP-23060]