Search

Engine and Engine Dispatch 24 - All Release Notes

Joshua Turner
Joshua Turner
  • Updated

24.25.394

Released 2026-06-05

Bug Fixes

  • Better error handling when a custom IKeyValueStoreAccessor returns a response object with a .Value member that is null
  • Fix server error when generating a launchUrl with an empty value for a launch setting
  • [NET] Fixes Accept-Language request header handling
  • [.NET] Updated log4net to resolve a "moderate" CVE CVE-2026-40021 (Engine is not vulnerable by default)
  • [Upgrade Tool] - Fixes xAPI activity migration error when "MaxRowsPerDatabaseUpsert" is configured higher than "1".
  • [Content Vault] Fixed support for vaulting import-by-reference media content tracks (such as captions) where such tracks are managed by Engine

Improvements

  • New media player progress indicator: added setting MediaContentDisplayCompletionProgress which can display a Progress Completion Indicator for Media Content (Audio, Video, PDF, YouTube, and Vimeo). When set to Disabled, the Progress Completion indicator is hidden. When set to PercentOfCompletionThreshold, displays a Progress Completion Indicator for Media Content that reflects the percentage of the media that the learner has consumed before being considered to have completed the content.
  • Added setting AudioVideoPlayerUseEnhancedUI which will stylize the video playback bar to show skipped video sections and the furthest watched point for the video. AudioVideoPlayer has to be set to VideoJS for the UI changes to be displayed.
  • [LTI 1.3] New setting Lti13SubjectIdentifierFormat adds the option to use the registration's Learner Identifier string as the Subject Identifier [sub] claim included in Platform-originating LTI 1.3 authentication tokens. Setting values are Legacy or LearnerId.
  • Update docs to reflect new requirement for MySQL 8.4 and above since 8.0 is now EOL. 8.0 will continue to work, though.
  • Engine's API, "CourseImport" notifications, and import result postbacks will now include the duration of course import jobs - provided that they have reached a terminal status of "COMPLETE" or "ERROR".
  • Added 'IsManifestFileParsingEnabled' setting to allow skipping manifest file parsing, which makes bulk uploads faster where the manifest is known to be good
  • Updated PDF.js to latest version 5.7.284
  • [Java] updated bouncycastle library from 1.81 to 1.81.1
  • [SCORM 1.2] Attempts to repair state when relaunching after a bad exit
  • [Content Vault] Added optional referrer check for media content.
  • [Content Vault] Added support for vaulting import-by-reference media & AICC content where that reference is pointing to content managed by Engine
     

 

24.24.352

Released 2026-05-08

Bug Fixes

  • [Upgrade] - Audit findings on the existing, pre-upgraded schema will no longer stop the upgrade.

Improvements

  • Adds setting "AudioVideoPlayerPreventSkipUnwatched" to restrict learner from skipping un-watched cmi5 video content.
  • Added XApiStatementDeletionProcessor for removing old XApiStatement and XApiDocument records.
  • Added "DebugLogStored" subscription to notify whenever a Player Debug Log is created.
  • Added new setting "PensAsyncUseDatabase" to help with PENS background processing in multi-server deployments
  • Adds new registration-level setting "OverrideRuntimeLanguagePreference" to allow SCORM content runtime language preference to be overridden. When the setting has been configured, "PlayerMakeStudentPrefsGlobalToCourse" will operate as if it were set to "YES" (in order for the override to "stick").
  • [Installation] - No longer install deprecated tables.

24.23.340

Released 2026-04-14

Bug Fixes

  • Fixes repeated errors logged from the XapiETLInstanceProcessor.
  • For cmi5 course launches, parameters from the SupplementalQueryStringParametersForAllActivities setting will now be passed along to the content's launch URL.
  • Fixes Systemless + Schema-per-tenant handling.
  • Redacts the username/password from SQLServer JDBC connection strings when log redaction is enabled.
  • [Upgrade] - Fixes table name case typo in the "MigrateTincanDataPrechecksPhase" sub-phase.

Improvements

  • Use UsageStatistics automatically for user count if since date has available data.
  • Update AWSSDK.Cloudfront for CVE GHSA-mvm6-f9r3-fgfx.
  • [TinCan] - Removed default "LMS" activity profile document/launch link for imported TinCan packages.
  • [CMI5] - Skip an unnecessary database write when a "state" request occurs shortly after another CMI5 request.
  • [xAPI] - Reduced alternate request syntax detail logging from INFO to DEBUG but moved some key information into existing INFO log.
  • [Java] - Minor version bumps and removed unused dependencies.
  • [Upgrade] - Memory optimizations for xAPI statements migration.


Dispatch Improvements

  • Dispatched media content now receives status directly via postMessage and removes need to poll Engine for status.


24.22.288

Released 2026-03-12

Bug Fixes

  • Fixed a localization issue that caused database update errors when saving scores and progress measures in regions using comma-based decimal separators.

Improvements

  • Updated Jersey dependencies to version 2.47 to address CVE-2025-12383.
  • [Java] - If an asynchronous API import job is interrupted due to shutdown, Engine will attempt to send a postback notification indicating that the job was canceled and update the job's status in the database. 


24.21.280

Released 2026-03-09

Bug Fixes

  • [NET] - Fixes activity ID validation on URNs.

Improvements

  • Reduce database calls for cmi5 content (such as media content).
  • A new setting, "SurfaceRegistrationTimeReportedInsteadOfTimeTracked", was added to allow for surfacing reported time instead of tracked time in registration information contained in a "RegistrationSchema".

  • Content vault will now fall back to the request host address if X-Forwarded-For is not set.


24.20.256

Released 2026-02-26

Improvements

  • Performance improvement when putting files into S3.
  • [Media] - When "WebContentRecordCompletionOnLaunch" is enabled, record completion of web content immediately after launch of the web content.
  • [xAPI] - When a registration is deleted and the "DeleteXAPIDataOnRegistrationDelete" setting is "true" (default), delete all xAPI documents associated with the registration.

  • [Upgrade / PostgreSql] - Significant batch query optimization.


24.19.237

Released 2026-02-13

Improvements

  • [Upgrade] - Use less strict validation during xAPI migration to prevent unnecessary stoppage for non-critical activities validation errors.

24.18.236

Released 2026-02-12

Improvements

  • When using JWTRS256 authorization for subscriptions, any properties specified in "additionalProperties" when configuring the authorization will be sent along with the token to the configured subscription URL as claims in the token's payload.

  • Added new "LoggingContextHeaders" setting. Takes a comma-separated list of HTTP Request Headers that will be automatically included in the logging context.

Engine and Engine Dispatch 24.17.232

Released 2026-01-29

Bug Fixes

  • Fixes response for V2 API "/xAPIStatements" request when passing an invalid courseId or versionId.
  • Fixes incorrect Enum type check for AICC Preview SID.
  • Resolves rare missing schema prefix on query statements.
  • [Upgrade] - Resolves false-positives during schema audit when migrating away from a legacy integration.
  • [Upgrade] - Ensures that added indexes to support xAPI migration get added to the proper "target" database for the src/target, row-copy upgrade mode.

Improvements

  • Updates our metrics support to include 4 new metrics: jvm_threads_peak_count, jvm_threads_total_started_count, jvm_loader_loaded, and jvm_loader_unloaded. In addition, external JMX Monitoring tools can now attach to Engine for real-time updating/monitoring of the JVM.
  • Adds additional error information to subscription entries when the subscription postback process encounters an error.

Engine and Engine Dispatch 24.16.218

Released 2026-01-22

Improvements

  • Use less strict validation during xAPI migration to prevent unnecessary stoppage for non-critical statement validation errors. 

Engine and Engine Dispatch 24.15.215

Released 2026-01-19

Improvements

  • AiccSessionPerLaunch now works for AICC preview launches (note: AICC Preview launches utilizing launch settings will always have a unique session ID - regardless of this setting)
  • Import results now contain course activity details.
  • Adds new "GenerateXApiStatementsMode" setting to the configuration system as an alternative to the "ConvertTinCanFromScormRealtime" setting (which can only be configured in Engine's configuration file).

Engine and Engine Dispatch 24.14.209

Released 2026-01-14

Improvements

  • [Upgrade] - Better handling of malformed statement keys during xAPI migration.

Engine and Engine Dispatch 24.13.208

Released 2026-01-12

Bug Fixes

  • [Upgrade] - Various bug fixes for when auditing the actual, existing schema.
  • [Upgrade] - Improved detection of infinite batching during data migrations.
  • [Java] - Resolves repeated DEBUG log "Could not get server engine when logging request."

Improvements

  • Adds new "LearnerExchange" for retrieving learners' first and last names at runtime.
  • [Java] - Better shutdown routine to prevent lingering Java process.
  • [LTI 1.3] - Applies to Engine as the LTI Tool. After enabling the new "Lti13InstanceRegistrationOnNewDeployment" setting, Engine will create a new registration instance if either the contextId or deploymentId has changed (resetting course progress for the registration).

Engine and Engine Dispatch 24.12.196

Released 2025-12-18

Bug Fixes

  • Fix JWT validation of nbf and crit claims.
  • Fix storage of "stored" date in xAPI statement upgrade.

Engine and Engine Dispatch 24.11.192

Released 2025-12-10

Bug Fixes

  • Expose actual numeric values for SCORM 2004 3rd Edition real interaction responses instead of the literal string "real".
  • [.NET] - Fixes concurrent launch detection page.
  • [Java] - Redact oracle database connection strings correctly.

Improvements

  • By default, disable TinCan content API - only known to be used by certain very outdated content.
  • [Media] - Bump Video.js to version 8.23.4.
  • [LTI13] - When Engine is configured as an LTI 1.3 tool, the accept header value on http requests to an LTI platform's access token url has been changed from the wildcard "/" to "application/json".
  • [Upgrade] - Audit the actual, existing schema before upgrading.
  • [Upgrade] - Preemptively remove orphaned xAPI documents.
  • [Upgrade] - Record the schema version only after other critical steps finish.

 

Engine and Engine Dispatch 24.10.175

Released 2025-11-18

Improvements

  • Engine's API now accepts RS256 JWTs as an authorization header and will accept or reject the request based on the validity of the JWTs. See the new settings, TenantApiRs256Auth and SystemApiRs256Auth
  • Introduces support for JWTs as an option for authenticating xAPI requests. These tokens are validated similarly to tokens for Engine's API - with a few xAPI specific considerations

 

Engine and Engine Dispatch 24.9.173

Released 2025-10-31

Bug Fixes

  • Fixes 401 on state requests from xAPI courses when "tracking=false".
  • The V2 API's GetCourseZip endpoint will now work for AICC stub packages.
  • Fixes error when using "on-demand xAPI registrations" feature that occurs when UseGuidAsObjectId is enabled.
  • [Java] Resolves duplicate metrics
  • [Java] - Fixes 404 error when using "pt-br" language code.
  • [LTI] - Fixes an improper authentication failure that would occur when attempting to send line items to an Engine tenant that had ApiTokenSecrets configured at both the system and tenant level.

Improvements

  • Improved recovery after bad SCORM exits.
  • Adds "TenantDatabaseSchema" configuration setting to better support database-per-tenant architectures. Previously, one could only specify a single "DatabaseSchema" across multiple tenants. 
  • Environment/vault replacements now apply to subscription auth configurations.
  • Adds "ShouldNewCourseVersionInheritSettings" setting to control whether Engine migrates the previous course version's settings to the new version or simply let the new version use defaults.
  • Added optional "EngineHostAllowList" setting to protect from spoofed proxy headers
  • RS256 JWTs can now be specified and configured as a subscription authentication option. If specified and configured, subscriptions can now send RS256 JWTs as their authorization headers. Created JWTs are cached and reused if they are not considered expired
  • [Java] - Improved error handling for background processors.
  • [Media] - Media Courses now track media type via the new "mediaType" property located on the courseSchema.
  • [Media] - Introduces the "MediaContentDurationMode" setting to provide the option to change the manner in which duration is tracked for a registration during media content.
  • [Upgrade] - Optional FromMajorVersion fallback setting to specify the schema version from which one is upgrading.

Engine and Engine Dispatch 24.8.143

Released 2025-09-03

Bug Fixes

  • Resolves startup failure when using an environment variable for an encryption setting.
  • [Java] - Additional fixes for updating course asset files stored on AWS S3.
  • [LTI 1.3] - Removed unnecessary validation of the subject identifier claim from tool-originating LtiDeepLinkingResponse messages.
  • [Upgrade] - Fixes potential row count processing logging and avoids additional unnecessary processing when using the SkippedPhases setting.
  • [Upgrade] - Installations that ran Engine 23 versions prior to v23.8.108 will now be able to to upgrade to Engine 24.
  • [Upgrade] - During phase 3 of a phased upgrade, avoid miscounting the number of "actual" versus "ideal" indexes during the "Schema Audit" sub-phase.

Improvements

  • Obfuscate registration_usage_id in the UsageStatistics DB table when PII deletion job is started.
  • Subscription authentication requests now have "additionalProperties" to hold nonstandard values.
  • [Media] - Introduces the MediaContentStatementMode setting to provide the option to reduce the quantity of xAPI statements generated from media content.

  • [Java] - updated bouncycastle libraries to resolve unconstrained resource usage vulnerability CVE-2025-8916.

Engine and Engine Dispatch 24.7.122

Released 2025-07-25
 

Improvements

  • Allow scoped configuration replacement tokens such as ${TenantName} to be used inside of "key lookup" setting tokens such as Environment variables and Vault.

  • Requests for a launch link with launch-scoped settings will now fail with a 400 error when ApiUseSignedLaunchLinks is false


Engine and Engine Dispatch 24.6.120

Released 2025-07-23

Bug Fixes

  • Engine no longer errors when processing a statement with no timestamp while "UseStatementTimestampInRegistrationUpdates" is enabled.
  • Fixes broken concurrent launch detection for SCORM courses when UseDeltaRecordResultsPayload is enabled.
  • Subscription filters with empty strings can no longer be created.
  • [LTI] - Resolves "invalid tenant" error when an LTI 1.3 Tool requests Engine's /token endpoint from a system-level content connector. The error only occurs in Engine environments with a deactivated "default" tenant.
  • [LTI] - URL encode contextId when included as a context property in ltiMetadata for LTI connectorReferenceRequest imports to prevent context ID validation errors when the context ID contains invalid URL characters.
  • [LTI] - Launches should no longer attempt to incorrectly set cookies with empty path.
  • [SqlServer] - Fixes "activity not found" error and "fatal error" popup when updating registrations at course runtime. Impacts databases installed with GUIDs as internal database IDs against SqlServer.
  • [Upgrade] - Fixes upgrading version 0.9x TinCan content properly.
  • [Upgrade] - Protects against rare "String lengths don't match" error during the xAPI documents migration.
  • [Upgrade] - improved statement equivalence check to avoid duplicate statement error during upgrade.

Improvements

  • [NET] - Add a new configuration setting "AdditionalAssembliesToLoad" that specifies a comma separated list of additional .NET assemblies that need to be loaded to support custom software configurations.

  • On relaunch of a SCORM 2004 course, attempt to recover from an inconsistent state caused by a bad exit (prevents loss of bookmarking and suspend data).
  • To avoid future tenant ID collisions, a DELETE call to /appManagement/tenants/{tenantName} does not delete the tenant record from the EngineTenant database table. Instead, the request renames the tenant using the prefix _!|DELETED!|_, which internally designates it as a deleted tenant.
  • When "PlayerScoLaunchType" is set to "NEW_WINDOW_AFTER_CLICK", the "Click Here to Launch Course" link is now accessible via tabbing.
  • Introduces experimental "X_S3MaxConcurrency" setting to cap the maximum number of concurrent connections during a transfer with Amazon S3.
  • [Java] - Updated AWS Java SDK from version 2.25.7 (released 3/11/2024) to version 2.31.37 (released 5/7/2025).

  • [Java] - Bumps Apache Commons FileUpload from version 1.5 to 1.6.0 to resolve CVE-2025-48976.

  • [Java] - Bumps the esapi dependency from 2.5.3.1 to 2.7.0.0 for CVE-2025-5878.

Dispatch Bug Fixes

  • [LTI] - More robust logging if line item creation fails.
  • [LTI] - Addresses a failure to correctly read form parameters during the launch of an LTI 1.1 course when .NET Engine is the tool provider.

Dispatch Improvements

  • [LTI] - Include a more detailed description of the cause of an error in the alert to the user when an LTI 1.1 tool consumer (platform) returns an error response to a basic outcomes request from the tool provider (external tool).

Engine and Engine Dispatch 24.5.81

Released 2025-06-23

Bug Fixes

  • Engine no longer errors when using UseStatementTimestampInRegistrationUpdates and a statement is missing a timestamp.
  • Fixes broken concurrent launch detection for SCORM courses when UseDeltaRecordResultsPayload is enabled.
  • [MS SQL Server] - Fixes "activity not found" error and "fatal error" popup when updating registrations at course runtime when UseGuidAsObjectId is set to 'true' and the database is MS SQL Server.
  • [Upgrade] - Handle upgrading version 0.9x TinCan content properly.

Improvements

  • Introduces experimental "X_S3MaxConcurrency" setting to cap the maximum number of concurrent connections during a transfer with Amazon S3.

Engine and Engine Dispatch 24.4.81

Released 2025-06-05

Improvements

  • Introduces experimental "X_S3MaxConcurrency" setting to cap the maximum number of concurrent connections during a transfer with Amazon S3.
  • [Java] - Updated AWS Java SDK from version 2.25.7 to version 2.31.37.

Bug Fixes

  • When forwarding xAPI statements through statement pipes, the "X-Experience-API-Version" header will be set to version 1.0.3 rather than the latest available version.
  • Resolves long-running request to GetCourseFileList when the files are stored on Amazon S3.
  • Courses with invalid IDs can now be deleted properly.
  • Fixes broken concurrent launch detection for SCORM courses when UseDeltaRecordResultsPayload is enabled.
  • Handle upgrading version 0.9x TinCan content properly
  • Engine no longer errors when using UseStatementTimestampInRegistrationUpdates and a statement is missing a timestamp.
  • [LTI] - Fixes "invalid tenant" error from a system-level content connector's JWKS endpoint when the "default" tenant is deactivated.
  • [.NET] Fixes initialization error when launching with PlayerLaunchType set to "NEW_WINDOW" while popups are blocked.
  • [.NET] - Resolves SQLServer connector and optional assembly loading during application initialization.
  • [.NET] - Fix handling of empty Query parameters in API calls.
  • [.NET] - Fixes error using a launch link containing launch-scoped settings.
  • [SqlServer] - Fixes "activity not found" error when querying registration progress for Engine databases installed with GUID as internal database IDs.
  • [SqlServer] - Fixes "activity not found" error and "fatal error" popup when updating registrations at course runtime when UseGuidAsObjectId is set to 'true' and the database is MS SQL Server.
  • [Upgrade] - Fixes issue with the migration of xAPI state documents that are updated while in the process of a phased upgrade.

Engine and Engine Dispatch 24.3.52

Released 2025-05-15

 

Improvements

  • Avoid excessive, verbose tracking of volume changes during media content runtime.
  • The V2 API's GetUserCount response now includes usage from deactivated tenants.
  • Media courses no longer track progress in cmi5 review mode.
  • [Java] - Bump commons-dbcp2 dependency from 2.9.0 to 2.13.0.
  • [Upgrade/Install] - Use more generic, MariaDB-friendly syntax when creating new xAPI tables.
  • [Upgrade/Install] - Support online indexing for PostgreSql.

Bug Fixes

  • Fixes incorrectly formatted Last-Modified header on /statements and /state LRS requests.
  • Properly encodes spaces and percent signs when generating SCORM-to-tincan interaction IDs.
  • Properly encodes spaces and percent signs when generating SCORM-to-tincan interaction IDs.
  • Fixes import error when importing cmi5 packages with more than 1000 AUs.
  • For legacy integration customers making V2 API requests, prevents an endpoint's query parameter string from being included in the PersistToStringUnencrypted and ParseFromDictionary methods' dictionary.
  • [.NET] - Removes bad Content-Encoding header values for PlayerConfiguration response.
  • [.NET] - Fixes missing param type "VARCHAR" error when operating against MySQL.
  • [.NET] - Launch-scoped settings will no longer be ignored
  • [Upgrade/Install] - Fixes duplicate schema prefix for some database operations against PostgreSQL.
  • [Upgrade/Install] - To avoid data loss during xAPI migration, batch records by update date and the table's primary key rather than just the table's primary key.
  • [Upgrade/Install] - Fixes inaccurate 'processing row' count logging during upgrade.

Dispatch Improvements

  • [LTI] - During OIDC initialization, Engine's "externalConfig" can be sent as a query parameter or as part of the request path.
  • [LTI] - Include a line item with content items in Engine's deep linking response when a platform includes the "accept_lineitem" property as "true" in its deep linking request message.
  • [LTI] - Introduces new "DispatchOverridePlatformAcceptLineItemMode" setting to override the default deep linking response behavior and include a line item even when the platform does not set "accept_lineitem".
  • [LTI] - Added support for multiple LTI tool deployments for a single destination. A single destination may be configured with a comma-separated list of multiple deploymentIds that will share the same destination configuration, including client_id and public key.
  • [LTI] - More secure LTI logging.
  • [LTI] - When Lti13PostMessageOIDCLoginEnabled is enabled, OpenID Connect Login will use LTI Client Side postMessages to complete LTI authorization between a platform and a tool.

Dispatch Bug Fixes

  • [.NET] - Fixes inability to dispatch content to the cmi5 standard.
  • [.NET] - Fixes "System.InvalidCastException" when using Engine as a deep linking tool.


Engine and Engine Dispatch 24.2.11

Released 2025-04-25

Bug Fixes

  • [.NET 8 only] - Fixes duplicated "Content-Type" header values in PlayerConfiguration responses.
  • [.NET only] - Fixes initialization error when launching with PlayerLaunchType set to "NEW_WINDOW" while popups are blocked.
  • Fixes dependency error when running of RusticiEngine under dotnet for non Engine+Dispatch distributions.

Engine and Engine Dispatch 24

Released 2025-03-07

This is the first release of Engine 24. Here's what's new:

LTI improvements

  • Deep linking from LTI 1.3 tools: Engine now allows importing content from LTI 1.3 tools into Engine.
  • Support LTI OIDC Login with LTI Client Side postMessages for both the Engine LTI 1.3 plugin (Engine as a platform) and for Engine Dispatch (Engine as a tool)
    • If Lti13PostMessageOIDCLoginEnabled is set, LTI Client Side postMessages will be used for LTI 1.3 OIDC Login when cookies aren't available
    • The new tenant setting LtiStorageTarget indicates the platform supports this launch flow and specifies the name of the target frame on the platform browser to which to send postMessages. This setting is _parent by default.
  • When creating an LTI 1.3 connector, the field toolJWKSUrl can be specified instead of the field toolPublicKey
  • Engine's API now provides the ability to create valid LTI 1.3 tokens with arbitrary claims, to make it easier to use any LTI feature Engine does not yet support by relying on Engine's configuration to be used when creating the message. 

Client-Side Player API

It is common for LMS UIs to show a green checkmark or “Next” button, or have some other visible indication when a learner completes a course. It’s also common to want to show a loading screen while a course is launching, or to trigger a clean exit of the player from a button in LMS’s UI. In Engine 24, our player can use postMessage to notify the parent frame or window when content is loaded, when the player exits, and (for SCORM content only) when the registration’s status changes. The LMS’s UI can also use postMessage to notify the player that it should exit, providing it with an opportunity to save the learner’s progress before unloading.

 

.NET 8

.NET Engine now uses .NET 8 instead of the old .NET Framework.

The .NET Framework that Engine used prior to 24.1 is still supported by Microsoft, but has been superseded by the newer .NET platform (formerly .NET Core), and third-party .NET Framework components are largely unmaintained. Many of our .NET Engine customers have already upgraded, but have had to retain support for .NET Framework in their environment specifically for Engine. This upgrade improves security and brings Engine more in line with their applications.

Note: this is a breaking change, Engine will no longer work with .NET Framework

 

Jakarta EE (Tomcat 10 and above)

Engine now uses Jakarta EE (Tomcat 10 or above) instead of Java EE

This is something we have to do in order to stay up to date with where the Java development community is heading. For most customers, the impact is they will now be able to (and need to) switch to a newer version of Tomcat.

Note: this is a breaking change, Engine will no longer run on a Java EE servlet container (such as Tomcat 9)

 

Known Issues (which we are working on)

  • [.NET Only] launch-scoped settings can be created but will be ignored, with no message indicating they are ignored
     
  • Upgrade will not work for installations that were first upgraded to Engine 23 on minor release 23.1 through 23.7

Note: There are a number of potentially breaking changes in Engine 24. If you are upgrading from an older Engine please check out this document for details on those.

Was this article helpful?

0 out of 0 found this helpful

Have more questions? Submit a request