Released 2026-07-07
Bug Fixes
- [Java] - Resolves error when creating subscriptions with filters. Applies to Engine instances running with "UseGuidAsObjectId" as "true".
Improvements
- Dispatch registrations can now be filtered from notifications by using an empty string filter (i.e., the following regex:
/^$/). - Configurable "time-to-first-byte" response timeout for package and asset imports.
- Bumped Jackson Databind version for medium/high CVE issues CVE-2026-54512, CVE-2026-54513, and CVE-2026-54514.
- [LTI 1.3; AGS] - Introduces setting "Lti13AGSAccessTokenScopesUseSpaceDelimiter". If 'true', the Engine Platform's OAuth2 'Access Token' endpoint (to grant Assignment and Grade Services access to the Tool) will respond with correctly-specced space-delimited scopes instead of comma-delimited scopes.
- [LTI 1.3] - Addition of registration-level launch setting "Lti13AdditionalIdTokenClaims" that allows Engine's LTI 1.3 platform-originating authentication ID token to be amended with additional/arbitrary LTI claims. Any claims may be added (spec-defined or otherwise) provided they do not overwrite any claims already set by the platform. Child keys may be added to existing object claims when not already present. Existing nested keys are never overwritten. Setting value may be configured at any level including per-launch via launch settings.
- [Upgrade] - xAPI statements migration takes advantage of multi-threading by default.