Confluence 10.0 release notes
5 August 2025
We're excited to present Confluence 10.0.
Highlights
- Spring and Jakarta upgrade
- Removal of deprecated components in AUI 10
- End of support for LESS
- Removal of Trusted apps
- End of support for the Original theme
- Global serialization filter
- App signing is now enabled by default for app installations
- Enhanced security with Content Security Policy
- Basic authentication disabled by default
- Monitoring and observability of the Synchrony process
- Add scopes to REST endpoints to use OAuth 2.0 2LO
- Control how many labels display in macros
- OpenSearch for Confluence Data Center
This Confluence release supports only Data Center licenses. If you have a Server license, check out your options for upgrading.
More
Read the upgrade notes for important info about this release and see the full list of issues resolved.
Thanks for your feedback
More than 306 votes satisfied!
Spring and Jakarta upgrade
For: ADMINS
To maintain high security standards and keep dependencies supported and up to date, we’re upgrading Spring to the 6.x line, Jakarta to EE Platform 10, and Apache Tomcat to 10.1, as well as other libraries that depend on Spring and Jakarta.
The Apache Tomcat upgrade also introduces changes under the Jakarta Servlet specification. If you rely on custom server settings or connectors, review the following before upgrading:
- Check custom server.xml configurations, especially any references to "javax.servlet" APIs. Tomcat 10.1 has migrated to the "jakarta.servlet" namespace.
- Verify that any connectors (HTTP, AJP, etc.) are still supported and properly configured in Tomcat 10.1.
- Confirm that any security or TLS/SSL settings are compatible with Tomcat 10.1’s default cryptographic protocols.
For detailed information on the changes introduced in Tomcat 10.1, consult the official Apache Tomcat documentation.
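The review checklist above can be run as a pre-upgrade script. This is an added example, not Atlassian's tooling: it parses a server.xml, reports every attribute that still names a "javax.servlet" API, and lists each connector with its TLS settings so they can be compared against the Tomcat 10.1 documentation. The sample file, the `wraps` attribute and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml; every value is made up, and the "wraps"
# attribute is hypothetical (it only stands in for a custom javax reference).
SAMPLE_SERVER_XML = """<Server port="8000" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector port="8090" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" sslEnabledProtocols="TLSv1,TLSv1.2"/>
    <Connector port="8009" protocol="AJP/1.3"/>
    <Engine name="Standalone" defaultHost="localhost">
      <Valve className="com.example.LegacyValve" wraps="javax.servlet.Filter"/>
    </Engine>
  </Service>
</Server>"""

# Attributes that carry TLS/SSL settings on <Connector> or <SSLHostConfig>.
TLS_ATTRS = ("SSLEnabled", "sslProtocol", "sslEnabledProtocols", "protocols", "ciphers")


def find_javax_references(root):
    """Return (tag, attribute, value) for each attribute naming a javax.servlet API."""
    return [(elem.tag, attr, value)
            for elem in root.iter()
            for attr, value in elem.attrib.items()
            if "javax.servlet" in value]


def list_connectors(root):
    """Return one dict per <Connector> with the settings to re-check for Tomcat 10.1."""
    connectors = []
    for conn in root.iter("Connector"):
        # TLS settings can sit on the Connector or on nested SSLHostConfig elements.
        tls = {}
        for elem in [conn, *conn.iter("SSLHostConfig")]:
            tls.update({a: elem.get(a) for a in TLS_ATTRS if elem.get(a) is not None})
        connectors.append({"port": conn.get("port"),
                           "protocol": conn.get("protocol"),
                           "tls": tls})
    return connectors


def audit(xml_text):
    """Parse server.xml text and collect everything the checklist asks to review."""
    root = ET.fromstring(xml_text)
    return {"javax": find_javax_references(root), "connectors": list_connectors(root)}


if __name__ == "__main__":
    report = audit(SAMPLE_SERVER_XML)
    for tag, attr, value in report["javax"]:
        print(f"javax.servlet reference: <{tag} {attr}={value!r}>")
    for c in report["connectors"]:
        print(f"connector port={c['port']} protocol={c['protocol']} tls={c['tls']}")
```

The script only surfaces settings for review; whether a given protocol or cipher value is still accepted has to be checked against the Tomcat 10.1 documentation.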
Removal of deprecated components in AUI 10
For: ADMINS
We’re removing some outdated AUI 10 components with design and accessibility issues (Dropdown 1 and Toolbar 1) and updating internal dependencies to better support jQuery 3 and proactively address security issues.
End of support for LESS
For: ADMINS
To enhance security and performance, we’re removing the ability to transform LESS to CSS at runtime and requiring it to be transpiled into CSS at compile time.
Removal of Trusted apps
For: ADMINS
Trusted apps won't be available starting from Confluence 10.0. We’re removing Trusted apps to reduce the number of insecure entry points into the products. We’ve replaced this way of exchanging information between Atlassian products with more secure solutions that follow industry best practices, like the OAuth 2.0 protocol.
End of support for the Original theme
For: ADMINS
With the new light and dark themes that brought accessibility and usability improvements, we’re removing the original theme from all products.
Global serialization filter
For: ADMINS
We’re implementing a global serialization filter that relies on a central blocklist for Java deserialization, Velocity, Struts, and XStream. This filter is designed to block specific classes and patterns that are recognized as vulnerable to Remote Code Execution (RCE) through publicly known gadget chains.
We’ve implemented several important changes regarding the use of XStream:
- XStream now includes a predefined blocklist of known vulnerable classes that are prohibited from being serialized or deserialized.
- If there is a need to serialize or deserialize custom class types, apps must define these types in their module descriptor. For example:
<xstream-security key="xstream-allowlist" name="XStream allow-list set">
    <type>java.util.Map</type>
</xstream-security>
- The option to allow types through regular expressions has been removed.
App signing is now enabled by default for app installations
For: ADMINS
In this release, app signing is enabled by default. This feature improves app security and was gradually rolled out across Data Center products. For details, check out this community post.
App signing affects only new app installations; already installed apps will remain intact.
The steps you need to take differ depending on whether you install applications from the Marketplace or build your custom applications.
Install apps from the Marketplace
To do so:
- Configure the location of the truststore folder as described in Configuring UPM app signature check.
- Download and install the Atlassian Certificates bundle. For details, see Updating Atlassian Certificate Bundles.
- That’s it! Enjoy safe app installations from the Marketplace.
Install custom apps
If you use custom application builds, you can sign and secure your apps:
- Configure the location of the truststore folder as described in Configuring UPM app signature check.
- Get the app signature and verification certificate as described in Generating app signature and verification certificate using OpenSSL.
- Put your new certificate in your trust store as described in Updating Atlassian Certificate Bundles.
- Install the signed application.
You can also install the app via the file system without using the app signing feature.
If you’re experiencing issues, check out App signing troubleshooting.
Enhanced security with Content Security Policy
For: ADMINS
We're implementing Content Security Policy (CSP) in Confluence 10.0. This new feature enhances security by instructing your web browser on what content is allowed to run on the page, significantly reducing the risk of cross-site scripting (XSS) and other code injection attacks. By controlling which resources a document can load, CSP helps protect against data exfiltration and improves the overall stability and reliability of Confluence.
In Confluence 10.0, the script-src CSP header is enabled in a report-only mode. This means that while the system logs any violations, it won't block resources, allowing us to monitor potential security issues without affecting your experience. Full enforcement of CSP will be introduced in Confluence 11.
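Report-only mode is the window for finding out which scripts would stop loading once enforcement arrives. The following added example (not Confluence code) counts script-src violations per blocked source. It assumes the violation reports have been collected as standard `csp-report` JSON documents, one per line, which this page does not specify; the sample reports and function names are constructed.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample reports, one JSON document per line (not real Confluence output).
SAMPLE_REPORTS = [
    '{"csp-report": {"effective-directive": "script-src-elem", "disposition": "report",'
    ' "blocked-uri": "https://cdn.example.test/widget.js"}}',
    '{"csp-report": {"effective-directive": "script-src-elem", "disposition": "report",'
    ' "blocked-uri": "https://cdn.example.test/other.js"}}',
    '{"csp-report": {"effective-directive": "script-src-elem", "blocked-uri": "inline"}}',
    '{"csp-report": {"violated-directive": "script-src \'self\'", "blocked-uri": "eval"}}',
    '{"csp-report": {"effective-directive": "img-src",'
    ' "blocked-uri": "https://img.example.test/a.png"}}',
    'truncated {',
]


def blocked_source(blocked_uri):
    """Reduce a blocked-uri to its origin; keywords such as 'inline' or 'eval' pass through."""
    parts = urlsplit(blocked_uri)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return blocked_uri or "(empty)"


def summarize(report_lines):
    """Return (Counter of script-src violations per blocked source, unparsable line count)."""
    counts, skipped = Counter(), 0
    for line in report_lines:
        try:
            report = json.loads(line)["csp-report"]
        except (ValueError, KeyError, TypeError):
            skipped += 1
            continue
        if not isinstance(report, dict):
            skipped += 1
            continue
        # Older browsers send only violated-directive, which holds the whole directive text.
        directive = str(report.get("effective-directive")
                        or report.get("violated-directive") or "")
        if not directive.startswith("script-src"):
            continue
        # Keep report-only hits; a missing disposition is treated as report-only here.
        if report.get("disposition", "report") != "report":
            continue
        counts[blocked_source(str(report.get("blocked-uri") or ""))] += 1
    return counts, skipped


if __name__ == "__main__":
    totals, bad = summarize(SAMPLE_REPORTS)
    for source, n in totals.most_common():
        print(f"{n:4d}  {source}")
    print(f"unparsable lines: {bad}")
```

Each source in the output is either something to allow explicitly or something to remove before the policy is enforced.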
Basic authentication disabled by default
For: ADMINS
We’re disabling basic authentication by default. This is a first step towards the removal of basic authentication altogether as we develop and mature alternatives to support the remaining few use cases. This change impacts only fresh installs (new customers); existing or upgraded Confluence setups won’t be affected.
Monitoring and observability of the Synchrony process
For: ADMINS
We're pleased to announce the launch of enhanced monitoring capabilities for the Synchrony component in Confluence. With this update, you can now monitor Synchrony processes more effectively, ensuring system reliability and quick problem resolution. This update will allow you to export core Java Virtual Machine (JVM) and Synchrony-specific metrics via JMX or statsD, facilitating better integration with your existing monitoring systems.
Core JVM metrics include various performance indicators such as garbage collection, memory usage, and CPU utilization. These metrics provide insights into the overall health and performance of the JVM environment.
Synchrony-specific metrics focus on the performance of the Synchrony process itself. They include message processing times, user activity, and error counts, helping you monitor and optimize the collaborative editing experience.
For details on metrics, refer to Monitor and observe the Synchrony process.
To configure monitoring, use system properties or environment variables. If Synchrony is managed by Confluence, add these properties to the synchrony-args.properties file. For detailed configuration instructions, refer to Configuring Synchrony.
Add scopes to REST endpoints to use OAuth 2.0 2LO
For: ADMINS
We’ve introduced @ScopesAllowed to improve security and control over REST endpoints.
Add the @ScopesAllowed annotation to your endpoints to make them accessible using an OAuth 2.0 Client Credentials token (2LO).
For example, this annotation requires that the access token has the WRITE scope before providing access to this endpoint.
@POST
@ScopesAllowed(requiredScope = "WRITE")
public void createEntity(...) {}
Supported scopes are documented here:
- Confluence: OAuth 2.0 scopes for incoming links
- Jira: OAuth 2.0 scopes for incoming links
- Bitbucket: OAuth 2.0 scopes for incoming links
- Bamboo: OAuth 2.0 scopes for incoming links
- Crowd: Configuring an incoming link
Control how many labels display in macros
For: ADMINS, END USERS
You can set the number of labels shown in the Label List, Recently Used Labels, and Popular Labels macros using the Number of Labels to Display field.
When searching for labels to display in a macro, Confluence processes up to 1,000,000 labels by default. Admins can change this limit by adding a system property to the configuration file. Raising the limit helps if your site has many labels and searches aren’t returning all results, but it may slow down performance.
For detailed instructions and applicable macros, check Display Pages with Label Macros.
OpenSearch for Confluence Data Center
As your Confluence site grows, you need a search that keeps up with your team’s pace. That’s why Confluence Data Center now offers OpenSearch as an opt-in alternative to the default Lucene search platform. We recommend switching to OpenSearch because it offers performance, scalability, and reliability improvements over Lucene.
We’re sharing a guide that explains the benefits of using OpenSearch as an alternative to the default Lucene search platform in Confluence Data Center. It includes:
- Key differences between OpenSearch and Lucene
- Benchmark results that show OpenSearch delivers faster search and better scalability
- Guidance on when and why to switch, with further configuration steps
Explore the full documentation for more details and performance test results.
Resolved issues
For full details of bugs fixed and suggestions resolved, head to our public issues tracker on Jira.
Issues resolved in 10.0.3
Released on 03 September 2025
Issues resolved in 10.0.2
Released on 07 August 2025
Issues resolved in 10.0.1
Released on 05 August 2025
Get ready to upgrade
Before you upgrade, check out the Confluence 10.0 upgrade notes for important changes in this release, then follow the usual upgrade instructions to upgrade your site.
Been a while since your last upgrade? Check out our upgrade matrix for a bird's-eye view of the most important changes since Confluence 9.2 LTS.
Don't forget to renew your software maintenance.
The minimum supported version for this release is 7.12 LTS. If you’re upgrading from a lower version, first perform an interim upgrade to 7.19 LTS or higher, and then upgrade to 10.0. For details, refer to Upgrading Confluence.
Credits
Our wonderful customers...
You play an important role in making Confluence better. Thanks to everyone who participated in interviews with us, made suggestions, voted, and reported bugs!
