Using Qlik-CLI to export an app without the '--exportScope all' parameter fails with the error:

Error: 400 - Bad Request - Qlik Sense

This is observed after an upgrade to Qlik Sense Enterprise on Windows November 2024 patch 10 or any later version. The error is intermittent and the export may succeed if executed several times.

Reviewing the output shows Status: 201 Created, followed by the error after retrieving the app from the temporary download path:

> qlik qrs app export create "dbb1841d-f3f6-4a49-b73f-0a24cc003b1b" --exportScope all --output-file "C:/temp/App3.qvf" --insecure --verbose
Insecure flag set, server certificate will not be verified
POST https://sense/jwt/qrs/app/dbb1841d-f3f6-4a49-b73f-0a24cc003b1b/export/e237e6c8-d367-45d3-9eff-9f191b3f1ef5?exportScope=all&xrfKey=4B21426C21AE6B85...
Status: 201 Created
{
"exportToken": "e237e6c8-d367-45d3-9eff-9f191b3f1ef5",
"appId": "dbb1841d-f3f6-4a49-b73f-0a24cc003b1b",
"downloadPath": "/tempcontent/f8deec7c-5ab4-4462-879b-38990febbd1b/Test.qvf?serverNodeId=ae6a7f27-1abd-439e-b4da-0a0b0f4a3e61",...
}
GET https://sense/jwt/tempcontent/f8deec7c-5ab4-4462-879b-38990febbd1b/Test.qvf?serverNodeId=ae6a7f27-1abd-439e-b4da-0a0b0f4a3e61&xrfKey=4B21426C21AE6B85...
Status: 400 Bad Request
400 - Bad Request - Qlik Sense
Error: 400 - Bad Request - Qlik Sense

Resolution

This is being investigated by Qlik as SUPPORT-3800.

Workaround

Delete the content of the cookie store ( ~/.qlik/.cookiestore) when the error occurs.

In Windows, this can be found in %USERPROFILE%\.qlik\.cookiestore

A batch job can be created to automate the deletion.

Cause

This is caused by an incorrect cookie handling by Qlik-CLI. While exporting the app, the responses include the Set-Cookie header, but qlik-cli fails to update the cookie store with the new cookie.

Environment

• Qlik Sense Enterprise on Windows

When passing parameters from postman to a talend services, tRestRequest component is receiving null response.

Resolution

Review the schema of the tRestRequest component to ensure the Comment field is appropriately assigned.  

In REST API Mapping section, by default, if you leave the Comment field empty, the parameter is considered as a Path parameter.

Cause

There are some parameters missing/misconfiguring in the Comment field of tRestRequest component and you need to define what type of parameter it is in the Comment field of the schema.

Below is a list of supported Comment values:

• empty or path corresponds to the default @PathParam,

• query corresponds to @QueryParam,

• form corresponds to @FormParam,

• header corresponds to @HeaderParam.

• matrix corresponds to @MatrixParam.

• multipart corresponds to the CXF specific @Multipart, representing the request body. It can be used only with POST and PUT HTTP methods.

Related Content 

https://help.qlik.com/talend/en-US/components/8.0/esb-rest/trestrequest

Environment

Talend Data Integration 

Question I

Which Apache Tomcat Versions are affected  by Apache Tomcat Vulnerability CVE-2025-24813 and the impact?

Apache Tomcat Vulnerability CVE-2025-24813 is Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet

Affected Apache Tomcat version

• From 11.0.0-M1 through 11.0.2
• From 10.1.0-M1 through 10.1.34
• From 9.0.0.M1 through 9.0.98

How Impact

The original implementation of partial PUT used a temporary file based on the user provided file name and path with the path separator replaced by ".".

If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:

• Writes enabled for the default servlet (disabled by default)
• Support for partial PUT (enabled by default)
• A target URL for security sensitive uploads that is a sub-directory of a target URL for public uploads>
• Attacker knowledge of the names of security sensitive files being uploaded>
• The security sensitive files also being uploaded via partial PUT

If all of the following were true, a malicious user was able to perform remote code execution:

• Writes enabled for the default servlet (disabled by default)
• Support for partial PUT (enabled by default)
• Application was using Tomcat's file based session persistence with the default storage location
• Application included a library that may be leveraged in a deserialization attack

Question II
On which Apache Tomcat versions this Vulnerability is fixed and currently Talend Supported Apache Tomcat versions?

Vulnerability is fixed with the following Apache Tomcat versions

• 9.0.99 or later
• 10.1.35 or later
• 11.0.3 or later (not used by the Talend Product )

Talend Supported Apache Tomcat Versions 

Regarding of Talend Help Documentation: compatible-web-application-servers

• Tomcat 10.1.40 requires Talend R2025-05 monthly patch or later.
• Tomcat 10.1.42 and 10.1.43 require Talend R2025-06 monthly patch or later.

Related Content

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24813

Apache Tomcat Vulnerabilities

• https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.99 
• https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.35
• https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.3 

Environment

Talend Administration Center 

When attempting to build a set of items (jobs, routes, services, etc) from a parent project with a reference project, Maven and the P2 may only see the items in the parent. Additionally, there may be errors of certain items (child jobs, routines, etc) missing during different stages of the build; such as (but not limited to the following):

org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal on project <project_name>: Could not resolve dependencies for project org.example.<project_name>.job:<job_name>:jar:0.1.0: The following artifacts could not be resolved: org.example.<reference_project>.joblet:<joblet_name>:pom:0.1.0 (absent)

Resolution

When the YAML or Pipeline scripts being used with the orchestrator, Talend CICD may need to be modified, so that the parent and reference projects are checked out and copied into one folder. This process may depend on the orchestrator used (such as Jenkins/Cloudbees, Azure DevOps, Gitlab Actions, etc); for specific information, please check with your DevOps team for specific commands and process.

In short, the process should look similar to the following:

1. Check out repository/branch where the reference project is located.
2. Check out repository/branch where the parent project is located.
3. Copy the reference project folder into a new folder, usually within the same working directory.
4. Copy the parent project folder into the same folder as the reference project.
5. Delete/Clean the original checked out folders from the working directory.

Cause

Most YAML or Pipeline scripts are setup to pull and checkout from one repository/branch; however, if a Reference Project is being used, it does require that repository/branch also be pulled down. If the reference project is not copied into the same folder as the parent project, Maven/Talend may only see the parent project checked out without reference project.

Environment

• Talend Data Integration 
• Talend Studio 

A user can enable failure notifications for automations in their profile settings. Reference: Notifications

However, if the user is not the owner of an automation hosted in a shared space, they will not receive the expected notification.

Only the automation owner will be alerted.

This behaviour is different than the one for application reloads, where tenant admins and people with permissions on a shared space can also be notified.

Resolution

This is a current limitation.

To provide Qlik with input on this limitation and suggest changes, head to Qlik's ideation portal, which our product teams actively monitor.

Environment

• Qlik Automate
• Qlik Cloud

A user can enable failure notifications for automations in their profile settings. Reference: Notifications

However, despite the automation failing several times, only the original notification of the first failure is delivered.

Resolution

This is as designed.

Since automations can be run every 30 seconds, we want to avoid spamming the user with notifications. We therefore have a 6-hour window after a failure during which the user will not receive another alert.

Another can be sent after six hours. 

Qlik plans to reduce the window from 6 hours to 1 hour. No estimated time for this change is known yet.

Environment

• Qlik Automate
• Qlik Cloud

Qlik is updating the Qlik Talend Nexus repository. The changes will be rolled out in a phased approach.

The expected impact of Phase One (deployed July 16th) is:

Qlik Talend Studio: 

• Versions 7.2 to 8.0: No impact
• Versions 6.0.0 to 7.1.1: JAR files may no longer automatically download from Nexus

Qlik Talend Administration Center

• No impact

Resolution

For already installed Qlik Talend Studio instances:

• Missing JARs will be installed from the local Nexus as long as they are available. 
• If the missing JAR is not available on the local Nexus, a download dialog will be shown, prompting the user to set up the JAR manually.

Newly installed Qlik Talend Studio instances: 

Multiple options exist:

• Retrieve all JARs needed from the local Nexus (if available and set up)
• Copy .m2 of another Qlik Talend Studio instance and re-use it
• Manually download the JAR. The download dialog of the JAR will show a "...", allowing for manual setup. 
  
  Sometimes, the Download button for the required JARs may not show. 
  
  In those instances, select the JAR from the Current operation requests the following third party modules dialog:
  
  
  
  Alternatively, open the Window (A) menu, click Show View (B) and Modules (C), and select the JARs from the Modules View (D).
  
  
  
  
  

Environment

• Qlik Talend Studio
• Qlik Talend Administration Center

This article will be updated with additional information as the second phase is announced (estimated time not yet available).

Question

After upgrading Talend Administration Center (TAC) to TPS-5612 (R2024-12) or later, why do the four MetaServlet commands createBranch, branchExist, createTag and deleteBranch not work as before and throw the error like below?

{"error":"Unknown command 'branchExist'","returnCode":2}

With the release of Talend Administration Center patch TPS-5612, project references and Git access have been removed from Talend Administration Center to improve the performance.

The following elements have been removed:

• Metaservlet commands: createBranch, branchExist, createTag and deleteBranch.
• Metaservlet parameters:
  • loadAllBranchAndTag for listProjects command
  • withReference for getProjectById and listProjects commands: Reference, repositoryState, references, or gitPassword do not exist anymore.
  • defaultBranch for createProject parameter
• Project References page
• Git connection check in Configuration and Project pages
• Branch management
• Reference checkbox and Check connection button in the project form
• Reference/warning column in the project grid
• Clone repository when saving/deleting projects
• Configuration properties: svn.itemListsCachesSize, svn.whiteListBranches.enable, git.project.connection.check.timeout and git.whiteListBranches.enable.
• Add Lock will not verify if the branch exists.

Related Content

This is documented in the change notes here: https://help.qlik.com/talend/en-US/release-notes/8.0/r2024-12-administration-center

Environment

• Talend Data Integration 
• Talend Administration Center 

In the Talend Management Console Cloud production environment (Remote Engine v2.13.x), task executions are repeatedly failing with the error:

"Connection reset by peer`at `org.talend.remote.jobserver.client.JobSenderClient.sendJob".

Resolution

Increase the value of "MAX_ARCHIVES_DIR_SIZE" in RE/etc/org.talend.remote.jobserver.server.cfg  to accommodate larger job archives and prevent further upload failures.

For example

Changing the following value from 100G to 300G, up to your requirement

org.talend.remote.jobserver.commons.config.JobServerConfiguration.MAX_ARCHIVES_DIR_SIZE=100G  The default is 100 G

org.talend.remote.jobserver.commons.config.JobServerConfiguration.MAX_ARCHIVES_DIR_SIZE=300G

Cause 

Based on interpretation of RE logs and data, the "Connection reset by peer "error originates from JobLimitException. Specifically, the "MAX_ARCHIVES_DIR_SIZE" limit defined in RE/etc/org.talend.remote.jobserver.server.cfg file has been reached, which causes the job upload request to be rejected on FILE_SERVER_PORT 8004.

The obvious JobLimitException error message looks like:

Caused by: org.talend.remote.jobserver.commons.utils.io.JobLimitException: Current upload of job archive will exceed the allowed size of archive directory of: '107374182400' (configured in org.talend.remote.jobserver.commons.config.JobServerConfiguration.MAX_ARCHIVES_DIR_SIZE) 

Since the error "Connection reset by peer "message is not directly indicative of this root cause, it is necessary to search for relevant keywords in RE/data/log to determine whether any of the following job size limits have been exceeded:

* `MAX_JOB_FILE_SIZE`
* `MAX_UNZIPPED_SIZE`
* `MAX_ZIPPED_ENTRIES`
* `MAX_ZIP_NAME_LENGTH`
* `MAX_UNZIPPED_FOLDER_NAME_LENGTH`
* `MAX_UNZIPPED_FILE_NAME_LENGTH`
* `MAX_ZIP_DEPTH`

Environment

• Talend Studio 
• Talend Cloud 

Talend Studio Can't retrieve any project from Cloud when connects to TMC, a warning appears stating that:

"Can't retrieve any project from Cloud, please ask for help from the administrator."

Cause

The user who is connecting to TMC has not been assigned any projects.

Resolution

Assign this user to projects within TMC. For a detailed process, please refer to this Assigning users to projects documentation.

Related Content 

Qlik Talend Cloud: Unable to connect Talend Studio to Talend Cloud with SSO enabled

Environment

• Talend Cloud 7.3.1, 8.0.1

Testing a connection to Salesforce using the Qlik Salesforce connector fails with the error:

INVALID_LOGIN:Invalid username, password, security token; or user locked out

Resolution

• Verify that the Username and Password used in the Qlik Salesforce connector configuration. This can be done by your Salesforce admin or by logging in to your Salesforce instance as an initial test.
• Verify that the security token is valid in Salesforce. You can also reset the security token by going to the Settings in your Salesforce profile and selecting Reset my Security Token. 

Cause

The Salesforce user login credentials (username, password, or security token) are incorrect.

Environment

• Qlik Salesforce Connector

When the list box is set to collapsed, its title size cannot be changed from the Styling tab. This is currently a product limitation. 

An improvement is on Qlik's roadmap: VIZ-241

Environment

• Qlik Sense Enterprise on Windows

Updating Custom Properties in the Qlik Sense Hub or changing the script in the Data Load Editor, loading data fails with the error:

The request could not be completed due to a conflict.

The app saves regardless of the error.

Resolution

Set AppStaticByteSizeUpdate.Enable to false.

By default, the setting AppStaticByteSizeUpdate.Enable in the repository.exe.config file is set to true. To change this:

1. Go to C:\Program Files\Qlik\Sense\Repository
2. Back up the repository.exe.config file or copy the entire Repository folder to a different location
3. Open repository.exe.config in a text editor
4. Set the value of the key AppStaticByteSizeUpdate.Enable from true to false
5. Save the file
6. Restart the Qlik Sense services

Internal Investigation ID(s)

SUPPORT-4002

Environment

• Qlik Sense Enterprise on Windows

Loading data from a QVD with a field containing NaN values will significantly affect the reload performance.

A testing scenario is attached in this article, using the Qlik Sense app app_nan.qvf and the QVD table_with_nan_value.qvd.

Scenario One

1. Download the qvf and qvd
2. Import the app app_nan.qvf  
3. Open the Data Reload Editor and update the created connection string 
4. Load the data; the reload will take approximately 50 seconds
   
   

Observation Two 

1. Open the Data Reload Editor
2. Comment line 3
3. Uncomment line 2
4. Reload the data; the reload will be almost instantaneous. Using the coalese() function increased the reload performance.
   
   

Resolution

This has been investigated as SUPPORT-1818 and has been concluded to work as designed. 

$numeric columns will be managed at the assembler level and not at the C++ level. That is correct and optimized since we expect numbers in that column.

When a NaN value appears, the assembler tries to decipher it, which takes time.

To work around this, transform the NaN values to Nulls on the data source side or before storing data in QVDs.

An example workaround can be found in How to change string to null() value (Qlik Community post).

Internal Investigation ID(s)

SUPPORT-1818

Environment

• Qlik Sense Enterprise on Windows

A Windows authentication pop-up is shown when uploading or deleting files, prompting the user to sign in. Both the Data Manager and Data Load Editor are affected.

This occurs if:

• A Virtual Proxy prefix is used
• SSO authentication is used
• You are running Qlik Sense on Windows November 2024 IR to Patch 6

Resolution

Upgrade to November 2024 Patch 7 or any higher releases. 

This is caused by QB-31249. The virtual proxy prefix was missing on requests related to /qrs/appcontent. As a result, a login dialog is displayed when uploading and deleting files. See Sense Enterprise on Windows release notes - November 2024 Initial Release to Patch 15 for details. 

Workaround:

Three workarounds are available if an upgrade is not immediately possible.

Remove the Virtual Proxy Prefix

1. Open the Qlik Sense Management Console
2. Go to the Virtual Proxy
3. Remove the Prefix
   
   
   

Add non-SSO users

See Authentication methods.

Use a different file upload method

There are other methods to upload files, such as using Folders or other connectors. See Loading files from local and network file folders for an example.

Fix Version:

Qlik Sense November 2024 Patch 7 or any higher releases. 

Cause

Product Defect ID: QB-31249

Environment

• Qlik Sense Enterprise on Windows

In Job Conductor, Job log file cleaner is no longer occuring and resulting in files piling up and filling-up filesystem when installing Talend V8 R2025-01, executionLogs and generatedJobs are not cleaned as expected 

Resolution

Apply TAC R2025-04 and later patch to solve this issue.

Cause

It is a known jira issue that File cleaner doesn`t work as expected due to regexp matcher to escape file

Internal Investigation ID(s) 

Jira Issue: QTAC-966

Environment

• Talend Administration Center 
• Talend Data Integration 

Talend Administration Center is facing LDAP login failure with the error log

ERROR LoginHandler - LDAP user authenticate fail:
org.apache.directory.ldap.client.api.exception.LdapConnectionTimeOutException: MSG_04177_CONNECTION_TIMEOUT (2000)



 

Resolution

For LDAP connection timeout, default: 2000 ms issue, please follow below steps to increase ldap.config.timeout value from configuration table in Talend Administration Center DB.

1. Tune the default 2000 ms timeout to 10000 ms
   

   UPDATE `tacdb`.`configuration` SET `value` = '10000' WHERE (`key` = 'ldap.config.timeout');  Unit: "ms"

2. Restart Talend Administration Center to take effect

Cause

Potential Causes

1. Network Unreachable / firewall, the LDAP server is not reachable from the client due to network issues or firewall rules blocking port 389 (LDAP) or 636 (LDAPS).
2. Server LDAP server not running or overloaded, the server is down, unresponsive, or too busy to respond within 2 seconds.
3. Timeout Setting Client timeout value is too low and the 2000 ms (2 seconds) timeout is insufficient for the current network latency.

Environment

• Talend Administration Center 

How To Grant Users The Access To Data Model Viewer.

With default security rules and settings, users can not see the data model for published apps. However, we can achieve this by creating/updating security rules through the Qlik Sense Management Console.

Resolution

Option 1: Create a new Security Rule

1. Go to the Qlik Sense Management Console
2. Open Security Rules
3. Click Create new 
4. Create the following rule:
   1. Name = DataModelViewers
   2. Description = A description of your choice.
   3. Resource filter = App_*
   4. Actions = "Read","Update"
   5. Conditions = Users of your choice or a previously defined role you will tag the users with.
   6. Context = Both in hub and QMC or Only in hub
      
5. Click Apply

Option 2: Tagging users as ContentAdmins

This requires a rework of the ContentAdmin rule and will provide far more permissions to users than Option 1. See ContentAdmin for details on what a ContentAdmin is allowed to do. 

1. Tag the users you want to be able to see data models with the ContentAdmin role. 
2. Go to the Security Rules 
3. Locate the default ContentAdmin rule and open it
4. Modify the rule by changing QMC only to Both in hub and QMC
5. Click Apply

To distribute Qlik Sense applications from on-premise to SaaS, you are trying to create a new deployment through the QMC section  "Cloud Distribution"

When clicking on the Deployment setup, you are intermittently receiving an error: 

You do not have the privilege to read content

When checking the Hybrid Deployment Service log located in %ProgramData%\Qlik\Sense\Log\HybridDeploymentService\Trace, you see errors when HDS tries to fetch a license from the repository. 

397 20220217T094322.646+01:00 INFO qlikserver1 37 domain\SVC_QS "Request starting HTTP/1.1 GET https://localhost:5927/v1/license " 36644
400 20220217T094322.653+01:00 DEBUG qlikserver1 37 domain\SVC_QS Refreshing the license cache 36644
401 20220217T094322.654+01:00 DEBUG qlikserver1 37 domain\SVC_QS Getting a license from repository 36644
402 20220217T094322.670+01:00 WARN qlikserver1 33 domain\SVC_QS Could not get a license, statusCode = "Forbidden", reason = '"Forbidden"' 36644
403 20220217T094322.672+01:00 ERROR qlikserver1 33 domain\SVC_QS Error when getting a license: "Response status code does not indicate success: 403 (Forbidden)." 36644

Environment

Qlik Sense Enterprise on Windows 

Resolution

Log in to the server with the account running Qlik Sense services.

Open Internet Explorer and check the proxy configuration in settings > Internet options > connections tab > LAN settings. 

Ensure the configuration is set correctly, according to your internal IT requirements. 

Cause

Wrong proxy configuration set in the service account Windows profile.

Internal Investigation ID(s)

QB-9173