CPQ Security Enhancements
As part of Salesforce’s mandatory Security Review requirements for all AppExchange packages, the CPQ packages now enforce stricter security controls. These changes ensure that managed packages comply with current Salesforce security standards and protect customer data from unauthorized access and vulnerabilities. The updates are not optional and are required for continued compliance, support, and future releases.
The security review focuses on user-level data access enforcement, prevention of injection vulnerabilities, removal of deprecated or unsupported libraries, and elimination of session identifiers being passed outside the Salesforce environment to third‑party systems.
Key Security Changes
Multiple security-focused changes are introduced across CPQ.
User-mode enforcement for DML operations: All database (DML) operations now execute in Salesforce's AccessLevel.USER_MODE. Operations that previously ran effectively in system mode now respect the logged-in user’s object‑level permissions (Create, Read, Update, Delete) and field‑level security (FLS). This prevents users from accessing or modifying records and fields they are not explicitly permitted to work with.
User-context queries for standard objects and fields: All queries are executed in user context rather than system context. Data that was previously visible only because of elevated/system access may no longer be returned. Dynamic SOQL that collects field lists from custom settings is now constrained by the user’s access; missing permissions can result in query errors or reduced result sets.
Hardened query handling to prevent SOQL/SOSL injection: Dynamic queries and user inputs are now validated more strictly. Unsafe or malformed inputs may be rejected. Custom components or integrations that rely on loosely validated parameters can be affected if they do not comply with secure query patterns.
Removal of deprecated YUI library: The legacy YUI (Yahoo User Interface) library is fully removed from the affected packages. Any customer customizations or extensions that still depend on YUI will no longer function and must be migrated to supported technologies.
Upgrade to jQuery 3.7: The runtime JavaScript stack is updated to use jQuery 3.7 (latest secure version used by CPQ). Deprecated jQuery APIs may no longer work as before. Custom scripts, UI components, and automations that depend on older jQuery behavior should be reviewed and updated to remain compatible.
- OrderClone.page
- PurchaseOrderItemCancel.page
- CustomerPOUndoCancel.page
- CustomerPOUndoAmend.page
- CustomerPOAmend.page
- ConstraintRuleClone.page
- OrderCancel.page
- OrderAmend.page
- CustomerPOCancel.page
- UndoOrderCancel.page
- CustomerPOClone.page
- UndoOrderAmend.page
JWT-based authentication instead of Session ID: For integrations with Smart Search and Turbo, CPQ now uses a JWT (JSON Web Token) based OAuth authentication flow instead of passing Salesforce session IDs outside the platform. Each request includes the username, a timestamp, and an HMAC-based authentication signature, which Smart Search and Turbo validate to ensure that requests are trusted and untampered. This change reduces the risk of session hijacking and aligns authentication with modern security practices. The JWT flow is handled entirely within the managed package and does not require customer configuration changes.
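The following added example (not code from the CPQ packages, Smart Search, or Turbo) sketches the kind of check a receiving service performs on a token that carries a username, a timestamp, and an HMAC signature. The HS256 algorithm, the `sub` and `iat` claim names, the shared key, and the 300-second freshness window are assumptions chosen for illustration.

```python
import base64, hashlib, hmac, json

MAX_SKEW = 300  # assumed freshness window in seconds

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def sign(username: str, key: bytes, now: int) -> str:
    """Sender side: compact HS256 token carrying username and issue time."""
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64e(json.dumps({"sub": username, "iat": now}).encode())
    signing_input = f"{header}.{claims}"
    return f"{signing_input}.{b64e(mac(key, signing_input))}"

def verify(token: str, key: bytes, now: int) -> str:
    """Receiver side: return the username, or raise ValueError."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64d(header_b64))
        sig = b64d(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm so a token cannot downgrade itself (e.g. to "none").
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    # Constant-time comparison; claims are parsed only after the MAC checks out.
    if not hmac.compare_digest(sig, mac(key, f"{header_b64}.{claims_b64}")):
        raise ValueError("bad signature")
    claims = json.loads(b64d(claims_b64))
    iat = claims.get("iat")
    if not isinstance(iat, int) or abs(now - iat) > MAX_SKEW:
        raise ValueError("stale or missing timestamp")
    return claims["sub"]

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample value
    token = sign("user@example.com", key, 1_700_000_000)
    print(verify(token, key, 1_700_000_060))
```

Unlike a forwarded session ID, a captured token of this shape is useful only inside the freshness window and cannot be altered without the shared key.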
Impacted Deployment Setups and Packages
The changes primarily affect setups that:
- Use restricted or incomplete permission sets for standard Salesforce objects and fields that participate in CPQ flows.
- Depend on custom UI components, scripts, or extensions that use YUI or jQuery versions earlier than 3.7.
Impacted packages include, but are not limited to:
- Configuration & Pricing
- CPQ Base Library
- Conga Quote Management
- Conga CPQ Setup
- Conga Quote Approvals
- Conga Deal Maximizer
- Conga Deal Manager
- Conga Deal Maximizer Setup
- Conga Quote Maximizer
- Conga Quote Echosign Integration
- Conga Quote Docusign Integration
- Conga Quote CLM Integration
- Conga Quote Configuration Integration
Responsibilities and Risk Considerations
To avoid runtime issues, customers must ensure that permission sets and profiles align with how CPQ is used in production. Business-critical flows should be validated across the different profile and permission combinations in use, and any customizations that rely on legacy JavaScript libraries must be modernized.
If no action is taken:
- Users may encounter DML and SOQL errors during CPQ flows due to insufficient object or field access.
- Custom UI components can break if they depend on YUI or pre‑3.7 jQuery behaviors.
A full end‑to‑end regression test cycle in a sandbox environment is strongly recommended before rolling out the June ’26 release changes to production.
