Release Date: March 25, 2026
{% include releases/new-release-downloads-docker-image.md release=include.release %}
- Added the `TEMPORARY` database privilege, which controls whether users can create temporary tables and views. On new databases, this privilege is granted to the `public` role by default, matching PostgreSQL behavior. #165992
- The `cockroach encode-uri` command has been merged into the `cockroach convert-url` command, and `encode-uri` has been deprecated. As a result, the flags `--inline`, `--database`, `--user`, `--password`, `--cluster`, `--certs-dir`, `--ca-cert`, `--cert`, and `--key` have been added to `convert-url`. #164561
- Statement diagnostics requests with `sampling_probability` and `expires_at` now collect up to 10 bundles (configurable via `sql.stmt_diagnostics.max_bundles_per_request`) instead of a single bundle. Set the cluster setting to `1` to restore single-bundle behavior. #166159
- The new cluster setting `security.client_cert.san_required.enabled` enables Subject Alternative Name (SAN) based authentication for client certificates. When enabled, CockroachDB validates client identities using SAN attributes (URIs, DNS names, or IP addresses) from X.509 certificates instead of, or in addition to, the certificate's Common Name field. Key capabilities include:
    - For privileged users (`root` and `node`): SAN identities are validated against values configured via the `--root-cert-san` and `--node-cert-san` startup flags, with automatic fallback to Distinguished Name validation when both methods are configured.
    - For database users: SAN identities are extracted from client certificates and mapped to database usernames using Host-Based Authentication (HBA) identity mapping rules, allowing a single certificate with multiple SAN entries to authenticate as different database users based on context.
    - Multiple identity attributes: A single certificate can contain multiple SAN entries (e.g., a URI for service identity, a DNS name for hostname, an IP address for network location), providing flexible authentication options.

    This authentication method works across both SQL client connections and internal RPC communication between cluster nodes, ensuring consistent identity verification throughout the system. Organizations using modern certificate management systems and service identity frameworks can now leverage their existing infrastructure for database authentication without requiring certificate reissuance or CN-based naming conventions. #162583
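To make the database-user mapping step above concrete, the following Go program is an added illustration written for this page; it is not CockroachDB's own code. It takes a constructed client certificate whose only usable identity is in its SANs (a SPIFFE URI, a DNS name, and an IP address, all invented here), extracts those SANs, and applies pg_ident.conf-style identity map rules (the layout CockroachDB's HBA identity map already uses). The assumption is that SAN values are matched by the same literal-or-`/regex` rule syntax, with `\1` standing for the regex's first capture group; the map names, patterns, and resulting usernames are all made up for the example.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
)

// IdentRule is one pg_ident.conf-style line: map name, system identity (a literal, or a regex when it starts with '/'), database user.
type IdentRule struct{ Map, System, DBUser string }

// ParseIdentMap reads "map system-identity db-user" lines; '#' starts a comment.
func ParseIdentMap(conf string) []IdentRule {
	var rules []IdentRule
	for _, line := range strings.Split(conf, "\n") {
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i]
		}
		if f := strings.Fields(line); len(f) == 3 {
			rules = append(rules, IdentRule{f[0], f[1], f[2]})
		}
	}
	return rules
}

// SANIdentities lists the certificate's URI, DNS and IP SANs as strings, the form this example assumes the map is matched against.
func SANIdentities(cert *x509.Certificate) []string {
	var ids []string
	for _, u := range cert.URIs {
		ids = append(ids, u.String())
	}
	ids = append(ids, cert.DNSNames...)
	for _, ip := range cert.IPAddresses {
		ids = append(ids, ip.String())
	}
	return ids
}

// matchRule returns the database user one rule yields for one identity;
// `\1` in the user column is replaced by the regex's first capture group.
func matchRule(r IdentRule, id string) (string, bool) {
	if !strings.HasPrefix(r.System, "/") {
		return r.DBUser, r.System == id
	}
	re, err := regexp.Compile(r.System[1:])
	if err != nil {
		return "", false // a malformed rule must never grant access
	}
	m := re.FindStringSubmatch(id)
	if m == nil {
		return "", false
	}
	if len(m) > 1 {
		return strings.ReplaceAll(r.DBUser, `\1`, m[1]), true
	}
	return r.DBUser, true
}

// MapIdentities applies one map's rules to every SAN identity and returns the
// database users the certificate could authenticate as, in SAN then rule order.
func MapIdentities(rules []IdentRule, mapName string, ids []string) []string {
	var users []string
	for _, id := range ids {
		for _, r := range rules {
			if u, ok := matchRule(r, id); ok && r.Map == mapName {
				users = append(users, u)
			}
		}
	}
	return users
}

// SampleClientCert is a constructed certificate (only the fields this example
// reads are populated) whose usable identity lives solely in its SANs.
func SampleClientCert() *x509.Certificate {
	uri, _ := url.Parse("spiffe://example.org/ns/prod/sa/billing")
	return &x509.Certificate{
		URIs:        []*url.URL{uri},
		DNSNames:    []string{"billing-01.svc.example.org"},
		IPAddresses: []net.IP{net.ParseIP("10.0.0.5")},
	}
}

const sampleMap = `# constructed rules: map  system-identity (SAN)  db-user
spiffe  /^spiffe://example\.org/ns/prod/sa/([a-z]+)$  \1
svchost /^([a-z]+)-[0-9]+\.svc\.example\.org$          \1_host
spiffe  10.0.0.5                                       netadmin
`

func main() {
	ids := SANIdentities(SampleClientCert())
	rules := ParseIdentMap(sampleMap)
	fmt.Println("SANs:", ids)
	fmt.Println("spiffe map ->", MapIdentities(rules, "spiffe", ids))
	fmt.Println("svchost map ->", MapIdentities(rules, "svchost", ids))
}
```

The same certificate yields `billing` and `netadmin` under the `spiffe` map but `billing_host` under the `svchost` map, which is the "different database users based on context" behavior the note describes: the map an HBA rule selects, not the certificate alone, decides the identity. A rule that fails to compile is treated as a non-match rather than a wildcard, which is the safe failure mode for any identity-mapping code.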
- Rewrite-inline-hints rules can now be scoped to a specific database, and will only apply to matching statements when the current database also matches. This database can be specified with an optional third argument to `information_schema.crdb_rewrite_inline_hints`. #165457
- Added support for the `aclitem` type and the `makeaclitem` and `acldefault` built-in functions for PostgreSQL compatibility. The existing `aclexplode` function, which previously always returned no rows, now correctly parses ACL strings and returns the individual privilege grants they contain. #165744
- Introduced a new built-in function, `information_schema.crdb_enable_statement_hints`, which can be used to enable or disable statement hints by hint ID or by statement fingerprint. #165457
- Added the `pg_get_triggerdef` built-in function, which returns the `CREATE TRIGGER` statement for a given trigger OID. This improves PostgreSQL compatibility for databases that contain triggers. #165849
- `SHOW ALL` now returns a third column, `description`, containing a human-readable description of each session variable. This matches the PostgreSQL behavior of `SHOW ALL`. #165397
- `SHOW STATEMENT HINTS` now includes `database` and `enabled` columns in its output. The `database` column indicates which database the hint applies to, and the `enabled` column indicates whether the hint is active. #165712
- The `tableoid` system column is now supported on virtual tables such as those in `pg_catalog` and `information_schema`. This improves compatibility with PostgreSQL tools like `pg_dump` that reference `tableoid` in their introspection queries. #165727
- Added a `workload_type` column to the `crdb_internal.node_active_session_history` and `crdb_internal.cluster_active_session_history` virtual tables, as well as the corresponding `information_schema` views. The column exposes the type of workload being sampled, with possible values `STATEMENT`, `JOB`, `SYSTEM`, or `UNKNOWN`. #165866
- Added the opt-in cluster setting `server.oidc_authentication.tls_insecure_skip_verify.enabled` to skip TLS certificate verification for OIDC provider connections. Because this disables the check that the provider's certificate chains to a trusted CA, a node with it enabled cannot detect an interposed endpoint between itself and the identity provider; treat it as a testing aid rather than a production configuration. #164514
- Red Hat certified CockroachDB container images are now published as multi-arch manifests supporting `linux/amd64`, `linux/arm64`, and `linux/s390x`. Previously only `linux/amd64` was published to the Red Hat registry. #165725
- When hash-based redaction is enabled in the logging configuration, usernames in authentication logs now produce deterministic hashes instead of being fully redacted. This lets support engineers correlate the same user across multiple log entries without revealing the actual values. #165804
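As an added example (not CockroachDB's implementation of the redaction change above), the following Go snippet shows the property that change relies on: a keyed, deterministic hash lets two entries for the same user be correlated while the name itself never appears in the output. The log lines are constructed for the example, and HMAC-SHA256 is an assumption about how such a redactor might be built. Whatever hash the real implementation uses, the practical caveat is the same: a hash of a short username with no secret key can be reversed by hashing a wordlist, so whatever keys the hash must not travel with the logs.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
)

// sampleAuthLog holds constructed authentication log lines with a user=<name>
// field; they are not real CockroachDB output.
var sampleAuthLog = []string{
	`I260325 10:00:01 auth: client=10.0.0.5 user=alice method=cert-password status=ok`,
	`I260325 10:00:07 auth: client=10.0.0.9 user=bob method=password status=failed`,
	`I260325 10:00:12 auth: client=10.0.0.5 user=alice method=cert-password status=failed`,
}

var userField = regexp.MustCompile(`user=(\S+)`)

// RedactUser replaces the username with a keyed, deterministic hash token.
// The same key across a log stream keeps the token stable for the same user;
// the key (kept out of the logs) stops the token from being reversed by
// hashing a wordlist of likely usernames.
func RedactUser(key []byte, line string) string {
	return userField.ReplaceAllStringFunc(line, func(m string) string {
		mac := hmac.New(sha256.New, key)
		mac.Write([]byte(m[len("user="):]))
		return "user=" + hex.EncodeToString(mac.Sum(nil))[:16]
	})
}

// RedactAll redacts every line with the same key so tokens stay comparable.
func RedactAll(key []byte, lines []string) []string {
	out := make([]string, len(lines))
	for i, l := range lines {
		out[i] = RedactUser(key, l)
	}
	return out
}

// UserToken extracts the user field (redacted or not) from a line for correlation.
func UserToken(line string) string {
	if m := userField.FindStringSubmatch(line); m != nil {
		return m[1]
	}
	return ""
}

func main() {
	key := []byte("per-deployment secret, not stored with the logs") // constructed
	for _, l := range RedactAll(key, sampleAuthLog) {
		fmt.Println(l)
	}
}
```

Running it prints the three lines with `alice` and `bob` replaced by 16-hex-character tokens; the first and third lines carry the same token, the second a different one, and a different key produces an unrelated set of tokens.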
- Added the `--exclude-log-severities` flag to `cockroach debug zip`, which filters log entries by severity server-side. For example, `--exclude-log-severities=INFO` excludes all `INFO`-level log entries from the collected log files, which can significantly reduce zip file size for large clusters. Valid severity names are `INFO`, `WARNING`, `ERROR`, and `FATAL`. The flag accepts a comma-delimited list or can be specified multiple times. #165802
- Added the `--format` option to `cockroach convert-url`, which allows users to specify the type of connection URL to output. Supported formats are `pq`, `dsn`, `jdbc`, and `crdb`. #164561
- Fixed a bug where temporary tables created in one session could fail to appear in `pg_catalog` queries from another session because the parent temporary schema could not be resolved by ID. #165395
- Fixed a bug in the legacy schema changer where rolling back a `CREATE TABLE` with inline `FOREIGN KEY` constraints could leave orphaned foreign key back-references on the referenced table, causing descriptor validation errors. #165551