From e6fe4fcd6ad5dcc736debc31dcffd9ccbc866ad9 Mon Sep 17 00:00:00 2001
From: Automated Release Bot <releasebot@cockroachlabs.com>
Date: Thu, 19 Mar 2026 11:54:18 +0000
Subject: [PATCH 01/13] Update release notes for v26.2-v26.2.0-beta.1

---
 src/current/_data/versions.csv | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/current/_data/versions.csv b/src/current/_data/versions.csv
index a8d4c57f513..909a220ade8 100644
--- a/src/current/_data/versions.csv
+++ b/src/current/_data/versions.csv
@@ -21,4 +21,4 @@ v25.2,2025-05-09,2026-05-12,2026-11-12,25.2.9,25.2.10,2025-12-17,2026-12-17,2027
 v25.3,2025-08-04,2026-02-04,N/A,N/A,N/A,N/A,N/A,N/A,v25.2,release-25.3,2029-08-04
 v25.4,2025-11-03,2026-11-03,2027-05-03,N/A,N/A,N/A,N/A,N/A,v25.3,release-25.4,2029-11-03
 v26.1,2026-02-02,2026-08-02,N/A,N/A,N/A,N/A,N/A,N/A,v25.4,release-26.1,2030-02-02
-v26.2,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,v26.1,master,N/A
+v26.2,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,v26.1,release-26.2,N/A

From 79e9207c20f15c140b457f80f222e1dc619fd29f Mon Sep 17 00:00:00 2001
From: Automated Release Bot <releasebot@cockroachlabs.com>
Date: Thu, 19 Mar 2026 11:54:19 +0000
Subject: [PATCH 02/13] Update release notes for v26.2-v26.2.0-beta.1

---
 src/current/_data/releases.yml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/src/current/_data/releases.yml b/src/current/_data/releases.yml
index 1121b448f1b..b8ba5e108cd 100644
--- a/src/current/_data/releases.yml
+++ b/src/current/_data/releases.yml
@@ -10921,3 +10921,31 @@
     docker_arm_limited_access: false
   source: true
   previous_release: v26.2.0-alpha.1
+
+
+- release_name: v26.2.0-beta.1
+  major_version: v26.2
+  release_date: '2026-03-25'
+  release_type: Testing
+  go_version: go1.25.5
+  sha: cc34a3eefe9f9548beaa55ced23d3503332bac20
+  has_sql_only: true
+  has_sha256sum: true
+  mac:
+    mac_arm: true
+    mac_arm_experimental: true
+    mac_arm_limited_access: false
+  windows: true
+  linux:
+    linux_arm: true
+    linux_arm_experimental: false
+    linux_arm_limited_access: false
+    linux_intel_fips: true
+    linux_arm_fips: false
+  docker:
+    docker_image: cockroachdb/cockroach-unstable
+    docker_arm: true
+    docker_arm_experimental: false
+    docker_arm_limited_access: false
+  source: true
+  previous_release: v26.2.0-alpha.2

From b2fd0294a4d51634fa8cfb2536546a3ccd06a15b Mon Sep 17 00:00:00 2001
From: Automated Release Bot <releasebot@cockroachlabs.com>
Date: Thu, 19 Mar 2026 11:54:20 +0000
Subject: [PATCH 03/13] Update release notes for v26.2-v26.2.0-beta.1

---
 .../releases/v26.2/v26.2.0-beta.1.md          | 139 ++++++++++++++++++
 1 file changed, 139 insertions(+)
 create mode 100644 src/current/_includes/releases/v26.2/v26.2.0-beta.1.md

diff --git a/src/current/_includes/releases/v26.2/v26.2.0-beta.1.md b/src/current/_includes/releases/v26.2/v26.2.0-beta.1.md
new file mode 100644
index 00000000000..1cabd728002
--- /dev/null
+++ b/src/current/_includes/releases/v26.2/v26.2.0-beta.1.md
@@ -0,0 +1,139 @@
+## v26.2.0-beta.1
+
+Release Date: March 25, 2026
+
+{% include releases/new-release-downloads-docker-image.md release=include.release %}
+
+<h3 id="v26-2-0-beta-1-security-updates">Security updates</h3>
+
+- The new cluster setting
+  `security.client_cert.san_required.enabled` enables Subject
+  Alternative Name (SAN) based authentication for client
+  certificates. When enabled, CockroachDB validates client
+  identities using SAN attributes (URIs, DNS names, or
+  IP addresses) from X.509 certificates instead of or in
+  addition to the certificate's Common Name field.
+  
+  Key capabilities include:
+  
+  - For privileged users (root and node): SAN identities
+  are validated against values configured via the
+  --root-cert-san and --node-cert-san startup flags,
+  with automatic fallback to Distinguished Name
+  validation when both methods are configured.
+  
+  - For database users: SAN identities are extracted from
+  client certificates and mapped to database usernames
+  using Host-Based Authentication (HBA) identity mapping
+  rules, allowing a single certificate with multiple SAN
+  entries to authenticate as different database users
+  based on context.
+  
+  - Multiple identity attributes: A single certificate can
+  contain multiple SAN entries (e.g., URI for service
+  identity, DNS for hostname, IP for network location),
+  providing flexible authentication options.
+  
+  This authentication method works across both SQL client
+  connections and internal RPC communication between
+  cluster nodes, ensuring consistent identity verification
+  throughout the system. Organizations using modern
+  certificate management systems and service identity
+  frameworks can now leverage their existing infrastructure
+  for database authentication without requiring certificate
+  reissuance or CN-based naming conventions. [#162583][#162583]
+
+<h3 id="v26-2-0-beta-1-sql-language-changes">SQL language changes</h3>
+
+- `SHOW ALL` now returns a third column, `description`, containing a human-readable description of each session variable. This matches the PostgreSQL behavior of `SHOW ALL`. [#165397][#165397]
+- This change introduces a new builtin
+  `information_schema.crdb_enable_statement_hints` which can be used to
+  enable or disable statement hints by hint ID or by statement
+  fingerprint.
+  
+  Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com> [#165457][#165457]
+- Rewrite-inline-hints rules can now be scoped
+  to a specific database, and will only apply to matching statements when
+  the current database also matches. This database can be specified with
+  an optional third argument to
+  `information_schema.crdb_rewrite_inline_hints`.
+  
+  Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com> [#165457][#165457]
+- SHOW STATEMENT HINTS now includes
+  `database` and `enabled` columns in its output.
+  
+  Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com> [#165712][#165712]
+- The `tableoid` system column is now supported on virtual tables such as those in `pg_catalog` and `information_schema`. This improves compatibility with PostgreSQL tools like `pg_dump` that reference `tableoid` in their introspection queries. [#165727][#165727]
+- Added support for the `aclitem` type and the
+  `makeaclitem` and `acldefault` built-in functions for PostgreSQL
+  compatibility. The existing `aclexplode` function, which previously
+  always returned no rows, now correctly parses ACL strings and returns
+  the individual privilege grants they contain.
+  
+  Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com> [#165744][#165744]
+- Added the `pg_get_triggerdef` builtin function, which returns the `CREATE TRIGGER` statement for a given trigger OID. This improves PostgreSQL compatibility for databases that contain triggers. [#165849][#165849]
+- Added a `workload_type` column to the
+  `crdb_internal.node_active_session_history` and
+  `crdb_internal.cluster_active_session_history` virtual tables, as
+  well as the corresponding `information_schema` views. The column
+  exposes the type of workload being sampled, with possible values
+  "STATEMENT", "JOB", "SYSTEM", or "UNKNOWN".
+  
+  Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com> [#165866][#165866]
+- Added the `TEMPORARY` database privilege, which controls whether users can create temporary tables and views. On new databases, this privilege is granted to the `public` role by default, matching PostgreSQL behavior. [#165992][#165992]
+
+<h3 id="v26-2-0-beta-1-operational-changes">Operational changes</h3>
+
+- add an opt-in OIDC setting to skip TLS
+  certificate verification for provider connections.
+  
+  Epic: None [#164514][#164514]
+- Red Hat certified CockroachDB container images are
+  now published as multi-arch manifests supporting linux/amd64, linux/arm64, and
+  linux/s390x. Previously only linux/amd64 was published to the Red Hat registry. [#165725][#165725]
+- When hash-based redaction is enabled in the logging configuration, usernames in authentication logs now produce deterministic hashes instead of being fully redacted. This lets support engineers correlate the same user across multiple log entries without revealing the actual values. [#165804][#165804]
+
+<h3 id="v26-2-0-beta-1-command-line-changes">Command-line changes</h3>
+
+- The `cockroach encode-uri` command has been merged
+  into the `cockroach convert-url` command and `encode-uri` has been
+  deprecated. The PCR/LDR docs referencing `encode-uri` should be updated
+  to use `convert-url` instead. As part of this port, additional flags
+  `--inline`, `--database`, `--user`, `--password`, `--cluster`,
+  `--certs-dir`, `--ca-cert`, `--cert`, and `--key` have been added to
+  `convert-url`. [#164561][#164561]
+- Added `--exclude-log-severities` flag to
+  `cockroach debug zip` that filters log entries by severity server-side.
+  For example, `--exclude-log-severities=INFO` excludes all INFO-level log
+  entries from the collected log files, which can significantly reduce
+  zip file size for large clusters. Valid severity names are INFO,
+  WARNING, ERROR, and FATAL. The flag accepts a comma-delimited list or
+  can be specified multiple times. [#165802][#165802]
+
+<h3 id="v26-2-0-beta-1-bug-fixes">Bug fixes</h3>
+
+- Fixed a bug where temporary tables created in one session could fail to appear in `pg_catalog` queries from another session because the parent temporary schema could not be resolved by ID. [#165395][#165395]
+- Fixed a bug in the legacy schema changer where rolling back a `CREATE TABLE` with inline `FOREIGN KEY` constraints could leave orphaned foreign key back-references on the referenced table, causing descriptor validation errors. [#165551][#165551]
+
+<h3 id="v26-2-0-beta-1-miscellaneous">Miscellaneous</h3>
+
+- Adds the `--format` option to `convert-url`, which allows
+  users to specify the specific type of URL that should be outputted. [#164561][#164561]
+
+
+[#165457]: https://github.com/cockroachdb/cockroach/pull/165457
+[#165992]: https://github.com/cockroachdb/cockroach/pull/165992
+[#165744]: https://github.com/cockroachdb/cockroach/pull/165744
+[#165395]: https://github.com/cockroachdb/cockroach/pull/165395
+[#165551]: https://github.com/cockroachdb/cockroach/pull/165551
+[#162583]: https://github.com/cockroachdb/cockroach/pull/162583
+[#165397]: https://github.com/cockroachdb/cockroach/pull/165397
+[#165712]: https://github.com/cockroachdb/cockroach/pull/165712
+[#165802]: https://github.com/cockroachdb/cockroach/pull/165802
+[#165725]: https://github.com/cockroachdb/cockroach/pull/165725
+[#165804]: https://github.com/cockroachdb/cockroach/pull/165804
+[#164561]: https://github.com/cockroachdb/cockroach/pull/164561
+[#165727]: https://github.com/cockroachdb/cockroach/pull/165727
+[#165849]: https://github.com/cockroachdb/cockroach/pull/165849
+[#165866]: https://github.com/cockroachdb/cockroach/pull/165866
+[#164514]: https://github.com/cockroachdb/cockroach/pull/164514

From 10794ed7400c4dda97addcdd4eb8a1d374acea0d Mon Sep 17 00:00:00 2001
From: Automated Release Bot <releasebot@cockroachlabs.com>
Date: Thu, 19 Mar 2026 17:23:13 +0000
Subject: [PATCH 04/13] Update release notes for v26.2-v26.2.0-beta.1


From 76504990d66eb2502a63e03554b3d130f67fe453 Mon Sep 17 00:00:00 2001
From: Automated Release Bot <releasebot@cockroachlabs.com>
Date: Thu, 19 Mar 2026 17:23:13 +0000
Subject: [PATCH 05/13] Update release notes for v26.2-v26.2.0-beta.1

---
 src/current/_data/releases.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/current/_data/releases.yml b/src/current/_data/releases.yml
index b8ba5e108cd..1fd3ffed9f3 100644
--- a/src/current/_data/releases.yml
+++ b/src/current/_data/releases.yml
@@ -10928,7 +10928,7 @@
   release_date: '2026-03-25'
   release_type: Testing
   go_version: go1.25.5
-  sha: cc34a3eefe9f9548beaa55ced23d3503332bac20
+  sha: c9ce4f5fbaa7911e97a19d74486dd2f5fc839865
   has_sql_only: true
   has_sha256sum: true
   mac:

From 03fb7db4aaf10689c1ae05ab3ed69886f87e550a Mon Sep 17 00:00:00 2001
From: Automated Release Bot <releasebot@cockroachlabs.com>
Date: Thu, 19 Mar 2026 17:23:14 +0000
Subject: [PATCH 06/13] Update release notes for v26.2-v26.2.0-beta.1

---
 .../releases/v26.2/v26.2.0-beta.1.md          | 30 ++++++++++++-------
 1 file changed, 19 insertions(+), 11 deletions(-)

diff --git a/src/current/_includes/releases/v26.2/v26.2.0-beta.1.md b/src/current/_includes/releases/v26.2/v26.2.0-beta.1.md
index 1cabd728002..a1f0c02a027 100644
--- a/src/current/_includes/releases/v26.2/v26.2.0-beta.1.md
+++ b/src/current/_includes/releases/v26.2/v26.2.0-beta.1.md
@@ -92,6 +92,13 @@ Release Date: March 25, 2026
   now published as multi-arch manifests supporting linux/amd64, linux/arm64, and
   linux/s390x. Previously only linux/amd64 was published to the Red Hat registry. [#165725][#165725]
 - When hash-based redaction is enabled in the logging configuration, usernames in authentication logs now produce deterministic hashes instead of being fully redacted. This lets support engineers correlate the same user across multiple log entries without revealing the actual values. [#165804][#165804]
+- Statement diagnostics requests with
+  sampling_probability and expires_at now collect up to 10 bundles
+  (configurable via sql.stmt_diagnostics.max_bundles_per_request) instead
+  of a single bundle. Set the cluster setting to 1 to restore single-bundle
+  behavior.
+  
+  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> [#166159][#166159]
 
 <h3 id="v26-2-0-beta-1-command-line-changes">Command-line changes</h3>
 
@@ -121,19 +128,20 @@ Release Date: March 25, 2026
   users to specify the specific type of URL that should be outputted. [#164561][#164561]
 
 
-[#165457]: https://github.com/cockroachdb/cockroach/pull/165457
-[#165992]: https://github.com/cockroachdb/cockroach/pull/165992
-[#165744]: https://github.com/cockroachdb/cockroach/pull/165744
-[#165395]: https://github.com/cockroachdb/cockroach/pull/165395
-[#165551]: https://github.com/cockroachdb/cockroach/pull/165551
+[#164561]: https://github.com/cockroachdb/cockroach/pull/164561
+[#165727]: https://github.com/cockroachdb/cockroach/pull/165727
+[#165866]: https://github.com/cockroachdb/cockroach/pull/165866
+[#164514]: https://github.com/cockroachdb/cockroach/pull/164514
+[#165804]: https://github.com/cockroachdb/cockroach/pull/165804
+[#165802]: https://github.com/cockroachdb/cockroach/pull/165802
 [#162583]: https://github.com/cockroachdb/cockroach/pull/162583
 [#165397]: https://github.com/cockroachdb/cockroach/pull/165397
 [#165712]: https://github.com/cockroachdb/cockroach/pull/165712
-[#165802]: https://github.com/cockroachdb/cockroach/pull/165802
+[#165395]: https://github.com/cockroachdb/cockroach/pull/165395
+[#165457]: https://github.com/cockroachdb/cockroach/pull/165457
+[#165551]: https://github.com/cockroachdb/cockroach/pull/165551
 [#165725]: https://github.com/cockroachdb/cockroach/pull/165725
-[#165804]: https://github.com/cockroachdb/cockroach/pull/165804
-[#164561]: https://github.com/cockroachdb/cockroach/pull/164561
-[#165727]: https://github.com/cockroachdb/cockroach/pull/165727
+[#166159]: https://github.com/cockroachdb/cockroach/pull/166159
+[#165744]: https://github.com/cockroachdb/cockroach/pull/165744
 [#165849]: https://github.com/cockroachdb/cockroach/pull/165849
-[#165866]: https://github.com/cockroachdb/cockroach/pull/165866
-[#164514]: https://github.com/cockroachdb/cockroach/pull/164514
+[#165992]: https://github.com/cockroachdb/cockroach/pull/165992

From b237b3ca0219bc1a10a6f77d5216c194b5d5583d Mon Sep 17 00:00:00 2001
From: Automated Release Bot <releasebot@cockroachlabs.com>
Date: Mon, 23 Mar 2026 19:06:34 +0000
Subject: [PATCH 07/13] Update release notes for v26.2-v26.2.0-beta.1


From fb8b5b22ec64c4d23e645c9a642104721be63edc Mon Sep 17 00:00:00 2001
From: Automated Release Bot <releasebot@cockroachlabs.com>
Date: Mon, 23 Mar 2026 19:06:36 +0000
Subject: [PATCH 08/13] Update release notes for v26.2-v26.2.0-beta.1


From 232fa09aad074864dd4de89abde004ad1028dfe2 Mon Sep 17 00:00:00 2001
From: Automated Release Bot <releasebot@cockroachlabs.com>
Date: Mon, 23 Mar 2026 19:06:36 +0000
Subject: [PATCH 09/13] Update release notes for v26.2-v26.2.0-beta.1

---
 .../releases/v26.2/v26.2.0-beta.1.md          | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/src/current/_includes/releases/v26.2/v26.2.0-beta.1.md b/src/current/_includes/releases/v26.2/v26.2.0-beta.1.md
index a1f0c02a027..5a4c590d6e5 100644
--- a/src/current/_includes/releases/v26.2/v26.2.0-beta.1.md
+++ b/src/current/_includes/releases/v26.2/v26.2.0-beta.1.md
@@ -128,20 +128,20 @@ Release Date: March 25, 2026
   users to specify the specific type of URL that should be outputted. [#164561][#164561]
 
 
-[#164561]: https://github.com/cockroachdb/cockroach/pull/164561
-[#165727]: https://github.com/cockroachdb/cockroach/pull/165727
 [#165866]: https://github.com/cockroachdb/cockroach/pull/165866
+[#165992]: https://github.com/cockroachdb/cockroach/pull/165992
 [#164514]: https://github.com/cockroachdb/cockroach/pull/164514
+[#165395]: https://github.com/cockroachdb/cockroach/pull/165395
+[#165744]: https://github.com/cockroachdb/cockroach/pull/165744
+[#165727]: https://github.com/cockroachdb/cockroach/pull/165727
+[#165725]: https://github.com/cockroachdb/cockroach/pull/165725
 [#165804]: https://github.com/cockroachdb/cockroach/pull/165804
-[#165802]: https://github.com/cockroachdb/cockroach/pull/165802
-[#162583]: https://github.com/cockroachdb/cockroach/pull/162583
+[#166159]: https://github.com/cockroachdb/cockroach/pull/166159
+[#164561]: https://github.com/cockroachdb/cockroach/pull/164561
 [#165397]: https://github.com/cockroachdb/cockroach/pull/165397
-[#165712]: https://github.com/cockroachdb/cockroach/pull/165712
-[#165395]: https://github.com/cockroachdb/cockroach/pull/165395
 [#165457]: https://github.com/cockroachdb/cockroach/pull/165457
+[#165802]: https://github.com/cockroachdb/cockroach/pull/165802
 [#165551]: https://github.com/cockroachdb/cockroach/pull/165551
-[#165725]: https://github.com/cockroachdb/cockroach/pull/165725
-[#166159]: https://github.com/cockroachdb/cockroach/pull/166159
-[#165744]: https://github.com/cockroachdb/cockroach/pull/165744
+[#162583]: https://github.com/cockroachdb/cockroach/pull/162583
 [#165849]: https://github.com/cockroachdb/cockroach/pull/165849
-[#165992]: https://github.com/cockroachdb/cockroach/pull/165992
+[#165712]: https://github.com/cockroachdb/cockroach/pull/165712

From b5c63d6b9c5ca419b34235bfc3fa2a6afa08a311 Mon Sep 17 00:00:00 2001
From: Automated Release Bot <releasebot@cockroachlabs.com>
Date: Mon, 23 Mar 2026 19:09:07 +0000
Subject: [PATCH 10/13] Update release notes for v26.2-v26.2.0-beta.1


From 9453e8530eb51f5177f0ee262459585495351b91 Mon Sep 17 00:00:00 2001
From: Automated Release Bot <releasebot@cockroachlabs.com>
Date: Mon, 23 Mar 2026 19:09:08 +0000
Subject: [PATCH 11/13] Update release notes for v26.2-v26.2.0-beta.1


From 938ac717d8fdeb8a8b93b4a3c02e16349ad392d1 Mon Sep 17 00:00:00 2001
From: Automated Release Bot <releasebot@cockroachlabs.com>
Date: Mon, 23 Mar 2026 19:09:09 +0000
Subject: [PATCH 12/13] Update release notes for v26.2-v26.2.0-beta.1

---
 .../releases/v26.2/v26.2.0-beta.1.md          | 142 ++++--------------
 1 file changed, 33 insertions(+), 109 deletions(-)

diff --git a/src/current/_includes/releases/v26.2/v26.2.0-beta.1.md b/src/current/_includes/releases/v26.2/v26.2.0-beta.1.md
index 5a4c590d6e5..54972ec67c2 100644
--- a/src/current/_includes/releases/v26.2/v26.2.0-beta.1.md
+++ b/src/current/_includes/releases/v26.2/v26.2.0-beta.1.md
@@ -6,116 +6,41 @@ Release Date: March 25, 2026
 
 <h3 id="v26-2-0-beta-1-security-updates">Security updates</h3>
 
-- The new cluster setting
-  `security.client_cert.san_required.enabled` enables Subject
-  Alternative Name (SAN) based authentication for client
-  certificates. When enabled, CockroachDB validates client
-  identities using SAN attributes (URIs, DNS names, or
-  IP addresses) from X.509 certificates instead of or in
-  addition to the certificate's Common Name field.
-  
-  Key capabilities include:
-  
-  - For privileged users (root and node): SAN identities
-  are validated against values configured via the
-  --root-cert-san and --node-cert-san startup flags,
-  with automatic fallback to Distinguished Name
-  validation when both methods are configured.
-  
-  - For database users: SAN identities are extracted from
-  client certificates and mapped to database usernames
-  using Host-Based Authentication (HBA) identity mapping
-  rules, allowing a single certificate with multiple SAN
-  entries to authenticate as different database users
-  based on context.
-  
-  - Multiple identity attributes: A single certificate can
-  contain multiple SAN entries (e.g., URI for service
-  identity, DNS for hostname, IP for network location),
-  providing flexible authentication options.
-  
-  This authentication method works across both SQL client
-  connections and internal RPC communication between
-  cluster nodes, ensuring consistent identity verification
-  throughout the system. Organizations using modern
-  certificate management systems and service identity
-  frameworks can now leverage their existing infrastructure
-  for database authentication without requiring certificate
-  reissuance or CN-based naming conventions. [#162583][#162583]
+- The new cluster setting `security.client_cert.san_required.enabled` enables Subject Alternative Name (SAN) based authentication for client certificates. When enabled, CockroachDB validates client identities using SAN attributes (URIs, DNS names, or IP addresses) from X.509 certificates instead of or in addition to the certificate's Common Name field.
+
+    Key capabilities include:
+
+    - For privileged users (root and node): SAN identities are validated against values configured via the `--root-cert-san` and `--node-cert-san` startup flags, with automatic fallback to Distinguished Name validation when both methods are configured.
+
+    - For database users: SAN identities are extracted from client certificates and mapped to database usernames using Host-Based Authentication (HBA) identity mapping rules, allowing a single certificate with multiple SAN entries to authenticate as different database users based on context.
+
+    - Multiple identity attributes: A single certificate can contain multiple SAN entries (e.g., URI for service identity, DNS for hostname, IP for network location), providing flexible authentication options.
+
+    This authentication method works across both SQL client connections and internal RPC communication between cluster nodes, ensuring consistent identity verification throughout the system. Organizations using modern certificate management systems and service identity frameworks can now leverage their existing infrastructure for database authentication without requiring certificate reissuance or CN-based naming conventions. [#162583][#162583]
 
 <h3 id="v26-2-0-beta-1-sql-language-changes">SQL language changes</h3>
 
 - `SHOW ALL` now returns a third column, `description`, containing a human-readable description of each session variable. This matches the PostgreSQL behavior of `SHOW ALL`. [#165397][#165397]
-- This change introduces a new builtin
-  `information_schema.crdb_enable_statement_hints` which can be used to
-  enable or disable statement hints by hint ID or by statement
-  fingerprint.
-  
-  Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com> [#165457][#165457]
-- Rewrite-inline-hints rules can now be scoped
-  to a specific database, and will only apply to matching statements when
-  the current database also matches. This database can be specified with
-  an optional third argument to
-  `information_schema.crdb_rewrite_inline_hints`.
-  
-  Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com> [#165457][#165457]
-- SHOW STATEMENT HINTS now includes
-  `database` and `enabled` columns in its output.
-  
-  Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com> [#165712][#165712]
+- Introduced a new built-in function `information_schema.crdb_enable_statement_hints`, which can be used to enable or disable statement hints by hint ID or by statement fingerprint. [#165457][#165457]
+- Rewrite-inline-hints rules can now be scoped to a specific database, and will only apply to matching statements when the current database also matches. This database can be specified with an optional third argument to `information_schema.crdb_rewrite_inline_hints`. [#165457][#165457]
+- `SHOW STATEMENT HINTS` now includes `database` and `enabled` columns in its output. The `database` column indicates which database the hint applies to, and the `enabled` column indicates whether the hint is active. [#165712][#165712]
 - The `tableoid` system column is now supported on virtual tables such as those in `pg_catalog` and `information_schema`. This improves compatibility with PostgreSQL tools like `pg_dump` that reference `tableoid` in their introspection queries. [#165727][#165727]
-- Added support for the `aclitem` type and the
-  `makeaclitem` and `acldefault` built-in functions for PostgreSQL
-  compatibility. The existing `aclexplode` function, which previously
-  always returned no rows, now correctly parses ACL strings and returns
-  the individual privilege grants they contain.
-  
-  Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com> [#165744][#165744]
+- Added support for the `aclitem` type and the `makeaclitem` and `acldefault` built-in functions for PostgreSQL compatibility. The existing `aclexplode` function, which previously always returned no rows, now correctly parses ACL strings and returns the individual privilege grants they contain. [#165744][#165744]
 - Added the `pg_get_triggerdef` builtin function, which returns the `CREATE TRIGGER` statement for a given trigger OID. This improves PostgreSQL compatibility for databases that contain triggers. [#165849][#165849]
-- Added a `workload_type` column to the
-  `crdb_internal.node_active_session_history` and
-  `crdb_internal.cluster_active_session_history` virtual tables, as
-  well as the corresponding `information_schema` views. The column
-  exposes the type of workload being sampled, with possible values
-  "STATEMENT", "JOB", "SYSTEM", or "UNKNOWN".
-  
-  Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com> [#165866][#165866]
+- Added a `workload_type` column to the `crdb_internal.node_active_session_history` and `crdb_internal.cluster_active_session_history` virtual tables, as well as the corresponding `information_schema` views. The column exposes the type of workload being sampled, with possible values `STATEMENT`, `JOB`, `SYSTEM`, or `UNKNOWN`. [#165866][#165866]
 - Added the `TEMPORARY` database privilege, which controls whether users can create temporary tables and views. On new databases, this privilege is granted to the `public` role by default, matching PostgreSQL behavior. [#165992][#165992]
 
 <h3 id="v26-2-0-beta-1-operational-changes">Operational changes</h3>
 
-- add an opt-in OIDC setting to skip TLS
-  certificate verification for provider connections.
-  
-  Epic: None [#164514][#164514]
-- Red Hat certified CockroachDB container images are
-  now published as multi-arch manifests supporting linux/amd64, linux/arm64, and
-  linux/s390x. Previously only linux/amd64 was published to the Red Hat registry. [#165725][#165725]
+- Added the opt-in cluster setting `server.oidc_authentication.tls_insecure_skip_verify.enabled` to skip TLS certificate verification for OIDC provider connections. [#164514][#164514]
+- Red Hat certified CockroachDB container images are now published as multi-arch manifests supporting `linux/amd64`, `linux/arm64`, and `linux/s390x`. Previously only `linux/amd64` was published to the Red Hat registry. [#165725][#165725]
 - When hash-based redaction is enabled in the logging configuration, usernames in authentication logs now produce deterministic hashes instead of being fully redacted. This lets support engineers correlate the same user across multiple log entries without revealing the actual values. [#165804][#165804]
-- Statement diagnostics requests with
-  sampling_probability and expires_at now collect up to 10 bundles
-  (configurable via sql.stmt_diagnostics.max_bundles_per_request) instead
-  of a single bundle. Set the cluster setting to 1 to restore single-bundle
-  behavior.
-  
-  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> [#166159][#166159]
+- Statement diagnostics requests with `sampling_probability` and `expires_at` now collect up to 10 bundles (configurable via `sql.stmt_diagnostics.max_bundles_per_request`) instead of a single bundle. Set the cluster setting to `1` to restore single-bundle behavior. [#166159][#166159]
 
 <h3 id="v26-2-0-beta-1-command-line-changes">Command-line changes</h3>
 
-- The `cockroach encode-uri` command has been merged
-  into the `cockroach convert-url` command and `encode-uri` has been
-  deprecated. The PCR/LDR docs referencing `encode-uri` should be updated
-  to use `convert-url` instead. As part of this port, additional flags
-  `--inline`, `--database`, `--user`, `--password`, `--cluster`,
-  `--certs-dir`, `--ca-cert`, `--cert`, and `--key` have been added to
-  `convert-url`. [#164561][#164561]
-- Added `--exclude-log-severities` flag to
-  `cockroach debug zip` that filters log entries by severity server-side.
-  For example, `--exclude-log-severities=INFO` excludes all INFO-level log
-  entries from the collected log files, which can significantly reduce
-  zip file size for large clusters. Valid severity names are INFO,
-  WARNING, ERROR, and FATAL. The flag accepts a comma-delimited list or
-  can be specified multiple times. [#165802][#165802]
+- The `cockroach encode-uri` command has been merged into the `cockroach convert-url` command and `encode-uri` has been deprecated. As a result, the flags `--inline`, `--database`, `--user`, `--password`, `--cluster`, `--certs-dir`, `--ca-cert`, `--cert`, and `--key` have been added to `convert-url`. [#164561][#164561]
+- Added the `--exclude-log-severities` flag to `cockroach debug zip` that filters log entries by severity server-side. For example, `--exclude-log-severities=INFO` excludes all `INFO`-level log entries from the collected log files, which can significantly reduce zip file size for large clusters. Valid severity names are `INFO`, `WARNING`, `ERROR`, and `FATAL`. The flag accepts a comma-delimited list or can be specified multiple times. [#165802][#165802]
 
 <h3 id="v26-2-0-beta-1-bug-fixes">Bug fixes</h3>
 
@@ -124,24 +49,23 @@ Release Date: March 25, 2026
 
 <h3 id="v26-2-0-beta-1-miscellaneous">Miscellaneous</h3>
 
-- Adds the `--format` option to `convert-url`, which allows
-  users to specify the specific type of URL that should be outputted. [#164561][#164561]
+- Added the `--format` option to `cockroach convert-url`, which allows users to specify the type of connection URL to output. Supported formats are `pq`, `dsn`, `jdbc`, and `crdb`. [#164561][#164561]
 
 
+[#165727]: https://github.com/cockroachdb/cockroach/pull/165727
 [#165866]: https://github.com/cockroachdb/cockroach/pull/165866
+[#166159]: https://github.com/cockroachdb/cockroach/pull/166159
+[#164561]: https://github.com/cockroachdb/cockroach/pull/164561
+[#165551]: https://github.com/cockroachdb/cockroach/pull/165551
+[#165457]: https://github.com/cockroachdb/cockroach/pull/165457
+[#165712]: https://github.com/cockroachdb/cockroach/pull/165712
 [#165992]: https://github.com/cockroachdb/cockroach/pull/165992
-[#164514]: https://github.com/cockroachdb/cockroach/pull/164514
-[#165395]: https://github.com/cockroachdb/cockroach/pull/165395
-[#165744]: https://github.com/cockroachdb/cockroach/pull/165744
-[#165727]: https://github.com/cockroachdb/cockroach/pull/165727
 [#165725]: https://github.com/cockroachdb/cockroach/pull/165725
 [#165804]: https://github.com/cockroachdb/cockroach/pull/165804
-[#166159]: https://github.com/cockroachdb/cockroach/pull/166159
-[#164561]: https://github.com/cockroachdb/cockroach/pull/164561
+[#165395]: https://github.com/cockroachdb/cockroach/pull/165395
 [#165397]: https://github.com/cockroachdb/cockroach/pull/165397
-[#165457]: https://github.com/cockroachdb/cockroach/pull/165457
-[#165802]: https://github.com/cockroachdb/cockroach/pull/165802
-[#165551]: https://github.com/cockroachdb/cockroach/pull/165551
-[#162583]: https://github.com/cockroachdb/cockroach/pull/162583
 [#165849]: https://github.com/cockroachdb/cockroach/pull/165849
-[#165712]: https://github.com/cockroachdb/cockroach/pull/165712
+[#165744]: https://github.com/cockroachdb/cockroach/pull/165744
+[#164514]: https://github.com/cockroachdb/cockroach/pull/164514
+[#162583]: https://github.com/cockroachdb/cockroach/pull/162583
+[#165802]: https://github.com/cockroachdb/cockroach/pull/165802

From b10284606e5e54fd232138f3d59e167f98fa565f Mon Sep 17 00:00:00 2001
From: Ryan Kuo <ryank@cockroachlabs.com>
Date: Mon, 23 Mar 2026 15:22:44 -0400
Subject: [PATCH 13/13] manually reorder release notes

---
 .../releases/v26.2/v26.2.0-beta.1.md          | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/src/current/_includes/releases/v26.2/v26.2.0-beta.1.md b/src/current/_includes/releases/v26.2/v26.2.0-beta.1.md
index 54972ec67c2..e947820000a 100644
--- a/src/current/_includes/releases/v26.2/v26.2.0-beta.1.md
+++ b/src/current/_includes/releases/v26.2/v26.2.0-beta.1.md
@@ -4,6 +4,12 @@ Release Date: March 25, 2026
 
 {% include releases/new-release-downloads-docker-image.md release=include.release %}
 
+<h3 id="v26-2-0-beta-1-backward-incompatible-changes">Backward-incompatible changes</h3>
+
+- Added the `TEMPORARY` database privilege, which controls whether users can create temporary tables and views. On new databases, this privilege is granted to the `public` role by default, matching PostgreSQL behavior. [#165992][#165992]
+- The `cockroach encode-uri` command has been merged into the `cockroach convert-url` command and `encode-uri` has been deprecated. As a result, the flags `--inline`, `--database`, `--user`, `--password`, `--cluster`, `--certs-dir`, `--ca-cert`, `--cert`, and `--key` have been added to `convert-url`. [#164561][#164561]
+- Statement diagnostics requests with `sampling_probability` and `expires_at` now collect up to 10 bundles (configurable via `sql.stmt_diagnostics.max_bundles_per_request`) instead of a single bundle. Set the cluster setting to `1` to restore single-bundle behavior. [#166159][#166159]
+
 <h3 id="v26-2-0-beta-1-security-updates">Security updates</h3>
 
 - The new cluster setting `security.client_cert.san_required.enabled` enables Subject Alternative Name (SAN) based authentication for client certificates. When enabled, CockroachDB validates client identities using SAN attributes (URIs, DNS names, or IP addresses) from X.509 certificates instead of or in addition to the certificate's Common Name field.
@@ -20,37 +26,31 @@ Release Date: March 25, 2026
 
 <h3 id="v26-2-0-beta-1-sql-language-changes">SQL language changes</h3>
 
-- `SHOW ALL` now returns a third column, `description`, containing a human-readable description of each session variable. This matches the PostgreSQL behavior of `SHOW ALL`. [#165397][#165397]
-- Introduced a new built-in function `information_schema.crdb_enable_statement_hints`, which can be used to enable or disable statement hints by hint ID or by statement fingerprint. [#165457][#165457]
 - Rewrite-inline-hints rules can now be scoped to a specific database, and will only apply to matching statements when the current database also matches. This database can be specified with an optional third argument to `information_schema.crdb_rewrite_inline_hints`. [#165457][#165457]
-- `SHOW STATEMENT HINTS` now includes `database` and `enabled` columns in its output. The `database` column indicates which database the hint applies to, and the `enabled` column indicates whether the hint is active. [#165712][#165712]
-- The `tableoid` system column is now supported on virtual tables such as those in `pg_catalog` and `information_schema`. This improves compatibility with PostgreSQL tools like `pg_dump` that reference `tableoid` in their introspection queries. [#165727][#165727]
 - Added support for the `aclitem` type and the `makeaclitem` and `acldefault` built-in functions for PostgreSQL compatibility. The existing `aclexplode` function, which previously always returned no rows, now correctly parses ACL strings and returns the individual privilege grants they contain. [#165744][#165744]
+- Introduced a new built-in function `information_schema.crdb_enable_statement_hints`, which can be used to enable or disable statement hints by hint ID or by statement fingerprint. [#165457][#165457]
 - Added the `pg_get_triggerdef` builtin function, which returns the `CREATE TRIGGER` statement for a given trigger OID. This improves PostgreSQL compatibility for databases that contain triggers. [#165849][#165849]
+- `SHOW ALL` now returns a third column, `description`, containing a human-readable description of each session variable. This matches the PostgreSQL behavior of `SHOW ALL`. [#165397][#165397]
+- `SHOW STATEMENT HINTS` now includes `database` and `enabled` columns in its output. The `database` column indicates which database the hint applies to, and the `enabled` column indicates whether the hint is active. [#165712][#165712]
+- The `tableoid` system column is now supported on virtual tables such as those in `pg_catalog` and `information_schema`. This improves compatibility with PostgreSQL tools like `pg_dump` that reference `tableoid` in their introspection queries. [#165727][#165727]
 - Added a `workload_type` column to the `crdb_internal.node_active_session_history` and `crdb_internal.cluster_active_session_history` virtual tables, as well as the corresponding `information_schema` views. The column exposes the type of workload being sampled, with possible values `STATEMENT`, `JOB`, `SYSTEM`, or `UNKNOWN`. [#165866][#165866]
-- Added the `TEMPORARY` database privilege, which controls whether users can create temporary tables and views. On new databases, this privilege is granted to the `public` role by default, matching PostgreSQL behavior. [#165992][#165992]
 
 <h3 id="v26-2-0-beta-1-operational-changes">Operational changes</h3>
 
 - Added the opt-in cluster setting `server.oidc_authentication.tls_insecure_skip_verify.enabled` to skip TLS certificate verification for OIDC provider connections. [#164514][#164514]
 - Red Hat certified CockroachDB container images are now published as multi-arch manifests supporting `linux/amd64`, `linux/arm64`, and `linux/s390x`. Previously only `linux/amd64` was published to the Red Hat registry. [#165725][#165725]
 - When hash-based redaction is enabled in the logging configuration, usernames in authentication logs now produce deterministic hashes instead of being fully redacted. This lets support engineers correlate the same user across multiple log entries without revealing the actual values. [#165804][#165804]
-- Statement diagnostics requests with `sampling_probability` and `expires_at` now collect up to 10 bundles (configurable via `sql.stmt_diagnostics.max_bundles_per_request`) instead of a single bundle. Set the cluster setting to `1` to restore single-bundle behavior. [#166159][#166159]
 
 <h3 id="v26-2-0-beta-1-command-line-changes">Command-line changes</h3>
 
-- The `cockroach encode-uri` command has been merged into the `cockroach convert-url` command and `encode-uri` has been deprecated. As a result, the flags `--inline`, `--database`, `--user`, `--password`, `--cluster`, `--certs-dir`, `--ca-cert`, `--cert`, and `--key` have been added to `convert-url`. [#164561][#164561]
 - Added the `--exclude-log-severities` flag to `cockroach debug zip` that filters log entries by severity server-side. For example, `--exclude-log-severities=INFO` excludes all `INFO`-level log entries from the collected log files, which can significantly reduce zip file size for large clusters. Valid severity names are `INFO`, `WARNING`, `ERROR`, and `FATAL`. The flag accepts a comma-delimited list or can be specified multiple times. [#165802][#165802]
+- Added the `--format` option to `cockroach convert-url`, which allows users to specify the type of connection URL to output. Supported formats are `pq`, `dsn`, `jdbc`, and `crdb`. [#164561][#164561]
 
 <h3 id="v26-2-0-beta-1-bug-fixes">Bug fixes</h3>
 
 - Fixed a bug where temporary tables created in one session could fail to appear in `pg_catalog` queries from another session because the parent temporary schema could not be resolved by ID. [#165395][#165395]
 - Fixed a bug in the legacy schema changer where rolling back a `CREATE TABLE` with inline `FOREIGN KEY` constraints could leave orphaned foreign key back-references on the referenced table, causing descriptor validation errors. [#165551][#165551]
 
-<h3 id="v26-2-0-beta-1-miscellaneous">Miscellaneous</h3>
-
-- Added the `--format` option to `cockroach convert-url`, which allows users to specify the type of connection URL to output. Supported formats are `pq`, `dsn`, `jdbc`, and `crdb`. [#164561][#164561]
-
 
 [#165727]: https://github.com/cockroachdb/cockroach/pull/165727
 [#165866]: https://github.com/cockroachdb/cockroach/pull/165866