For all official JDBC Release Notes please refer to https://docs.snowflake.com/en/release-notes/clients-drivers/jdbc
-
v4.3.2-SNAPSHOT
- Fixed GCS PUT operations not retrying on transient errors (e.g. HTTP 503) despite
putGetMaxRetriesbeing configured (#2688). - Bumped jackson-databind to 2.18.9 from 2.18.7 (#2669 and #2690).
- Bumped netty to 4.1.136.Final which addresses several vulnerabilities (#2690).
- Fixed snowflake-jdbc writing a
snowflake-minicore-*temp directory and loading the native library at driver class-load time even when the driver was never used (e.g. when present on the classpath only as a transitive dependency). Minicore now loads lazily when the first Snowflake connection is created (ConnectionFactory.createConnection) instead of duringDriverInitializer.initialize()(#2670). - Restored
GetCallerIdentityas the default AWS Workload Identity Federation attestation method to avoid breaking existing users who have not configured theISSUERin their Snowflake WIF setup. TheGetWebIdentityToken(outbound JWT) flow introduced in v4.3.0 is now opt-in via the newworkloadIdentityAwsUseOutboundTokenconnection property. - Fixed flaky
SnowflakeDriverIT.testDBMetadata: the SHOW-basedgetTablesmetadata lookup could transiently return no rows right after the test table was created (metadata cache lag on shared/loaded accounts), so the lookup is now retried until the table becomes visible, and on very slow CI runners where propagation exceeds the retry window the test is skipped rather than failed (the mapping is covered deterministically byDatabaseMetadataWiremockLatestIT). Test-only change with no driver behavior impact (#2673). - Fixed flaky
DatabaseMetaDataLatestIT.testUnderscoreInSchemaNamePatternForPrimaryAndForeignKeys[WithPatternSearchDisabled]: the SHOW-basedgetPrimaryKeys/getImportedKeyslookups could transiently return fewer rows than expected right after the table DDL (eventually-consistent PK/FK constraint metadata), so the lookups are now retried until the expected rows become visible. Test-only change with no driver behavior impact (#2673). - Fixed flaky
DatabaseMetaDataIT.testGetPrimarykeysandSnowflakeDriverIT.testConstraints(eventually-consistent PK/FK constraint metadata after DDL) by retrying the constraint metadata lookups until visible. Replaced the live, concurrent stress testsDatabaseMetaDataLatestIT.test[No]PatternSearchAllowedForPrimaryAndForeignKeys(which timed out on slow CI runners) with deterministic coverage in the newDatabaseMetadataWiremockLatestIT, which validates thegetTables/getPrimaryKeys/getImportedKeysSHOW-result mapping and theenablePatternSearchpattern-vs-literal behavior using stubbed responses (no live account or metadata-propagation dependency). Test-only change with no driver behavior impact (#2673). - Fixed the Loader API (
StreamLoader.setVectorColumns) throwingLoader$ConnectionError: ... Result set has been closedwhen thegetColumnsmetadata lookup returned no rows. The result set returned bygetColumnscloses itself oncenext()runs out of matching rows, so the uncheckedrs.next()followed byrs.getString(...)raised "Result set has been closed"; the result is now read only whenrs.next()returns a row. This intermittently aborted concurrent loads (e.g.FlatfileReadMultithreadIT) when theSHOW COLUMNSmetadata query raced with concurrent DML on the same table (#2674). - Fixed
uploadStream/downloadStreamfailing with SQL compilation errors when the stage reference contains non-ASCII characters (e.g. Japanese schema names). Stage references in internally generated PUT/GET commands are now wrapped in single quotes when they contain characters that require quoting per Snowflake SQL syntax (SNOW-3713887).
- Fixed GCS PUT operations not retrying on transient errors (e.g. HTTP 503) despite
-
v4.3.1
- Fixed GCS-backed internal stage PUT failing with opaque
invalid_gcs_credentialsin SPCS pods on GCP: the GCS SDK's Application Default Credentials (ADC) probe was reaching out tometadata.google.internalwhich is unreachable inside SPCS; explicit credentials are now always set when aGCS_ACCESS_TOKENis present, suppressing the ADC probe entirely. Also fixedGCSAccessStrategyAwsSdkrejecting custom GCS endpoints that lack anhttps://scheme prefix (e.g. barestorage.me-central2.rep.googleapis.com), mirroring the existing handling inGCSDefaultAccessStrategy. The catch-all insetupGCSClientnow chains and logs the original exception instead of swallowing it (#2664). - Fixed Azure PUT memory leak where each PUT instantiated a fresh
BlobServiceClientwhose underlying reactor-netty stack the SDK exposes no API to release; the Azure SDKHttpClientand itsConnectionProviderare now shared across all PUTs in a session and disposed at session close, mirroring the existing S3 pattern (#2658). - Fixed
SFResultJsonParser2Failed: invalid escaped unicode characterwhen a chunked JSON result contained UTF-16 surrogate-pair\uescapes (e.g. emoji) and the read buffer happened to split exactly 9 bytes after\u; the off-by-one boundary guard inResultJsonParserV2now reserves the full 10 bytes a surrogate pair requires (#2660). - Fixed (by removing) stale
com.amazonaws.util.Base16/Base64bytecode references from the shaded JAR by excluding deadSFBinaryandSFBinaryFormatclasses from the bundledsnowflake-commonartifact. Security scanners shold no longer flagsnowflake-jdbc-thinas containing AWS SDK v1 references. (#2665). - Bumped grpc-java to 1.82.0 from 1.81.0 (#2663).
- Fixed GCS-backed internal stage PUT failing with opaque
-
v4.3.0
- Bumped AWS SDK from 2.37.5 to 2.45.1, which transitively brings netty up to 4.1.133.Final and resolves a cluster of High/Medium netty CVEs (HTTP request smuggling, CRLF injection, data amplification, resource allocation) flagged by Snyk against
netty-nio-clientinthin_public_pom.xml(#2654). - Bumped jackson to 2.18.7 to address two High-severity resource-exhaustion CVEs in jackson-core 2.18.4.1, and added a
.snykpolicy file with justified ignores for the dual-licensedjavax.servlet-api/javax.annotation-apifindings and the tika-core XXE (SNYK-JAVA-ORGAPACHETIKA-14188255), which has no Java-8-compatible fix and is not reachable through the driver's only Tika caller (#2654). - Fixed OAuth token requests sending
scope=session:role:nullwhen no scope is configured (or scope is empty/blank); thescopeparameter is now omitted entirely in those cases (#2646). - Fixed Okta native SSO federated login sending malformed JSON to
/api/v1/authn(HTTP 400 from Okta) when the username or password contained JSON-special characters such as double quotes or backslashes; the request body is now serialized with Jackson instead of string concatenation. - Added one in-band telemetry record per successful login describing which connection-identifier fields the user supplied (
account_provided,account_with_region,account_org_provided,region_provided,host_provided). No hostname or account value is included. This is gated by the existing server-sideCLIENT_TELEMETRY_ENABLEDparameter and can additionally be disabled locally by settingSF_TELEMETRY_DISABLE_CONNECTION_SHAPE=true. The telemetry collection is time-boxed and will be removed in a future release. - Fixed
SnowflakeChunkDownloaderper-chunk metrics log misattributing the response body transfer toparseTime:getResultStreamProvider().getInputStream()returns once headers come back and streams the body lazily during the parser'sread()calls, so the old code billed only HTTP/TLS setup todownloadTimeand the entire body read+parse toparseTime. When the metrics logger is atFINE/debug level, the InputStream is now wrapped in aTimingInputStreamthat accumulates time blocked insideread(), sodownloadTimereflects true network read time andparseTimereflects only CPU parse cost; at higher log levels the original stream is used unchanged to avoid the per-read()overhead (#2640). - Fixed
Connection.isValid()silently swallowing thread interruption: when the underlying heartbeat is interrupted, the connection's interrupt flag is now restored viaThread.currentThread().interrupt()so connection pools and Thread shutdown mechanisms can react to the interruption (#2314). - Fixed non-retryable HTTP 400 response bodies always being logged as
"Failed to read content due to exception: Attempted read from closed stream". The response entity is now buffered beforeRestRequest#checkForDPoPNonceErrorandSnowflakeUtil#logResponseDetailsconsume it so both readers see the body (#2631). - Added defense-in-depth canonical-path validation in the S3, Azure, and GCS download clients to ensure resolved local download paths cannot escape the user's GET target directory via traversal segments, absolute paths, or symlink redirection (#2623).
- Fixed path traversal via server-controlled filenames in
SnowflakeFileTransferAgentGET destination filename derivation; backslash separators are now stripped and traversal/absolute basenames are rejected (#2622). - Further changes regarding auto-configuration (
jdbc:snowflake:autostyle connection config) (#2625):- Fixed bug leading to
'Connection property specified more than once: DB'error, when bothconnections.toml(database) and JDBC URL (db) defined database - Enhancement: now parameters passed as
Properties()are also considered when building connection. For conflicting items defined in multiple places, priority is: Properties > JDBC URL >connections.toml - Enhancement (supportability): added provenance tracking for config keys and log them once per connection on debug level
- Fixed bug leading to
- Fixed IllegalStateException when creating new Snowflake connections during JVM shutdown (SIGTERM); HeartbeatRegistry now skips heartbeat registration gracefully instead of throwing (#2617).
- Fixed auto-config debug log messages (provenance, TOML parsing) not appearing in
client_config_file-governed log file; messages are now replayed after logger initialization so they reach the FileHandler (#2632). - The AWS S3 client now reuses a per-session shared Netty
SdkEventLoopGroup, torn down once at session close, eliminating Netty's 2 sshutdownGracefullyquiet period previously paid on every per-PUT/GET client close (#2620). - Bumped netty to 4.1.135.Final which addresses several vulnerabilities (#2655).
- Fixed inverted null check in
CredentialManager.updateInputWithTokenAndPublicKeythat prevented DPoP bundled access tokens loaded from the credential cache from being applied to the login input (#2650). - Fixed
Connection.setCatalogandConnection.setSchemaproducing malformed SQL (or switching to an unintended database/schema) when the supplied name contained an embedded"character; the name is now escaped per the SQL-standard quoted-identifier rule before being interpolated into theUSEstatement (#2651). - Switched AWS Workload Identity Federation attestation from a SigV4-presigned
GetCallerIdentityrequest to STSGetWebIdentityToken, returning a signed JWT directly. (#2653)
- Bumped AWS SDK from 2.37.5 to 2.45.1, which transitively brings netty up to 4.1.133.Final and resolves a cluster of High/Medium netty CVEs (HTTP request smuggling, CRLF injection, data amplification, resource allocation) flagged by Snyk against
-
v4.2.0
- Extended the
SKIP_TOKEN_FILE_PERMISSIONS_VERIFICATIONenvironment variable to also bypass permission verification on theconnections.tomlconfig file and on the credential cache file (credential_cache_v1.json), unblocking driver use in SPCS environments where strict 0600/0700 ownership cannot be guaranteed (#2614) - Fixed NPE in
RestRequest.sendIBHttpErrorEventwhenSFSession.getTelemetryClient()returns null because the session URL is not yet set; aNoOpTelemetryClientis now returned instead, allowing the original HTTP error to be surfaced to the caller (#2610) - Added support for attaching the SPCS service-identifier token (
SPCS_TOKEN) to login requests when the driver is running inside an SPCS container (gated on theSNOWFLAKE_RUNNING_INSIDE_SPCSenvironment variable; token read from/snowflake/session/spcs_token) (#2603) - Added libc family and version detection (
LIBC_FAMILY,LIBC_VERSION) to theCLIENT_ENVIRONMENTsection of the login request on Linux (#2596) - Fixed NPE in
SFTrustManager.validateRevocationStatusMainwhen the OCSP cache contains a non-SUCCESSFUL response (e.g.unauthorized(6)); the response is now surfaced as anSFOCSPExceptionso cache eviction and fail-open run normally (#2597) - Added IPv6 support for cloud metadata services so Workload Identity Federation and platform detection work on IPv6-only instances (#2586):
- GCP WIF attestation now uses hostname
metadata.google.internalinstead of the IPv4 link-local address. - EC2 instance detection probes the IPv4 and IPv6 IMDS endpoints (
[fd00:ec2::254]) in parallel so detection succeeds on IPv6-only instances without doubling the detection budget on dual-stack hosts.
- GCP WIF attestation now uses hostname
- Added
enableCopyResultSetconnection property (defaultfalse): whentrue,Statement.execute()exposes the COPY INTO per-file metadata result set viagetResultSet()instead of consuming it internally (#2592) - Migrated CI test images from CentOS 7 (EOL) to Rocky Linux 8 (#2578)
- Fixed NPE "The URI scheme of endpointOverride must not be null" happening during file transfer (e.g. PUT) in some use-cases (#2572)
- Fixed connections.toml auto-configuration behaviour (#2591):
- now defaulting to port 443 instead of 80 when neither port nor protocol is specified
- config coming from the JDBC connection string are no longer ignored when auto-configuration sourced items also present (when both present, direct connection config takes precedence)
- Fixed protocol field in connections.toml being ignored, causing connections to always use HTTPS (#2585)
- Fixed SecurityException on credential cache file ownership check in containers where JVM returns '?' for user.name (#2600).
- Fixed credential cache delete operations ignoring clientStoreTemporaryCredential=false setting (#2600).
- Fixed S3 transfer thread pool leak during repeated PUT/GET operations causing possible OOM (#2602).
- Bumped BouncyCastle to 1.84 to address CVE-2026-0636, CVE-2026-5588, and CVE-2026-5598 (#2593).
- Added
workloadIdentityAwsExternalIdconnection property to support AWS STS external ID in Workload Identity Federation role-chaining flows (#2565). - Bumped grpc-java to 1.81.1 now that they also upgraded to netty 4.1.132.Final as the second part of PR 2561, and also netty itself to 4.1.133.Final to address several CVE (#2611).
- Extended the
-
v4.1.0
- Added warning about using plain HTTP OAuth endpoints (#2556).
- Fix initializing ObjectMapper when DATE_OUTPUT_FORMAT is specified (#2545).
- Fix Netty native library conflict in thin JAR (#2559)
- Bumped netty to 4.1.132.Final to address CVE-2026-33870 (High) and CVE-2026-33871 (High) (#2561)
- Added getRole, getWarehouse and getDatabase API extension methods (#2564)
- Fix driver failure when security manager prohibits access to system properties, environment variables and modifying security providers (#2563)
- Removed the io.netty.tryReflectionSetAccessible system property setting as it's no longer needed with modern Arrow/Netty versions (#2563)
- Fixed crash in getColumns operation when table contained unrecognised column type (#2568).
- Fixed session expiration when multiple sessions have different heartbeat intervals (#2566).
- Merge QueryContext from failed query responses (#2570)
-
v4.0.2
- Fix expired session token renewal when polling results (#2489)
- Fix missing minicore async initialization that was dropped during public API restructuring in v4.0.0 (#2501)
- Adjust level of logging during Driver initialization (#2504)
- Add sanitization for nonProxyHosts RegEx patterns (#2506)
- Fix bug with malformed file during S3 upload (#2502)
- Added periodic closure of sockets closed by the remote end (#2481).
- Add internal API usage telemetry tracker (#2509)
- Change S3 Client's multipart threshold to 16MB (#2526)
- Fixed fat jar with S3 iteration, the problem of not finding class
software.amazon.awssdk.transfer.s3.internal.ApplyUserAgentInterceptor(#2519). - Removed Conscrypt from shading to prevent
failed to find class org/conscrypt/CryptoUpcallsnative error (#2519). - Add logging implementation to CLIENT_ENVIRONMENT telemetry (#2527)
- Fix NPE when HOME directory cache is not available (#2534)
- Bumped
commons-compressdependency to latest (1.28.0) to address CVE-2024-25710 and CVE-2024-26308 (#2538) - Add SLF4J bridge from shaded dependencies to
SFLogger(#2543) - Fixed proxy authentication when connecting to GCP (#2540)
- Fixed bug where called-provided schema was ignored in getStreams() (#2546)
- Fixed S3 error handling manifested with
NullPointerException(#2550)
-
v4.0.1
- Add /etc/os-release data to Minicore telemetry (#2470)
- Fix incorrect encryption algorithm chosen when a file was put to S3 with client_encryption_key_size account parameter set to 256 (#2472)
- Fixed fat jar with S3 iteration, the problem of not finding class
software.amazon.awssdk.transfer.s3.internal.ApplyUserAgentInterceptor(#2474). - Removed Conscrypt from shading to prevent
failed to find class org/conscrypt/CryptoUpcallsnative error (#2474). - Update BouncyCastle dependencies to fix CVE-2025-8916 CVE-2025-8885 (#2479)
- Fix external browser authentication after changing enum name. Manifested with
Invalid connection URL: Invalid SSOUrl founderror (#2475). - Rolled back external browser authenticator name to
externalbrowser(#2475).
Due to some underlying issues, Snowflake recommends that AWS and Azure customers do not upgrade to this version if you use PUT or GET queries. Instead, Snowflake recommends that you upgrade directly to version 4.0.1. If you have already upgraded to this version, please upgrade to version 4.0.1 as soon as possible.
-
v4.0.0
- Bumped netty to 4.1.130.Final to address CVE-2025-67735 (#2447)
- Fix OCSP HTTP client cache to honor per-connection proxy settings (#2449)
- Mask secrets in exception logging (#2457)
- Fix NPE when sending in-band telemetry without HTTP response (#2460)
- Migrate from AWS SDK v1 to AWS SDK v2 (#2385 #2393)
- Return column_size value in database metadata commands as in JDBC spec (#2418)
- Migrate Azure storage from v5 to v12 (#2417)
- Enable bundled BouncyCastle for private key decryption by default (#2452)
- Rename BouncyCastle JVM property from net.snowflake.jdbc.enableBouncyCastle to net.snowflake.jdbc.useBundledBouncyCastleForPrivateKeyDecryption (#2452).
- Major public API restructuring: move all public APIs to net.snowflake.client.api.* package hierarchy (#2403):
- Add new unified QueryStatus class in public API that replaces the deprecated QueryStatus enum and QueryStatusV2 class.
- Add new public API interfaces for stream upload/download configuration (DownloadStreamConfig, UploadStreamConfig).
- Add SnowflakeDatabaseMetaData interface to public API for database metadata operations.
- Add SnowflakeAsyncResultSet interface to public API for async query operations.
- Add SnowflakeResultSetSerializable interface to public API.
- Deprecate net.snowflake.client.jdbc.SnowflakeDriver in favor of new net.snowflake.client.api.driver.SnowflakeDriver.
- Move internal classes to net.snowflake.client.internal.* package hierarchy.
- Removed deprecated com.snowflake.client.jdbc.SnowflakeDriver class.
- Removed deprecated QueryStatus enum from net.snowflake.client.core package.
- Removed deprecated QueryStatusV2 class from net.snowflake.client.jdbc package.
- Removed deprecated SnowflakeType enum from net.snowflake.client.jdbc package.
-
v3.28.0
- Ability to choose connection configuration in auto configuration file by a parameter in JDBC url. (#2369)
- Bumped grpc-java to 1.77.0 to address CVE-2025-58057 from transient dep (#2415)
- Fix Connection and socket timeout are now propagated to HTTP client (#2394).
- Fix Azure 503 retries and configure it with the putGetMaxRetries parameter (#2422).
- Improved retries for SSLHandshakeException errors caused by transient EOFException (#2423)
- Introduced shared library(source code) for extended telemetry to identify and prepare testing platform for native rust extensions (#2430)
- Bumped netty to 4.1.128.Final to address CVE-2025-59419 (#2389)
-
v3.27.1
- Added platform detection on login to set PLATFORM metric in CLIENT_ENVIRONMENT (#2351)
- Disable DatabaseMetaDataLatestIT::testUseConnectionCtx test (#2367)
- Fix IT tests to construct OAuth scopes correctly (#2366)
- Fix exponential backoff retry time for non-auth requests (#2370)
- Upgrade aws-sdk to 1.12.792 and add STS dependency (#2361)
- Add rockylinux9 CI tests as part of RHEL 9 support (#2368)
- Bumped grpc-java to 1.76.0 to address CVE-2025-58056 from transient dep (#2371)
- Added
workloadIdentityImpersonationPathconfig option forauthenticator=WORKLOAD_IDENTITYallowing workloads to authenticate as a different identity through transitive service account impersonation (#2348) - Added support for authentication as a different identity through transitive IAM role impersonation for AWS (#2364)
- Add AWS identity detection with ARN validation (#2379)
-
v3.27.0
- Added the
changelog.ymlGitHub workflow to ensure changelog is updated on release PRs (#2340). - Added HTTP 307 & 308 retries in case of internal IP redirects (#2344)
- Make PAT creation return
ResultSetwhen usingexecutemethod (#2343) - Renamed CRL_REVOCATION_CHECK_MODE to CERT_REVOCATION_CHECK_MODE in CLIENT_ENVIRONMENT metrics (#2349)
- Test coverage for multistatement jdbc (#2318).
- Fixed permission check for .toml config file (#2270).
- Bumped netty to 4.1.127.Final to address CVE-2025-58056 and CVE-2025-58057 (#2354)
- Add support for x-snowflake-session sticky HTTP session header returned by Snowflake (#2357)
- Added support for Interval Year-Month and Day-Time types in JDBC (#2345).
- Added support for Decfloat types in JDBC (#2329, #2332).
- Fixed pattern search for file when QUOTED_IDENTIFIERS_IGNORE_CASE enabled (#2333)
- Added support for CRL (certificate revocation list) (#2287).
- Added the