Technical advisories report major issues with CockroachDB or the CockroachDB Cloud platform that may impact security or stability in production environments.
Users are invited to evaluate advisories and consider the recommended mitigation actions independently from their version upgrade schedule.
Advisory | Summary | Affected versions | Date |
---|---|---|---|
A-133479 | Diagnostics reporting, if enabled for a cluster, may have sent OIDC credentials stored in cluster settings to a secure, limited access Cockroach Labs telemetry database. The payload would have contained a unique cluster ID, and no publicly identifiable customer information. | v20.2, v21.1, v21.2, v22.1, v22.2, v23.1.0 to v23.1.28, v23.2.0 to v23.2.13, v24.1.0 to v24.1.6, v24.2.0 to v24.2.4, v24.3.0-alpha.1+ | October 25, 2024 |
A-131639 | During a sustained period of disk slowness in the presence of lease transfers, it is possible for some writes in a transaction that straddle multiple ranges to be lost. | v22.2, v23.1.0 to v23.1.26, v23.2.0 to v23.2.10, v24.1.0 | October 8, 2024 |
A-122372 | Changefeeds could emit events on the same row out of order in some cases. | v23.1, v23.2.0 to v23.2.9, v24.1.0 to v24.1.3, and testing versions of v24.2 through v24.2.0-beta.3 | September 3, 2024 |
A-123371 | Changefeeds could drop events during the initial scan in some cases, causing changefeed consumers to receive incomplete data. | v22.2, v23.1.0 to v23.1.21, v23.2.0 to v23.2.5, and testing versions of v24.1 through v24.1.0-rc.1 | June 17, 2024 |
A-104309 | In rare cases, a rangefeed bug may cause a checkpoint to be emitted prematurely, before all writes below the checkpoint timestamp have been emitted. | v2.1.11 to v22.2.17, v23.1.0 to v23.1.14, v23.2.0 | February 21, 2024 |
A-114393 | A bug could cause a query plan to skip scanning rows from the local region when performing a lookup join with a REGIONAL BY ROW table as the input. | v23.1.0 to v23.1.12, and pre-release versions v23.1.0-beta.1, v23.1.0-beta.2, v23.1.0-beta.3, v23.1.0-rc.1, and v23.1.0-rc.2 | December 5, 2023 |
A-190483 | Queries reading a table that uses at least one explicit column family in its definition and was restored from a backup using version v22.2.7 to v22.2.13 or v23.1.0 to v23.1.8 may return errors or incorrect results. | v22.2.7 to v22.2.13, v23.1.0 to v23.1.8 | September 22, 2023 |
A-110363 | Clusters using row-level TTL and upgraded from v22.2.x to 23.1.9 may experience nodes crashing due to the erroneous deletion of a necessary metadata field. | Clusters running v22.2.x upgrading to v23.1.9 | September 12, 2023 |
A-106617 | When the encryption-at-rest registry rolls over, the append-only log file contains a bug that could result in loss of the store. | v21.2.x, ≤ 22.1.21, ≤ 22.2.12, ≤ 23.1.7 | August 15, 2023 |
A-99561 | When adding a new column using the new declarative schema changer, CockroachDB retrieves a unique secondary index mistakenly, assuming it to be a primary index. | v22.2.x, v23.1.0 to v23.1.5 | July 18, 2023 |
A-103220 | Inserting rows into a multi-column-family table with COPY can corrupt the table, making future reads fail with internal errors. | v23.1.0-alpha.1 to v23.1.0 | May 16, 2023 |
A-102375 | Some customers may experience spurious privilege errors when trying to run queries due to a bug in the query cache. | v22.1.19 and v22.2.8 | May 11, 2023 |
A-101963 | In specific circumstances, a RESTORE operation may restore incorrect data from a backup that contains incorrect metadata related to revision history. | v22.2.0 to v22.2.8 and v22.1.0 to v22.1.19 | May 9, 2023 |
A-99796 | After upgrading to CockroachDB v22.2.0-v22.2.7, a bug could cause primary index corruption when an ALTER TABLE..ADD COLUMN statement executes concurrently with an UPDATE or INSERT command, and the schema change fails and is rolled back. | v22.2.0 to v22.2.7 | April 17, 2023 |
A-99049 | Non-admin SQL users with an authenticated HTTP session could download statement diagnostic bundles given a bundle URL from the DB Console or SQL shell with a valid HTTP session cookie. | v21.2.x, v22.1.0 to v22.1.16, v22.2.0 to v22.2.6 | March 29, 2023 |
A-98779 | A restore job can potentially skip some data files upon resumption of an in-progress RESTORE, which could lead to missing rows after the job succeeds. | v22.2.6 | March 29, 2023 |
A-97932 | The SCRAM protocol had a high default hash count causing connection latency spikes for clients running on limited CPU. | v22.2.0 to v22.2.6 | March 29, 2023 |
A-97090 | Queries planned with a zigzag join could produce incorrect results if the two indexes used for the join had a matching suffix of index key columns where the direction was different between the two indexes. | v19.1 to v22.1.15, v22.2.0 to v22.2.5 | March 6, 2023 |
A-96924 | When executing ALTER TABLE DROP COLUMN of a column used in a partial index, all DML statements referencing the table fail with an error during the delete-only phase. | v20.2.0 to v22.1.15, v22.2.0 to v22.2.5 | March 6, 2023 |
A-93398 | Altering a non-empty table to add a column with a DEFAULT expression in which the type of the expression did not match the type of the new column could cause the column to become corrupted. | v22.2.0-alpha.1 to v22.2.3 | March 1, 2023 |
A-97178 | Clusters that are upgraded to v22.2.4 when a previous upgrade to v22.2.x has not been finalized exhibit a bug that prevents non-admin users from connecting to the cluster. | v22.2.4 | February 16, 2023 |
A-96465 | The global NOSQLLOGIN privilege does not restrict SQL access as it should. | v22.2.0 to v22.2.3 | February 6, 2023 |
A-96029 | CockroachDB may display higher than expected values for histogram metrics when calculating quantiles. | v22.2.0 to v22.2.3 | January 27, 2023 |
C20230118 | CockroachDB Cloud users with the Developer role could perform SQL admin-like operations using a specific internal DB Console API. | CockroachDB Cloud from November 2022 to January 2023 | January 18, 2023 |
A-93314 | CockroachDB crashes when a user-defined function is created using any implicit record type which contains a column of user-defined ENUM type as the function’s parameter type or return type. | v22.2.0 and v22.2.1 | January 4, 2023 |
A-90146 | Changefeeds using the initial_scan='only' or schema_change_policy='stop' options may incorrectly complete with a successful status under certain circumstances. | v22.1.6 to v22.1.9 | December 20, 2022 |
A-88042 | A RESTORE of an incremental backup may include rows that should not be restored, in a narrow set of circumstances relating to an ongoing IMPORT INTO job. | v22.1.0 to v22.1.8 and v21.2.0 to v21.2.16 | October 24, 2022 |
A-88993 | A query with ORDER BY and LIMIT clauses could return incorrect results if it scanned a multi-column index containing the ORDER BY columns, and a prefix of the index columns was held fixed to two or more constant values by the query filter or schema. | v22.1.0 to v22.1.8 | October 17, 2022 |
A-88047 | Querying a REGIONAL BY ROW or partitioned multi-region table could produce incorrect results if the query has a LIMIT of less than 100,000 and uses an inverted index. | v22.1.0 to v22.1.7 | September 29, 2022 |
A-84144 | Multi-region tables whose locality has been altered to REGIONAL BY ROW are at risk of being corrupted. | v22.1.0 to v22.1.3 | July 19, 2022 |
A-82576 | Adding a column to a table which references a sequence, or creating a table with columns referencing sequences, adds an incomplete back-reference to the sequence metadata. | v22.1.0 to v22.1.2 | July 18, 2022 |
A-82079 | If a CREATE MATERIALIZED VIEW statement fails, all objects referenced in its SELECT query will be unusable. | v21.2.0 to v21.2.12, v22.1.0 | July 18, 2022 |
A-81448 | Secondary indexes containing columns that are not null, have a volatile default expression, and are present in one or more secondary indexes will have inconsistent values relative to the primary index, which can lead to incorrect query results. | v21.1.x, v21.2.0 to v21.2.12, v22.1.0 | June 28, 2022 |
A-81968 | Left outer joins and correlated subqueries can produce incorrect results. | v22.1.0 | June 6, 2022 |
A-82309 | During or after an upgrade from CockroachDB v21.2.x to v22.1.0, existing changefeeds will stop emitting data. | v22.1.0-alpha.1 to v22.1.0 | June 3, 2022 |
A-81315 | Prepared SELECT queries that filter a column with a constant cast to the wrong type fail to return the expected results. | v21.2.0 to v21.2.10, v22.1.0-alpha.1 to v22.1.0 | May 23, 2022 |
A-79066 | Data key rotation is inadvertently disabled if the store key hasn't changed since the last node start. | All clusters with encryption-at-rest enabled running CockroachDB v20.2.x, v21.1.0 to v21.1.18, and v21.2.0 to v21.2.9 | May 2, 2022 |
A-79384 | The optimizer has been found to create logically incorrect query plans in some cases. | v21.1.0 to v21.1.17, v21.2.0 to v21.2.8, v22.1.0-alpha.1 to v22.1.0-beta.1 | April 14, 2022 |
A-79281 | Importing duplicate keys can cause violations of UNIQUE constraints. | v21.2.0 to v21.2.7, v22.1.0-alpha.1 to v22.1.0-alpha.5, v22.1.0-beta.1 | April 12, 2022 |
A-78681 | The optimizer has been found to create logically incorrect query plans in some cases. | v21.1.0 to v21.1.16, v21.2.0 to v21.1.7, v22.1.0-alpha.1 to v22.1.0-alpha.5 | April 11, 2022 |
A-76522 | The optimizer can omit ON conditions of joins in query plans, causing incorrect results. | v20.2.0 to v20.2.19, v21.1.0 to v21.1.15, v21.2.0 to v21.2.6 | March 9, 2022 |
A-75758 | Users without the appropriate permissions may cancel any other users' sessions from the DB Console. | v20.2.0 to v20.2.18, v21.1.0 to v21.1.13, v21.2.0 to v21.2.4 | February 10, 2022 |
A-74736 | Queries can miss rows in a primary or unique index that is being scanned, causing incorrect query results. | v21.2.0 to v21.2.4 | February 7, 2022 |
A-74385 | Partial indexes can be corrupted by UPDATE statements, resulting in incorrect query results for any queries that use the partial index. | v21.1 and v21.2 prior to v21.1.13 and v21.2.4 | January 6, 2022 |
CVE-2021-44228 | No Cockroach Labs products or services are affected by the recent CVE-2021-44228 Apache Log4j vulnerability. | None | December 14, 2021 |
A-73629 | Planning queries over partitioned tables with a DEFAULT partition in a PARTITION BY LIST clause could cause a spurious internal error. | v21.1 and v21.2 prior to v21.1.13 and v21.2.3 | December 14, 2021 |
A-73024 | The optimizer could plan queries that use semi-joins against multi-region REGIONAL BY ROW tables incorrectly. | v21.2.0 | November 29, 2021 |
A-72839 | Backups fail during the upgrade process. | v21.2.0 | November 18, 2021 |
A-71553 | SQL statements that used secondary unique indexes that were created as a result of an ALTER PRIMARY KEY statement can return incorrect results. | v20.2, v21.1 | November 8, 2021 |
A-71655 | Zigzag joins could potentially produce incorrect results. | v19.2, v20.1, v20.2, v21.1 | November 2, 2021 |
A-71002 | CockroachDB v21.1.9 drops WHERE predicates from prepared statements in specific circumstances. | v21.1.9 | October 7, 2021 |
A-69874 | CockroachDB v21.1.8 cannot be downgraded. | v21.1.8 | September 7, 2021 |
A-68005 | The sql.trace.txn.enable_threshold cluster setting causes crash loops. | v21.1.0 to v21.1.6 | August 20, 2021 |
A-62842 | TRUNCATE TABLE during CREATE/ALTER INDEX can cause data corruption. | v20.2.0 to v20.2.8 | July 29, 2021 |
A-64325 | Race condition between reads and replica removal. | v20.1 and later | May 3, 2021 |
A-63162 | Invalid incremental backups under certain circumstances. | v19.1.0 to v19.1.11, v19.2.0 to v19.2.12, v20.1.0 to v20.1.14, v20.2.0 to v20.2.7 | April 30, 2021 |
A-58932 | HTTP requests can cause full-cluster denial of service (DoS). | v19.2.0 to v19.2.11, v20.1.0 to v20.1.10, v20.2.0 to v20.2.3 | February 2, 2021 |
A-56116 | Incorrect timezone calculations with "slim" zoneinfo format. | All | October 29, 2020 |
A-54418 | Incorrect behavior with large batch UPSERTs. | v20.1.4, v20.1.5 | September 24, 2020 |
A-50587 | TRUNCATE prevents table renaming. | v19.1.0 to v19.1.10, v19.2.0 to v19.2.8 | July 6, 2020 |
A-48860 | Data corruption/loss issue with snapshots and delete range. | v2.1.0 to v2.1.9, v19.1.0 to v19.1.8, v19.2.0 to v19.2.6 | May 20, 2020 |
A-44348 | Data leak in statement details. | v2.1.0 to v2.1.11, v19.1.0 to v19.1.7, v19.2.0 to v19.2.3 | February 12, 2020 |
A-44299 | Schema changes may cause cluster unavailability. | v19.1.0 to v19.1.7, v19.2.0 to v19.2.3 | February 12, 2020 |
A-44166 | SHOW JOBS and the Jobs page can endanger cluster stability. | v19.2.0 to v19.2.2 | February 12, 2020 |
A-43870 | HTTP authentication for non-Enterprise users. | v2.1.10 onward, v19.1.6 onward, v19.2.2 | January 22, 2020 |
A-42567 | HTTP endpoint vulnerability. | v2.1.0 to v2.1.8, v19.1.0 to v19.1.5, v19.2.0 to v19.2.1 | January 22, 2020 |
A-30821 | Authentication bypass for internal RPCs. | v1.1.0 to v1.1.8, v2.0.0 to v2.0.4 | October 1, 2018 |