Technical Advisory 96454

On this page Carat arrow pointing down

Publication date: February 6, 2023


The global NOSQLLOGIN privilege does not restrict SQL access as it should. This privilege is granted using GRANT SYSTEM NOSQLLOGIN TO <user> but is not properly inspected by authorization checks. The bug was introduced in v22.2.0-alpha.1.


This is resolved in CockroachDB by #96466 and backported in #96520) by fixing the logic that inspects the NOSQLLOGIN privilege.

The fix has been applied to maintenance releases of CockroachDB v22.2.4.

This public issue is tracked by


A workaround is to use the older role option syntax: ALTER ROLE <user> WITH NOSQLLOGIN. Note that unlike the global privilege, the role option does not get inherited by users who are members of the role. Users of CockroachDB v22.2.0 through v22.2.3 are encouraged to upgrade to v22.2.4 or a later version.


The NOSQLLOGIN global privilege does not correctly restrict SQL access. SQL users who should be blocked from running SQL commands are not blocked.

Questions about any technical alert can be directed to our support team.

Yes No
On this page

Yes No