Apache Thrift 0.23.0 was released on April 27, 2026 and fixes 6 High-severity CVEs (CVE-2026-41636, CVE-2026-41605, CVE-2026-41604, CVE-2026-41603, CVE-2026-41602, CVE-2025-48431). All prior versions are affected.

`databricks-sql-connector` 4.2.6 currently requires `thrift >=0.22.0, <0.23.0`, which prevents downstream consumers from picking up the security fix. The thrift 0.23.0 Python library has no breaking API changes: it adds security hardening (recursion depth limits, payload size limits) and drops EOL Python versions.

Requests:

- Short-term: Widen the pin in the current codebase to `thrift >=0.22.0, <0.24.0` to allow 0.23.0.
- Release: Publish a new version (4.2.7 or 4.3.0) to PyPI so downstream consumers can resolve the CVEs.

Many enterprise users are blocked on security scan SLAs and cannot remediate until this is unblocked. Thrift 0.23.0 is also not yet on PyPI, but once it is, having the pin already widened would unblock everyone immediately.
Related: #695, PR #733
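The practical question behind this issue is twofold: does a given pin admit the fixed thrift release, and does an environment still carry a vulnerable one. The following stdlib-only Python script is an added example and is not code from the issue author or from the databricks-sql-connector project. It implements a deliberately small subset of PEP 440 specifier matching (the comparison operators only, plain numeric versions) and scans constructed `pip freeze` output; the `FIXED_THRIFT` floor comes from the issue's statement that 0.23.0 fixes the CVEs and all prior versions are affected, while the helper names, the regexes and the sample freeze text are assumptions made for illustration.

```python
import re

# Per the issue: thrift 0.23.0 carries the fix and all prior versions are affected.
FIXED_THRIFT = (0, 23, 0)


def parse_version(s):
    """Turn a dotted numeric version like '0.22.0' into a comparable tuple.
    Assumption: release versions only; any non-numeric suffix ends parsing."""
    parts = []
    for piece in s.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def specifier_allows(spec, version):
    """True if every clause of a comma-separated specifier set admits `version`.
    Supports only the operators in _OPS with plain numeric versions
    (no ~=, ===, wildcards or local/pre-release labels)."""
    v = parse_version(version)
    for clause in spec.split(","):
        clause = clause.strip()
        if not clause:
            continue
        m = re.match(r"(>=|<=|==|!=|>|<)\s*([\d.]+)$", clause)
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        op, target = m.groups()
        if not _OPS[op](v, parse_version(target)):
            return False
    return True


def thrift_is_vulnerable(version):
    """Vulnerable means strictly below the fixed release."""
    return parse_version(version) < FIXED_THRIFT


def audit_freeze(freeze_text):
    """Scan `pip freeze` output for a pinned thrift.
    Returns (pinned_version or None, vulnerable flag)."""
    for line in freeze_text.splitlines():
        m = re.match(r"\s*thrift\s*==\s*([\w.]+)", line, re.IGNORECASE)
        if m:
            ver = m.group(1)
            return ver, thrift_is_vulnerable(ver)
    return None, False


# Constructed sample freeze output; not captured from any real environment.
SAMPLE_FREEZE = """\
databricks-sql-connector==4.2.6
thrift==0.22.0
urllib3==2.2.3
"""

if __name__ == "__main__":
    old_pin = ">=0.22.0, <0.23.0"   # current connector pin (from the issue)
    new_pin = ">=0.22.0, <0.24.0"   # requested pin (from the issue)
    for pin in (old_pin, new_pin):
        print(f"{pin!r} admits 0.23.0: {specifier_allows(pin, '0.23.0')}")
    ver, vuln = audit_freeze(SAMPLE_FREEZE)
    print(f"installed thrift {ver}: {'VULNERABLE' if vuln else 'ok'}")
```

The two-sided check matters: the widened pin must admit 0.23.0 but still exclude 0.24.0, which the assertions below confirm; the freeze audit is what a scanner SLA review would run against each environment until the connector release ships.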