TigerGraph DB Release Notes
TigerGraph Server 4.3.0-rc1 Preview was released on July 8, 2026.
|
TigerGraph 4.3.0-rc1 is the first release candidate (rc) preview build of TigerGraph 4.3.0. TigerGraph 4.3’s feature set builds upon the capabilities introduced in 4.2.2. |
Key New Features
-
Mutual TLS (mTLS) Authentication: Enables both the client and server to authenticate each other using certificates, improving connection security for external applications and services.
-
Kerberos SSO Authentication: Enables Single Sign-On (SSO) using Kerberos for seamless and secure user authentication.
-
Supports ticket-based authentication using Kerberos
-
Integrates with existing SSO configurations alongside SAML and OIDC
-
Supports role mapping using proxy groups for flexible access control
-
-
NULL Value Support: Allows vertex and edge attributes defined as
NULLABLEto acceptNULLvalues.-
Enables loading of
NULLvalues for primitive and collection data types -
Supports
NULLvalue ingestion through loading jobs and DML statements -
Allows
NULLvalues to be returned in query results
-
-
Load Data from Apache Iceberg (Preview): Load data from Iceberg-based data lakehouses using a built-in connector with support for Iceberg REST Catalogs and S3 or MinIO storage backends.
-
Proxy User Management: Proxy users can now be explicitly created, dropped, and listed, rather than being created implicitly at first login. This allows administrators to pre-provision and manage proxy user accounts as part of standard user lifecycle management.
-
Audit Log Improvements: Enhances GSQL audit logging for easier parsing and traceability.
-
Adds
System.Audit.DiscreteJsonFormatto print each entry as a standalone JSON object for easier parsing -
Adds new fields for actions, objects, graphs, and REST/GSQL request details
-
Removes
databaseNamefrom the log header by default, with an option to re-enable it
-
Detailed List of New and Modified Features
System Management Enhancements
-
Improved proxy user management by introducing support to create, drop, and view proxy users directly, providing better control over externally authenticated users.
-
New open metric
tigergraph_license_days_leftfor days remaining until license expiration. -
Added support for Amazon Linux 2023 and Ubuntu 24.04.
-
Installation on Ubuntu 24.04 and later requires the
binutilspackage.
-
-
GSQL audit-log improvements with new configuration
System.Audit.DiscreteJsonFormatand additional log fields (actionType, objectType, graphName). -
Enhanced audit logs by adding a
durationfield to record the execution time of GSQL operations and introducing audit log entries for user logout events initiated from GSQL Shell and GraphStudio. -
Increased the default maximum HTTP request header size from 20 KB to 64 KB to better support large request headers (such as LDAP/SSO scenarios). The new configuration parameter
GSQL.MaxHttpRequestHeaderSizeKBallows customization.-
When set to
0(default), the system uses the default value of 64 KB. -
Requests exceeding the configured limit now return HTTP status
431 Request Header Fields Too Largeinstead of400 Bad Request.
-
-
Query installation logs now include a completion summary, elapsed time, and a failure report listing any skipped or failed queries. These logs are also shown during a TigerGraph upgrade.
-
Added support for IAM role-based authentication and region-aware AWS S3 backup and restore.
-
New configuration parameter
System.Backup.S3.IAMAuthenables authentication using an AWS EC2 Instance Profile for S3 backup and restore as an alternative to access keys. -
New configuration parameter
System.Backup.S3.Regionspecifies the AWS Region used to sign requests to the S3 bucket. This value should match the Region where the S3 bucket is located.
-
Security and Access Control Enhancements
-
Mutual TLS (mTLS) Authentication enables certificate-based mutual authentication between clients and the server, strengthening connection security for external applications and services.
-
Added Kerberos as an SSO authentication option, alongside existing SAML, OIDC, and LDAP methods. Added a new endpoint
GET /gsql/v1/sso/authnrequestto retrieve available SSO authentication methods. -
S3 Authentication via AWS Role ARN: Added support for AWS Role Assumption when writing query output to S3 storage, enabling authentication via the
s3_assume_rolesession parameter as an alternative to AWS access keys. -
ACL privilege migrations are prevented if the ACL catalog contains the query contents.
-
SAML SSO now supports full X.509 certificate chains for both Service Provider (SP) and Identity Provider (IdP) certificates. Certificate chains can include server, intermediate, and root certificates in a single uploaded file.
Output to Cloud Enhancements
-
Writing query output to S3-compatible storage (such as Ceph, MinIO, and Wasabi) is now supported using a configurable
s3_endpoint, enabling integration with non-AWS storage systems. -
Added support for specifying the S3 region using the
s3_regionsession parameter when writing query output to S3-compatible storage.
API Enhancements
-
Added a REST endpoint
GET /gsql/v1/schema/versionto retrieve the current committed schema version. The endpoint returns the latest schema version as an integer. -
RESTPP endpoints
/query_status,/query_result,/showprocesslist/{graph_name}, and/showprocesslistallnow report query status and results across all server nodes in a distributed cluster, not just the node receiving the request. Use the optionaldisallow_redirectparameter to query only the local node, if desired. -
Added a new Informant endpoint
GET /informant/licenseinfoto retrieve license information and usage. -
Added a new query routing mode `RESTPP.QueryRouting.Mode = 2 `(LocalGPE) to route RESTPP requests directly to the co-located GPE on the same node. This reduces latency for high-QPS workloads by removing an extra network hop.
Query Language Enhancements
-
INTERPRET QUERY
-modeoption: Added support for a-modeoption to control how interpreted queries are executed.-
instruction: Uses a faster execution engine (may not support all features) -
legacy: Uses the original engine with full feature support -
debug: Generates debug files for troubleshooting
-
By default, TigerGraph automatically selects the appropriate mode.
-
Configuration parameter
GSQL.AllowInterpretedQueriesallows enabling or disabling interpreted queries, helping enforce an installed-queries-only policy in production environments. -
Bitwise Accumulators: Added support for dynamic-length BitwiseAccums, allowing lengths to be defined using query parameters or variables. Also introduced a
.clear()function for improved memory management during query execution. -
File objects can now be created with an optional file permission parameter, allowing users to specify permissions using a Linux octal-encoded file permission code.
Data Streaming/Connector Enhancements
-
Load data from Apache Iceberg (Preview) enables loading data from Iceberg-based data lakehouses using SQL-based queries and REST catalog integration.
-
Added new SSL keystore configurations(ssl.keystore, ssl.keystore.type, ssl.keystore.password) for the Spark Connector.
-
Spark Connector now supports direct upsert of vertices and edges from a Spark DataFrame, without the need to define a GSQL loading job.
GraphStudio, Admin Portal, and Insights
-
Updated access control for the Query Monitoring page to use privilege-based access instead of role-based access.
-
READ_DATAprivilege controls query visibility across all or specific graphs; users without access see an appropriate error message. -
Users with
DELETE_DATAprivilege can abort queries running on a graph.
-
Fixed issues
Fixed and Improved in 4.3.0
Functionality
-
Fixed incorrect latency values in RESTPP logs when a request returned an error (CORE-5046).
-
Fixed an issue where the username was not displayed on the home page after SSO login (APPS-4376).
-
Fixed an issue where
/query_status,/query_result,/showprocesslist/{graph_name}, and/showprocesslistalldid not return complete results when requests were routed to different RESTPP nodes in a cluster (CORE-5200). -
Fixed an issue where style configuration and the detail panel did not update correctly after selecting a vertex in GraphStudio Explore Graph (APPS-4369).
-
Fixed an issue where upgrade runtime logs displayed misleading completion messages before the upgrade process had fully completed (TP-8429).
-
Fixed an issue where GUI CORS settings could not be configured from the Admin Portal (APPS-3602).
-
Fixed an issue where tooltips in GraphStudio could be partially hidden when hovering near the edge of the viewport (APPS-4378).
-
Fixed an issue where log access in the Admin Portal required both
APP_ACCESS_LOGandAPP_ACCESS_DATAprivileges instead ofAPP_ACCESS_LOGexclusively (APPS-3253). -
Fixed an issue where binary files were written during segment rebuild even when the segment had already been deleted (CORE-4578).
-
Fixed an issue where repeated backups took progressively longer despite minimal data growth, caused by inefficient processing of schema changes (CORE-5000).
-
Fixed an issue where failure signal handling in engine services prevented expected core dump generation (CORE-5061).
-
Fixed an issue where partition configuration recovery could result in schema inconsistencies when
config.yamlwas missing but segment data existed (CORE-5322). -
Fixed an issue where schema change validation failures provided unclear error messages during DSCDrain or DSCValidation (GLE-9913).
-
Fixed an issue where certain
PRINT TO_CSVsyntax patterns were not supported when printing query results (GLE-10524). -
Fixed an issue where Kafka retention could be blocked by a remote segment associated with a deleted vertex type (CORE-5409).
-
Fixed an issue where password policies intended for native users were incorrectly enforced on LDAP proxy users (GLE-9533).
-
Added the
Security.JWT.JWKS.URLconfiguration parameter to fetch JWT certificates using the Key ID (kid) from a JWKS URL, ensuring compliance with the JWKS standard (GLE-10289). -
Fixed an issue where
LastSuccessLoginandNextValidLoginwere not updated after successful authentication of LDAP proxy users (GLE-10646). -
Fixed an issue where Spark JDBC connections could experience unexpected socket timeouts when
queryTimeoutwas not passed to the TigerGraph JDBC driver (TP-8385). -
Fixed an issue where requests on port
14240could not be routed directly to a specific RESTPP node when direct node-level access was required (TP-9166). -
Fixed an issue where certain upgrade validation checks were performed after upgrade instead of during pre-upgrade checks (GLE-10562).
-
Fixed an issue that caused intermittent errors during legacy token validation (GLE-11683).
-
Fixed an issue where token generation could become unresponsive during schema change operations by optimizing the workflow (GLE-11699).
-
Fixed an issue where the system would throw a
NullPointerExceptionand fail to create or install a query during code validation (GLE-10502).
Improvements
-
Improved security for namespace-scoped TigerGraph Operator installations by separating required cluster roles and namespace roles (TP-7857).
-
Improved file permission handling by supporting string literals in file variable declarations used with
PRINT TO_CSV(GLE-10956).
Security
-
Refined loading job summary output by replacing detailed error information with line numbers for invalid entries (TP-8628).
-
Improved configuration security by masking AWS credential values in
gadminoutputs (TP-8533). -
Third-party Vulnerabilities NOT impacting TigerGraph:
Fixed the following security vulnerabilities: CVE-2024-31033, CVE-2024-6763, CVE-2024-8184, CVE-2024-9823, CVE-2025-11143, CVE-2025-67030, CVE-2025-67721, CVE-2025-68161, CVE-2026-1002, CVE-2026-22007, CVE-2026-22013, CVE-2026-22016, CVE-2026-22018, CVE-2026-22021, CVE-2026-22732, CVE-2026-22735, CVE-2026-22737, CVE-2026-2332, CVE-2026-24051, CVE-2026-24281, CVE-2026-24308, CVE-2026-24734, CVE-2026-24880, CVE-2026-25679, CVE-2026-25854, CVE-2026-27139, CVE-2026-27142, CVE-2026-27145, CVE-2026-29145, CVE-2026-29146, CVE-2026-29181, CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32283, CVE-2026-32288, CVE-2026-32289, CVE-2026-3293, CVE-2026-32990, CVE-2026-33186, CVE-2026-33810, CVE-2026-33811, CVE-2026-33814, CVE-2026-33870, CVE-2026-33871, CVE-2026-34268, CVE-2026-34282, CVE-2026-34478, CVE-2026-34480, CVE-2026-34483, CVE-2026-34487, CVE-2026-34500, CVE-2026-39820, CVE-2026-39823, CVE-2026-39825, CVE-2026-39826, CVE-2026-39836, CVE-2026-39883, CVE-2026-41284, CVE-2026-41293, CVE-2026-41417, CVE-2026-42198, CVE-2026-42498, CVE-2026-42499, CVE-2026-42504, CVE-2026-42507, CVE-2026-42577, CVE-2026-42578, CVE-2026-42579, CVE-2026-42580, CVE-2026-42581, CVE-2026-42583, CVE-2026-42584, CVE-2026-42585, CVE-2026-42587, CVE-2026-42945, CVE-2026-43512, CVE-2026-43513, CVE-2026-43514, CVE-2026-43515, CVE-2026-44249, CVE-2026-45205, CVE-2026-45416, CVE-2026-45536, CVE-2026-45673, CVE-2026-45674, CVE-2026-47244, CVE-2026-47691, CVE-2026-48043, CVE-2026-50010, CVE-2026-50020, CVE-2026-50560, CVE-2026-54512, CVE-2026-54513, CVE-2026-54514, CVE-2026-54515, and CVE-2026-6860.
Third-party Vulnerability impacting TigerGraph: None
Known Issues and Limitations
| Description | Found In | Workaround | Fixed In |
|---|---|---|---|
If a non-procedural query has a syntax error, the GSQL interpreter ignored the invalid portion and executed the partial query before the error, without raising an error. |
4.2.0 |
Check the full query before accepting it. |
4.2.1 |
A NullPointerException occurs when performing a code check for queries using statements other than a = vt.* or a = {vt.*}, causing query creation to fail. |
4.1.3 |
TBD |
TBD |
When |
4.1.3 |
TBD |
TBD |
After upgrading, the system fails to detect |
4.1.3 |
TBD |
TBD |
When using |
4.1.3 |
TBD |
TBD |
Using |
4.1.3 |
Move the |
TBD |
After a cluster expansion, the GPE service may remain in the warmup state. |
4.1.1 |
If this happens, run |
TBD |
The |
4.1 |
Use legacy methods for access control: Define separate graphs which span the same data but have different queries and users. |
TBD |
If a RESTPP request is for a graph operation and thus sent to the GPE then fails inside the GPE, the RESTPP will interpret the response from the GPE as success and report SUCCEED in the audit log. |
4.1 |
Use a |
TBD |
When upgrading, possible permission error for destination folder. |
3.10.1 |
Manually grant permission to |
TBD |
Export does not include LDAP proxy groups |
3.9+ |
Manually recreate the proxy groups on the imported database. |
Compatibility Issues
|
These Release Notes describe changes in this release. For upgrade checks across versions, see the Compatibility and Migration pages. |
| Description | Version Introduced |
|---|---|
Many REST API endpoints were updated, including consolidation, path prefix changes, and token authentication support. See the REST API reference page. |
v4.1.0 |
To apply a File Input Policy or File Output Policy change, now both |
v4.1.3, v4.2.0 |
The |
v4.2.0 |
In CDC messages, the format of tuple values has changed. |
v4.2.0 |
SelectVertex() may not be used with a relative filepath but previously this was not enforced. It is now enforced. |
v4.2.0 |
The 'graph' field is now included in CDC messages generated by the TigerGraph CDC service. |
v3.11.0, v4.1.1 |
In CDC messages, the format of map values has changed. |
v3.11.0, v4.1.1 |
A full export package now includes access policies and template queries. |
v4.1.0 |
Users could encounter file input/output policy violations when upgrading a TigerGraph version. See Input policy backward compatibility. |
v3.10.0 |
When a PRINT argument is an expression, the output uses the expression as the key (label) for that output value.
To better support Antlr processing, PRINT now removes any spaces from that key. For example, |
v3.9.3+ |
Betweenness Centrality algorithm: |
v3.9.2+ |
For vertices with string-type primary IDs, vertices whose ID is an empty string will now be rejected. |
v3.9.2+ |
The default mode for the Kafka Connector changed from EOF="false" to EOF="true". |
v3.9.2+ |
The default retention time for two monitoring services |
v3.9.2+ |
The filter for |
v3.9.2+ |
Some user-defined functions (UDFs) may no longer be accepted due to increased security screening.
|
v3.9+ |
Deprecations and Removals
| Description | Deprecated | Removed |
|---|---|---|
The |
3.9.2 |
4.2.0 |
Streaming connector for external Kafka (3.6 to 3.9.2 version) |
3.9.3 |
4.2.0 |
The format for tuple structures in CDC messages will change in a future version. The future format is likely to be similar to the new format for maps. |
4.1.1 |
4.2 |
Access Control Lists (ACLs) are no longer supported. When upgrading from 3.x to 4.x, ACL privileges will be automatically migrated to object-based privileges. |
4.1.0 |
4.1.0 |
The use of plaintext tokens in authentication is deprecated. Use OIDC JWT Authentication instead. |
3.10.0 |
TBD |
Vertex-level Access Control (VLAC) and VLAC Methods are removed and are no longer available. |
3.10.0 |
4.1.0 |
The command |
3.7 |
3.10 |
Spark Connection via JDBC Driver is now deprecated and will no longer be supported. |
3.10.0 |
TBD |
|
3.9.3 |
TBD |
Kubernetes classic mode (non-operator) is deprecated. |
3.9 |
TBD |
The |
3.7 |
4.1 |