TigerGraph DB Release Notes

TigerGraph Server 4.3.0-rc1 Preview was released on July 8, 2026.

TigerGraph 4.3.0-rc1 is the first release candidate (rc) preview build of TigerGraph 4.3.0. TigerGraph 4.3’s feature set builds upon the capabilities introduced in 4.2.2.

Key New Features

  • Mutual TLS (mTLS) Authentication: Enables both the client and server to authenticate each other using certificates, improving connection security for external applications and services.

  • Kerberos SSO Authentication: Enables Single Sign-On (SSO) using Kerberos for seamless and secure user authentication.

    • Supports ticket-based authentication using Kerberos

    • Integrates with existing SSO configurations alongside SAML and OIDC

    • Supports role mapping using proxy groups for flexible access control

  • NULL Value Support: Allows vertex and edge attributes defined as NULLABLE to accept NULL values.

    • Enables loading of NULL values for primitive and collection data types

    • Supports NULL value ingestion through loading jobs and DML statements

    • Allows NULL values to be returned in query results

  • Load Data from Apache Iceberg (Preview): Load data from Iceberg-based data lakehouses using a built-in connector with support for Iceberg REST Catalogs and S3 or MinIO storage backends.

  • Proxy User Management: Proxy users can now be explicitly created, dropped, and listed, rather than being created implicitly at first login. This allows administrators to pre-provision and manage proxy user accounts as part of standard user lifecycle management.

  • Audit Log Improvements: Enhances GSQL audit logging for easier parsing and traceability.

    • Adds System.Audit.DiscreteJsonFormat to print each entry as a standalone JSON object for easier parsing

    • Adds new fields for actions, objects, graphs, and REST/GSQL request details

    • Removes databaseName from the log header by default, with an option to re-enable it

Detailed List of New and Modified Features

System Management Enhancements

  • Improved proxy user management by introducing support to create, drop, and view proxy users directly, providing better control over externally authenticated users.

  • New open metric tigergraph_license_days_left for days remaining until license expiration.

  • Added support for Amazon Linux 2023 and Ubuntu 24.04.

    • Installation on Ubuntu 24.04 and later requires the binutils package.

  • GSQL audit-log improvements with new configuration System.Audit.DiscreteJsonFormat and additional log fields (actionType, objectType, graphName).

  • Enhanced audit logs by adding a duration field to record the execution time of GSQL operations and introducing audit log entries for user logout events initiated from GSQL Shell and GraphStudio.

  • Increased the default maximum HTTP request header size from 20 KB to 64 KB to better support large request headers (such as LDAP/SSO scenarios). The new configuration parameter GSQL.MaxHttpRequestHeaderSizeKB allows customization.

    • When set to 0 (default), the system uses the default value of 64 KB.

    • Requests exceeding the configured limit now return HTTP status 431 Request Header Fields Too Large instead of 400 Bad Request.

  • Query installation logs now include a completion summary, elapsed time, and a failure report listing any skipped or failed queries. These logs are also shown during a TigerGraph upgrade.

  • Added support for IAM role-based authentication and region-aware AWS S3 backup and restore.

    • New configuration parameter System.Backup.S3.IAMAuth enables authentication using an AWS EC2 Instance Profile for S3 backup and restore as an alternative to access keys.

    • New configuration parameter System.Backup.S3.Region specifies the AWS Region used to sign requests to the S3 bucket. This value should match the Region where the S3 bucket is located.

Security and Access Control Enhancements

  • Mutual TLS (mTLS) Authentication enables certificate-based mutual authentication between clients and the server, strengthening connection security for external applications and services.

  • Added Kerberos as an SSO authentication option, alongside existing SAML, OIDC, and LDAP methods. Added a new endpoint GET /gsql/v1/sso/authnrequest to retrieve available SSO authentication methods.

  • S3 Authentication via AWS Role ARN: Added support for AWS Role Assumption when writing query output to S3 storage, enabling authentication via the s3_assume_role session parameter as an alternative to AWS access keys.

  • ACL privilege migrations are prevented if the ACL catalog contains the query contents.

  • SAML SSO now supports full X.509 certificate chains for both Service Provider (SP) and Identity Provider (IdP) certificates. Certificate chains can include server, intermediate, and root certificates in a single uploaded file.

Output to Cloud Enhancements

  • Writing query output to S3-compatible storage (such as Ceph, MinIO, and Wasabi) is now supported using a configurable s3_endpoint, enabling integration with non-AWS storage systems.

  • Added support for specifying the S3 region using the s3_region session parameter when writing query output to S3-compatible storage.

API Enhancements

Query Language Enhancements

  • INTERPRET QUERY -mode option: Added support for a -mode option to control how interpreted queries are executed.

    • instruction: Uses a faster execution engine (may not support all features)

    • legacy: Uses the original engine with full feature support

    • debug: Generates debug files for troubleshooting

By default, TigerGraph automatically selects the appropriate mode.

  • Configuration parameter GSQL.AllowInterpretedQueries allows enabling or disabling interpreted queries, helping enforce an installed-queries-only policy in production environments.

  • Bitwise Accumulators: Added support for dynamic-length BitwiseAccums, allowing lengths to be defined using query parameters or variables. Also introduced a .clear() function for improved memory management during query execution.

  • File objects can now be created with an optional file permission parameter, allowing users to specify permissions using a Linux octal-encoded file permission code.

Data Streaming/Connector Enhancements

GraphStudio, Admin Portal, and Insights

  • Updated access control for the Query Monitoring page to use privilege-based access instead of role-based access.

    • READ_DATA privilege controls query visibility across all or specific graphs; users without access see an appropriate error message.

    • Users with DELETE_DATA privilege can abort queries running on a graph.

Fixed issues

Fixed and Improved in 4.3.0

Functionality

  • Fixed incorrect latency values in RESTPP logs when a request returned an error (CORE-5046).

  • Fixed an issue where the username was not displayed on the home page after SSO login (APPS-4376).

  • Fixed an issue where /query_status, /query_result, /showprocesslist/{graph_name}, and /showprocesslistall did not return complete results when requests were routed to different RESTPP nodes in a cluster (CORE-5200).

  • Fixed an issue where style configuration and the detail panel did not update correctly after selecting a vertex in GraphStudio Explore Graph (APPS-4369).

  • Fixed an issue where upgrade runtime logs displayed misleading completion messages before the upgrade process had fully completed (TP-8429).

  • Fixed an issue where GUI CORS settings could not be configured from the Admin Portal (APPS-3602).

  • Fixed an issue where tooltips in GraphStudio could be partially hidden when hovering near the edge of the viewport (APPS-4378).

  • Fixed an issue where log access in the Admin Portal required both APP_ACCESS_LOG and APP_ACCESS_DATA privileges instead of APP_ACCESS_LOG exclusively (APPS-3253).

  • Fixed an issue where binary files were written during segment rebuild even when the segment had already been deleted (CORE-4578).

  • Fixed an issue where repeated backups took progressively longer despite minimal data growth, caused by inefficient processing of schema changes (CORE-5000).

  • Fixed an issue where failure signal handling in engine services prevented expected core dump generation (CORE-5061).

  • Fixed an issue where partition configuration recovery could result in schema inconsistencies when config.yaml was missing but segment data existed (CORE-5322).

  • Fixed an issue where schema change validation failures provided unclear error messages during DSCDrain or DSCValidation (GLE-9913).

  • Fixed an issue where certain PRINT TO_CSV syntax patterns were not supported when printing query results (GLE-10524).

  • Fixed an issue where Kafka retention could be blocked by a remote segment associated with a deleted vertex type (CORE-5409).

  • Fixed an issue where password policies intended for native users were incorrectly enforced on LDAP proxy users (GLE-9533).

  • Added the Security.JWT.JWKS.URL configuration parameter to fetch JWT certificates using the Key ID (kid) from a JWKS URL, ensuring compliance with the JWKS standard (GLE-10289).

  • Fixed an issue where LastSuccessLogin and NextValidLogin were not updated after successful authentication of LDAP proxy users (GLE-10646).

  • Fixed an issue where Spark JDBC connections could experience unexpected socket timeouts when queryTimeout was not passed to the TigerGraph JDBC driver (TP-8385).

  • Fixed an issue where requests on port 14240 could not be routed directly to a specific RESTPP node when direct node-level access was required (TP-9166).

  • Fixed an issue where certain upgrade validation checks were performed after upgrade instead of during pre-upgrade checks (GLE-10562).

  • Fixed an issue that caused intermittent errors during legacy token validation (GLE-11683).

  • Fixed an issue where token generation could become unresponsive during schema change operations by optimizing the workflow (GLE-11699).

  • Fixed an issue where the system would throw a NullPointerException and fail to create or install a query during code validation (GLE-10502).

Improvements

  • Improved security for namespace-scoped TigerGraph Operator installations by separating required cluster roles and namespace roles (TP-7857).

  • Improved file permission handling by supporting string literals in file variable declarations used with PRINT TO_CSV (GLE-10956).

Security

  • Refined loading job summary output by replacing detailed error information with line numbers for invalid entries (TP-8628).

  • Improved configuration security by masking AWS credential values in gadmin outputs (TP-8533).

  • Third-party Vulnerabilities NOT impacting TigerGraph:

    Fixed the following security vulnerabilities: CVE-2024-31033, CVE-2024-6763, CVE-2024-8184, CVE-2024-9823, CVE-2025-11143, CVE-2025-67030, CVE-2025-67721, CVE-2025-68161, CVE-2026-1002, CVE-2026-22007, CVE-2026-22013, CVE-2026-22016, CVE-2026-22018, CVE-2026-22021, CVE-2026-22732, CVE-2026-22735, CVE-2026-22737, CVE-2026-2332, CVE-2026-24051, CVE-2026-24281, CVE-2026-24308, CVE-2026-24734, CVE-2026-24880, CVE-2026-25679, CVE-2026-25854, CVE-2026-27139, CVE-2026-27142, CVE-2026-27145, CVE-2026-29145, CVE-2026-29146, CVE-2026-29181, CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32283, CVE-2026-32288, CVE-2026-32289, CVE-2026-3293, CVE-2026-32990, CVE-2026-33186, CVE-2026-33810, CVE-2026-33811, CVE-2026-33814, CVE-2026-33870, CVE-2026-33871, CVE-2026-34268, CVE-2026-34282, CVE-2026-34478, CVE-2026-34480, CVE-2026-34483, CVE-2026-34487, CVE-2026-34500, CVE-2026-39820, CVE-2026-39823, CVE-2026-39825, CVE-2026-39826, CVE-2026-39836, CVE-2026-39883, CVE-2026-41284, CVE-2026-41293, CVE-2026-41417, CVE-2026-42198, CVE-2026-42498, CVE-2026-42499, CVE-2026-42504, CVE-2026-42507, CVE-2026-42577, CVE-2026-42578, CVE-2026-42579, CVE-2026-42580, CVE-2026-42581, CVE-2026-42583, CVE-2026-42584, CVE-2026-42585, CVE-2026-42587, CVE-2026-42945, CVE-2026-43512, CVE-2026-43513, CVE-2026-43514, CVE-2026-43515, CVE-2026-44249, CVE-2026-45205, CVE-2026-45416, CVE-2026-45536, CVE-2026-45673, CVE-2026-45674, CVE-2026-47244, CVE-2026-47691, CVE-2026-48043, CVE-2026-50010, CVE-2026-50020, CVE-2026-50560, CVE-2026-54512, CVE-2026-54513, CVE-2026-54514, CVE-2026-54515, and CVE-2026-6860.

    Third-party Vulnerability impacting TigerGraph: None

Known Issues and Limitations

Description Found In Workaround Fixed In

If a non-procedural query has a syntax error, the GSQL interpreter ignored the invalid portion and executed the partial query before the error, without raising an error.

4.2.0

Check the full query before accepting it.

4.2.1

A NullPointerException occurs when performing a code check for queries using statements other than a = vt.* or a = {vt.*}, causing query creation to fail.

4.1.3

TBD

TBD

When pulldict fails, an empty debug log is generated, as the log level for debug is not enabled by default.

4.1.3

TBD

TBD

After upgrading, the system fails to detect to_string() in the UDF file, leading to query compilation errors. This issue occurs because the system doesn’t report parsing errors during file uploads.

4.1.3

TBD

TBD

When using set(index, value) and flip(index) with BitwiseOrAccum<1000>, the task fails due to lack of support for bit operators (&, |, ~) in bitwise accumulation.

4.1.3

TBD

TBD

Using .flip() on BitwiseAndAccum or BitwiseOrAccum inside a PRINT block may produce different results in UDF mode versus Single/Distributed mode.

4.1.3

Move the .flip() logic to the POST-ACCUM block for consistent behavior.

TBD

After a cluster expansion, the GPE service may remain in the warmup state.

4.1.1

If this happens, run gadmin restart gse -y to release the GPE.

TBD

The EXECUTE_QUERY privilege is not enforced on RESTPP endpoints. That is, users who lack EXECUTE_QUERY can still run a query via

POST /restpp/query/{graph_name}/{query_name}

4.1

Use legacy methods for access control: Define separate graphs which span the same data but have different queries and users.

TBD

If a RESTPP request is for a graph operation and thus sent to the GPE then fails inside the GPE, the RESTPP will interpret the response from the GPE as success and report SUCCEED in the audit log.

4.1

Use a /gsql endpoint instead of a /restpp endpoint.

TBD

When upgrading, possible permission error for destination folder.

3.10.1

Manually grant permission to /var/tmp

TBD

Export does not include LDAP proxy groups

3.9+

Manually recreate the proxy groups on the imported database.

Compatibility Issues

These Release Notes describe changes in this release.

For upgrade checks across versions, see the Compatibility and Migration pages.

Description Version Introduced

Many REST API endpoints were updated, including consolidation, path prefix changes, and token authentication support. See the REST API reference page.

v4.1.0

To apply a File Input Policy or File Output Policy change, now both gsql and restpp servers must be restarted: gadmin restart gsql restpp -y

v4.1.3, v4.2.0

The --incremental option for backup now performs a true incremental backup instead of a differential backup.

v4.2.0

In CDC messages, the format of tuple values has changed.

v4.2.0

SelectVertex() may not be used with a relative filepath but previously this was not enforced. It is now enforced.

v4.2.0

The 'graph' field is now included in CDC messages generated by the TigerGraph CDC service.

v3.11.0, v4.1.1

In CDC messages, the format of map values has changed.

v3.11.0, v4.1.1

A full export package now includes access policies and template queries.

v4.1.0

Users could encounter file input/output policy violations when upgrading a TigerGraph version. See Input policy backward compatibility.

v3.10.0

When a PRINT argument is an expression, the output uses the expression as the key (label) for that output value. To better support Antlr processing, PRINT now removes any spaces from that key. For example, count(DISTINCT @@ids) becomes count(DISTINCT@@ids).

v3.9.3+

Betweenness Centrality algorithm: reverse_edge_type (STRING) parameter changed to reverse_edge_type_set (SET<STRING>), to be consistent with edge_type_set and similar algorithms.

v3.9.2+

For vertices with string-type primary IDs, vertices whose ID is an empty string will now be rejected.

v3.9.2+

The default mode for the Kafka Connector changed from EOF="false" to EOF="true".

v3.9.2+

The default retention time for two monitoring services Informant.RetentionPeriodDays and TS3.RetentionPeriodDays has reduced from 30 to 7 days.

v3.9.2+

The filter for /informant/metrics/get/cpu-memory now accepts a list of ServiceDescriptors instead of a single ServiceDescriptor.

v3.9.2+

Some user-defined functions (UDFs) may no longer be accepted due to increased security screening.

  • UDFs may no longer be called to_string(). This is now a built-in GSQL function.

  • UDF names may no longer use the tg_ prefix. Any user-defined function that began with tg_ must be renamed or removed in ExprFunctions.hpp.

v3.9+

Deprecations and Removals

Description Deprecated Removed

The --meta option for backup is no longer needed because metadata is now included automatically with backup files.

3.9.2

4.2.0

Streaming connector for external Kafka (3.6 to 3.9.2 version)

3.9.3

4.2.0

The format for tuple structures in CDC messages will change in a future version. The future format is likely to be similar to the new format for maps.

4.1.1

4.2

Access Control Lists (ACLs) are no longer supported. When upgrading from 3.x to 4.x, ACL privileges will be automatically migrated to object-based privileges.

4.1.0

4.1.0

The use of plaintext tokens in authentication is deprecated. Use OIDC JWT Authentication instead.

3.10.0

TBD

Vertex-level Access Control (VLAC) and VLAC Methods are removed and are no longer available.

3.10.0

4.1.0

The command gbar is removed and is no longer available. It has been replaced by gadmin backup.

3.7

3.10

Spark Connection via JDBC Driver is now deprecated and will no longer be supported.

3.10.0

TBD

Build Graph Patterns is deprecated and will not be updated or supported and instead we are focusing on Insights as the tool of choice for building visual queries.

3.9.3

TBD

Kubernetes classic mode (non-operator) is deprecated.

3.9

TBD

The WRITE_DATA RBAC privilege is deprecated.

3.7

4.1