Apache Thrift 0.23.0 was released on April 27, 2026 and fixes 6 High-severity CVEs (CVE-2026-41636, CVE-2026-41605, CVE-2026-41604, CVE-2026-41603, CVE-2026-41602, CVE-2025-48431). All prior versions are affected.
databricks-sql-connector 4.2.6 currently requires thrift >=0.22.0, <0.23.0, which prevents downstream consumers from picking up the security fix. The thrift 0.23.0 Python library has no breaking API changes -- it adds security hardening (recursion depth limits, payload size limits) and drops EOL Python versions.
Requests:
- Short-term: Widen the pin in the current codebase to thrift >=0.22.0, <0.24.0 to allow 0.23.0
- Release: Publish a new version (4.2.7 or 4.3.0) to PyPI so downstream consumers can resolve the CVEs
Many enterprise users are blocked on security scan SLAs and cannot remediate until this is unblocked. Thrift 0.23.0 is also not yet on PyPI, but once it is, having the pin already widened would unblock everyone immediately.
Related: #695, PR #733
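A small dependency-pin audit, added here as an example (not code from databricks-sql-connector or Apache Thrift), showing why the current pin blocks the fix: it parses comma-separated version specifiers and flags any requirement whose bounds exclude the version that carries the CVE fixes. It assumes plain numeric PEP 440-style versions and the comparison operators `>=`, `>`, `<=`, `<`, `==`, `!=`; the sample requirement lines are constructed from the pins quoted in this issue.

```python
"""Flag dependency pins that cannot resolve a CVE-fixed version.

Added example; assumes numeric dotted versions and simple comparison clauses.
"""
import re
from typing import Dict, Iterable, Tuple

_CLAUSE = re.compile(r"^(>=|<=|==|!=|>|<)\s*([0-9]+(?:\.[0-9]+)*)$")
_OPS = {
    ">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}


def _parse_version(text: str) -> Tuple[int, ...]:
    """Turn '0.23.0' into a comparable tuple; '0.23' and '0.23.0' compare equal."""
    parts = tuple(int(p) for p in text.split("."))
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts


def version_allowed(spec: str, version: str) -> bool:
    """True if `version` satisfies every clause of a comma-separated specifier."""
    candidate = _parse_version(version)
    for clause in (c.strip() for c in spec.split(",") if c.strip()):
        match = _CLAUSE.match(clause)
        if not match:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, bound = match.groups()
        if not _OPS[op](candidate, _parse_version(bound)):
            return False
    return True


def audit_requirements(requirements: Iterable[str], fixed: Dict[str, str]) -> Dict[str, str]:
    """Return {package: specifier} for every pin that excludes that package's fixed version."""
    blocked = {}
    for line in requirements:
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        match = re.match(r"^([A-Za-z0-9_.-]+)\s*(.*)$", line)
        name, spec = match.group(1).lower(), match.group(2)
        if name in fixed and not version_allowed(spec, fixed[name]):
            blocked[name] = spec
    return blocked


# Constructed sample input: the current pin from this issue beside the proposed widened pin.
CURRENT_PIN = "thrift>=0.22.0,<0.23.0"
WIDENED_PIN = "thrift>=0.22.0,<0.24.0"
FIXED_VERSIONS = {"thrift": "0.23.0"}  # version this issue names as carrying the CVE fixes
```

Running `audit_requirements([CURRENT_PIN], FIXED_VERSIONS)` reports thrift as blocked, while the widened pin produces an empty result.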