Snowflake Connector for Python release notes for 2026

This article contains the release notes for the Snowflake Connector for Python, including the following when applicable:

  • Behavior changes
  • New features
  • Customer-facing bug fixes

Snowflake uses semantic versioning for Snowflake Connector for Python updates.

See Snowflake Connector for Python for documentation.

Version 4.5.0 (May 12, 2026)

New features and updates

  • Added ECDSA key support (ES256, ES384, ES512) for key-pair authentication.
  • Added HTTP 307/308 redirect status codes to the retryable set as defense-in-depth, with redirect-aware logging in both sync and async paths.
  • Consolidated keyring token cache to use a single service name with hashed account keys, reducing macOS Keychain password prompts. Legacy entries are auto-migrated on first read.
  • Added support for AWS outbound JWT token attestation for Workload Identity Federation (WIF). This can be enabled by setting the SNOWFLAKE_ENABLE_AWS_WIF_OUTBOUND_TOKEN environment variable to true. This environment variable will be removed in a future release.
  • Removed dynamic class deserialization from the OCSP response validation cache to prevent arbitrary code execution via crafted cache files. The SNOWFLAKE_ENABLE_CUSTOM_REVOCATION_ERRORS environment variable is now a no-op.
  • Updated SPCS token injection to gate on the SNOWFLAKE_RUNNING_INSIDE_SPCS environment variable, trim whitespace, and remove the configurable token path.
  • GCP WIF attestation now uses hostname metadata.google.internal instead of the IPv4 link-local address, so it works on IPv6-only GCP VMs.
  • Added validation of the account connection parameter so malformed identifiers (for example path-like values or labels outside letters, digits, _, and -) are rejected with ProgrammingError before login.
  • Added support for Azure Workload Identity Federation impersonation, allowing a managed identity to authenticate as a service principal.

Bug fixes

  • Fixed write_pandas temp stage name collisions. The old PRNG could produce identical name sequences in forked processes (for example, Notebook kernels), causing CREATE TEMPORARY STAGE to fail with “Object already exists”.
  • Fixed a security bug in Okta SAML authentication where _is_prefix_equal() compared url1’s port against itself instead of url2’s port, allowing an attacker to redirect credentials to a different port on the same hostname. Also fixed the default port fallback to use int instead of str for correct comparison when one URL omits the port.
  • Fixed executemany with paramstyle="pyformat" to correctly locate the VALUES clause using a balanced-parentheses parser instead of a greedy regex. This fixes incorrect behavior with nested function calls such as SQLAlchemy @compiles VARIANT patterns (for example, PARSE_JSON(%(col)s)) and subquery-form INSERTs.
  • Fixed a bug where write_pandas() with auto_create_table=False and overwrite=True would execute CREATE TABLE IF NOT EXISTS, which required unnecessary OWNERSHIP privilege on the table. Now only TRUNCATE TABLE is executed in this case.

Version 4.4.0 (Mar 25, 2026)

New features and updates

  • Bumped the lower boundary of the cryptography package to 46.0.5 to address CVE-2026-26007.
  • Added support for Python 3.14.
  • Removed the upper bound dependency constraint on pyOpenSSL to allow installation of pyOpenSSL 26.0.0+, which includes a fix for GHSA-vp96-hxj8-p424.

Deprecated features

  • Renamed the environment variable for skipping config file permission warnings from SF_SKIP_WARNING_FOR_READ_PERMISSIONS_ON_CONFIG_FILE to SF_SKIP_TOKEN_FILE_PERMISSIONS_VERIFICATION. The old variable is still supported but emits a deprecation warning.

Bug fixes

  • Fixed the Azure IMDS Metadata header to use lowercase "true" instead of "True", which caused 400 errors during Azure Workload Identity Federation authentication.
  • Fixed the default crl_download_max_size to be 20MB instead of 200MB to prevent potential out-of-memory issues.
  • Fixed a bug where Azure GET commands would incorrectly set the file status to UPLOADED instead of preserving the DOWNLOADED status during metadata retrieval.
  • Fixed the unsafe_skip_file_permissions_check flag not being respected when reading connections.toml.
  • Fixed a JSONDecodeError in result_batch._load() when fetching large result sets.

Version 4.3.0 (Feb 12, 2026)

Deprecated features

  • Deprecated support for custom revocation error classes in OCSP response cache deserialization. By default, only RevocationCheckError exceptions are deserialized from OCSP cache. Custom exception classes can be temporarily enabled by setting the SNOWFLAKE_ENABLE_CUSTOM_REVOCATION_ERRORS environment variable to true or 1, but this support will be removed in a future release.

New features and updates

  • Bumped vendored urllib3 to version 2.6.3.
  • Added force_microseconds_precision to cursor.fetch_arrow_all and cursor.fetch_pandas_all to avoid PyArrow schema inconsistencies between batches.
  • Added a warning when using HTTP protocol for OAuth URLs.
  • Updated the server_session_keep_alive parameter in SnowflakeConnection to skip checking for pending asyncronous queries, providing faster connection close times, especially when many asyncronous queries are executed.

Bug fixes

  • Fixed the string representation of INTERVAL YEAR and INTERVAL MONTH types.
  • Ensured proper list conversions; the converter now runs to_snowflake on all list items.

Version 4.2.0 (Jan 07, 2026)

New features and updates

  • Added the SnowflakeCursor.stats property to expose granular DML statistics (rows inserted, deleted, updated, and duplicates) for operations like CTAS where rowcount is insufficient.
  • Added support for injecting Snowpark Container Services (SPCS) service identifier tokens (SPCS_TOKEN) into login requests when present in SPCS containers.
  • Introduced a shared library for extended telemetry to identify and prepare testing platforms for native Rust extensions.

Bug fixes

  • None.