Release 1.12.12-release · open-metadata/OpenMetadata

🔒 Security

sudo upgraded for CVE-2026-35535 #29343: Upgraded sudo in the ingestion image to patch CVE-2026-35535.
Spring, Micrometer & OpenTelemetry CVE patches #29111: Spring 6.2.18 → 6.2.19 (CVE-2026-41850, CVE-2026-41851), Micrometer 1.14.5 → 1.15.12, and pinned OpenTelemetry to patch reported CVEs.
ws bumped for CVE-2026-48779 #29122: Updated ws to 8.21.0.
handlebars bumped for CVE-2026-55760 #29221: Updated handlebars to 4.5.2 to patch a path-traversal vulnerability.
form-data bumped #29349: Updated the form-data package to address reported vulnerabilities.
markdown-it bumped #29057: markdown-it 14.1.1 → 14.2.0.
UI dependency vulnerability fixes #29223: Addressed assorted UI vulnerabilities, including undici 6.25.0 → 6.27.0 and form-data updates.

Cap oversized dataModel column trees at index time #29212: Containers/tables with pathologically large dataModel schemas (hundreds of thousands of columns) produced multi-hundred-MB search documents that could OOM the server on read/reindex. The oversized-doc guard now also strips nested column children and derived columnNames/columnNamesFuzzy once a doc is still over the cap after lineage stripping. Top-level columns and the full schema (via the entity API) are preserved.
Column tag filtering in advanced search #28871: Added column-tag filtering to advanced search.
Defer row fetch in audit logs list query #28850: Avoids a full-row scan when listing audit logs.
AuditLogConsumer dropping events on offset gaps #29252: change_event.offset is AUTO_INCREMENT/SERIAL and only visible at commit, so under concurrent writes a lower offset can become visible after a higher one. The consumer no longer skips audit events across these offset gaps.

Render traced edges and nodes #29195: Lineage now visually renders traced edges and nodes.
Restore edges in lineage PNG export #29124: Edges are restored after canvas re-render in the lineage PNG export.
Fix selector for export lineage 5b4fe8c: Fixed the selector used for lineage export.
Correct nodeDepth for fetched nodes #27477: Updates nodeDepth on fetched nodes using the base nodeDepth (Issue #25388).

Approve/reject buttons missing after Expand All #29292: The Expand-All tree fetch omitted the reviewers field, so nested In-Review terms lost their approve/reject buttons. Reviewers are now requested so the buttons remain for nested terms.
Approval re-triggers on approved-term rename 1755135: Renaming an already-approved term now records name/parent on the change description so the approval workflow re-triggers correctly.
Keep approvals valid after move #29234: Approvals remain valid after a glossary term is moved.
Cascade glossary rename to child terms in search index #29134: Renaming a glossary now updates the denormalized glossary.name / glossary.fullyQualifiedName on every child term's search-index doc.

MCP OAuth login fails with 400 on id_token fragment #29228: Fixed /mcp/callback handling of the active-session shortcut and implicit-flow id_token returned in the URL fragment by SSO.
OIDC/SAML self-signup persists mapped email claim #29189: Self-signup now persists the mapped email claim from OIDC/SAML.

Preserve data products across domain deletes #29138: When a data product's domain was changed and the original domain was then recursively hard-deleted, the data product was incorrectly deleted via a stale domain→dataProduct relationship. The stale relationship is now removed so data products are preserved.
Delete orphaned test cases + guard test-definition deletion #29081: Orphaned test cases (whose testDefinition relationship was removed) can now be hard-deleted, and test-definition deletion is guarded against the missing relationship.

Sync IngestionPipeline scheduleInterval on app schedule changes #28702: When an external app's schedule changes (scheduled→manual or a cron edit), the backing IngestionPipeline scheduleInterval is now synced so K8s/Argo/Hybrid runners pick up the new schedule.
Skip CSV consolidation without a previous version #29088: Avoids CSV consolidation when there is no previous version to consolidate against.

Scope "between" operator fix to numeric custom properties #29334: The between operator now correctly sends the upper bound for numeric custom properties only (Issue #27482).

Snowflake: create Query entities in ACCESS_HISTORY lineage #29125: The opt-in ACCESS_HISTORY lineage path now emits a CreateQueryRequest per edge so the originating SQL surfaces as Query entities, and fixes a probe issue.
Snowflake: forward-port ACCESS_HISTORY lineage + cache fixes #29036: Forward-ports the opt-in ACCESS_HISTORY lineage path and cache fixes.
Metabase: StarRocks SQL dialect for lineage #29033: StarRocks connections now route to the StarRocks SQL dialect so StarRocks-specific syntax in Metabase native queries (e.g. to_bitmap(), bitmap_union_count()) parses correctly for lineage (Issue #28934).