Notable Changes
Security
- fix: Enforce channel binding without bumping scram-client (3.2)
Under `channelBinding=require`, the driver silently downgraded from `SCRAM-SHA-256-PLUS` (with channel binding) to plain `SCRAM-SHA-256` (without it) when the server presented a certificate whose signature algorithm has no `tls-server-end-point` channel-binding hash (for example Ed25519, Ed448, or post-quantum algorithms). An attacker who can intercept the TLS connection could exploit this to strip channel-binding protection. The fix enforces channel binding in the driver's own code: the connection now fails when no binding data can be extracted from the server certificate, and the driver verifies that the negotiated mechanism uses channel binding (`-PLUS`) whenever `require` is set. Only connections that set `channelBinding=require` are affected. The default `prefer` policy and releases before 42.7.4 (which introduced channel-binding support) are unaffected. See the Security Advisory for more detail. CVE-2026-54291 has been issued for this issue.
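The negotiation described above, as an added example in Go (it is not pgjdbc's Java code nor the scram-client library): it computes RFC 5929 `tls-server-end-point` binding data from a certificate, applies the post-fix decision rule for `channelBinding=require` and `prefer`, and builds the `c=` attribute of the SCRAM client-final-message that carries the binding. The function names, the self-signed demo certificates and the server's mechanism list are constructed for the example; the signature-algorithm-to-hash table follows RFC 5929, which defines no binding data for Ed25519, so that certificate kind reproduces the failure mode the advisory describes.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	_ "crypto/sha256" // registers crypto.SHA256 for Hash.New
	_ "crypto/sha512" // registers crypto.SHA384 and crypto.SHA512
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ChannelBinding holds the two pgjdbc channelBinding values the release note discusses.
type ChannelBinding string

const Prefer, Require ChannelBinding = "prefer", "require"

var ErrNoBindingHash = errors.New("signature algorithm has no tls-server-end-point hash")

// bindingHash is the RFC 5929 tls-server-end-point rule: the certificate's signature
// hash, MD5/SHA-1 upgraded to SHA-256. Ed25519 has no hash step, so PureEd25519 is absent.
var bindingHash = map[x509.SignatureAlgorithm]crypto.Hash{
	x509.MD5WithRSA: crypto.SHA256, x509.SHA1WithRSA: crypto.SHA256, x509.ECDSAWithSHA1: crypto.SHA256,
	x509.SHA256WithRSA: crypto.SHA256, x509.SHA256WithRSAPSS: crypto.SHA256, x509.ECDSAWithSHA256: crypto.SHA256,
	x509.SHA384WithRSA: crypto.SHA384, x509.SHA384WithRSAPSS: crypto.SHA384, x509.ECDSAWithSHA384: crypto.SHA384,
	x509.SHA512WithRSA: crypto.SHA512, x509.SHA512WithRSAPSS: crypto.SHA512, x509.ECDSAWithSHA512: crypto.SHA512,
}

// EndpointBindingData hashes the DER certificate, or returns ErrNoBindingHash (the silent-fallback case).
func EndpointBindingData(cert *x509.Certificate) ([]byte, error) {
	h, ok := bindingHash[cert.SignatureAlgorithm]
	if !ok {
		return nil, ErrNoBindingHash
	}
	d := h.New()
	d.Write(cert.Raw)
	return d.Sum(nil), nil
}

// CAttribute is the c= attribute of client-final-message, base64(gs2-header || cbind-data).
// The server recomputes it from its own certificate, so a TLS-terminating proxy cannot pass the proof.
func CAttribute(gs2Header string, cbind []byte) string {
	return "c=" + base64.StdEncoding.EncodeToString(append([]byte(gs2Header), cbind...))
}

// SelectMechanism is the post-fix rule. Require fails when no binding data exists or no
// -PLUS was advertised; Prefer downgrades, with the gs2-header saying why ("n": no binding
// data on the client side, "y": no -PLUS offered) so a -PLUS-capable server can still detect stripping.
func SelectMechanism(policy ChannelBinding, advertised []string, cert *x509.Certificate) (string, string, []byte, error) {
	hasPlus, hasPlain := false, false
	for _, m := range advertised {
		hasPlus, hasPlain = hasPlus || m == "SCRAM-SHA-256-PLUS", hasPlain || m == "SCRAM-SHA-256"
	}
	cbind, err := EndpointBindingData(cert)
	switch {
	case err == nil && hasPlus:
		return "SCRAM-SHA-256-PLUS", "p=tls-server-end-point,,", cbind, nil
	case policy == Require && err != nil:
		return "", "", nil, fmt.Errorf("channelBinding=require: %w", err)
	case policy == Require:
		return "", "", nil, errors.New("channelBinding=require: server did not offer SCRAM-SHA-256-PLUS")
	case !hasPlain:
		return "", "", nil, errors.New("server offers no SCRAM-SHA-256 mechanism")
	case err != nil:
		return "SCRAM-SHA-256", "n,,", nil, nil
	}
	return "SCRAM-SHA-256", "y,,", nil, nil
}

// DemoCertificate builds a constructed self-signed certificate: ECDSA P-256 gives an
// ECDSA-with-SHA256 signature, Ed25519 a PureEd25519 one. Key generation is treated as infallible.
func DemoCertificate(useEd25519 bool) (*x509.Certificate, error) {
	var pub, priv any
	if useEd25519 {
		pub, priv, _ = ed25519.GenerateKey(rand.Reader)
	} else {
		k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		pub, priv = &k.PublicKey, k
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := DemoCertificate(true) // Ed25519: the certificate kind that triggered the downgrade
	if err != nil {
		panic(err)
	}
	mech, gs2, cbind, err := SelectMechanism(Require, []string{"SCRAM-SHA-256-PLUS", "SCRAM-SHA-256"}, cert)
	fmt.Printf("require -> %q %s err=%v\n", mech, CAttribute(gs2, cbind), err)
}
```

Two points worth checking against your own deployment: a certificate signed with Ed25519 (or any algorithm outside the RFC 5929 table) makes `require` fail to connect after the fix rather than connect without binding, so switching a server to such a certificate is a client-visible change; and under `prefer` the client tells the server through the gs2-header whether the downgrade was its own choice (`n`) or caused by a missing `-PLUS` offer (`y`), which is the only thing that lets a `-PLUS`-capable server notice a stripped mechanism list.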