DPA 2026.2 release notes
Release date: June 30, 2026
Here's what's new in DPA 2026.2. You can find the applicable system requirements here.
To view release notes, system requirements, and product guide PDFs for supported versions of DPA, see DPA previous versions. To view release notes for multiple versions
New features and improvements in DPA
Support for monitoring SAP HANA database instances
SAP HANA is a high-performance, in-memory relational database management system designed for real-time analytics and transaction processing. You can use DPA to monitor the following versions of SAP HANA database instances:
- SAP HANA Platform and Express Editions, versions 2.0 and higher
- SAP HANA Cloud versions 2026.2 and higher
DPA supports monitoring both single-container and multi-container SAP HANA architectures. In either case, DPA monitors at the individual container level — one container equals one monitored database.
To monitor SAP HANA database instances, you must have one of the following license types for DPA:
- Database Self-Hosted (DBSH)
- Temporary or trial
MariaDB JDBC driver upgrade
Previous versions of DPA used the MySQL Connector/J JDBC driver to connect to MySQL and MariaDB instances. DPA 2026.2 now uses the MariaDB Connector/J 3.5.8 JDBC driver, which supports the SSL protocol. This driver is used to connect to the following types of monitored instances and repository databases:
- MySQL (self-managed, Amazon RDS for MySQL, Azure Database for MySQL, and Cloud SQL for MySQL)
- MariaDB (self-managed, Amazon RDS for MariaDB, and Azure Database for MariaDB)
- Percona
AI Query Assist support for PostgreSQL and MySQL
You can use the AI Query Assist option to send a query and associated plan to a secure enterprise LLM for optimization suggestions. This option is now available for queries running on PostgreSQL and MySQL instances, in addition to SQL Server and Oracle instances.
AI Query Assist is available with a DBSH or trial license.
Alert life cycle key generation
DPA can send alert notifications to multiple channels, including third-party notification services such as PagerDuty and ServiceNow. Each instance of a DPA alert can have multiple status levels (for example, the alert status could change from Medium to High). Some third-party notification services cannot distinguish between an existing alert whose status changed and a new instance of the alert. When a new alert is triggered, the third-party service might reopen an existing ticket instead of opening a new ticket.
To resolve this issue, DPA 2026.2 can now generate a unique life cycle key for every alert instance and include the key with the alert information sent to a third-party service. This key is created when the alert is initially triggered and remains the same as the alert status level changes. If the alert returns to the Normal level and then later the alert is triggered again, a new key is generated.
This feature is disabled by default. To enable the feature, set the advanced configuration option ALERT_KEY_LIFECYCLE_ENABLED to true.
When this feature is enabled, DPA generates a life cycle key for every instance of an alert. The key is included with the alert data sent through Platform Connect to supported third-party services.
Improvements to PostgreSQL alerts
The following PostgreSQL alerts have been updated for improved accuracy, simpler configuration, and additional options.
| Alert | Improvements |
|---|---|
| All PostgreSQL alerts that collect data from multiple databases |
|
| PostgreSQL User Role Expiry alert |
|
| PostgreSQL Long Running Query and PostgreSQL Long Running Vacuum alerts |
|
| PostgreSQL Percent Idle in Transaction Connections alert |
|
| PostgreSQL Dead Tuples alert |
|
| PostgreSQL Last Vacuum and PostgreSQL Last AutoVacuum alerts |
|
| PostgreSQL Last Analyze and PostgreSQL Last AutoAnalyze alerts |
|
General improvements
- DPA 2026.2 provides security improvements, including an upgrade to the com.fasterxml.jackson.core:jackson-core component and the Tomcat library.
Fixed CVEs
At SolarWinds, we prioritize the swift resolution of CVEs to ensure the security and integrity of our software. In this release, we have successfully addressed the following CVEs.
SolarWinds CVEs
SolarWinds would like to thank our Security Researchers below for reporting on the issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability.
| CVE-ID | Vulnerability Title | Description | Severity | Credit |
|---|---|---|---|---|
| CVE-2026-28322 | SolarWinds Database Performance Analyzer Stored Cross-Site Scripting Vulnerability | SolarWinds Database Performance Analyzer was found to be affected by a stored cross-site scripting vulnerability, which when exploited, can lead to unintended script execution. | 5.6 Medium |
Third-party CVEs
| CVE-ID | Vulnerability title | Description | Severity |
|---|---|---|---|
| CVE-2026-34487 | Apache Tomcat cloud membership for clustering component exposed the Kubernetes bearer token vulnerability | Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue. | 7.5 High |
| CVE-2026-43515 | Apache Tomcat improper authorization vulnerability | Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 to fix the issue. | 9.1 Critical |
| CVE-2025-53864 | Connect2id Nimbus JOSE + JWT denial of service vulnerability | Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson. | 5.8 Medium |
| CVE-2025-52999 | jackson-core stack-based buffer overflow | jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources. | 7.5 High |
Fixed customer issues
| Case number | Description |
|---|---|
| 02084069 |
DPA Central navigation now reliably returns you to the correct Central dashboard when you click the Central link from a remote DPA server, without blank pages, extra logins, or redirects to the local server’s Central view. |
| 02084069 | Columns in the My DB Instances or DB Instances in Alarm tables in DPA Central no longer shrink when the page is accessed through the browser's Back button. |
| 02103320 | Opening the Tuning tab for a PostgreSQL monitored instance no longer returns an HTTP 422 error. |
| 02129165 | The DPA AWS base image has been upgraded from Amazon Linux 2 to Amazon Linux 3 to ensure continued support after Amazon Linux 2 end of life. |
| 02145768 | When the DPA database uses the Turkish_CI_AS collation, clicking the Tuning tab no longer returns an internal server error. |
| 02054275 | An inconsistency in the database schema between new installations and upgrades has been corrected. This issue prevented the configuration of Platform Connect. |
| 02083941 | The size limit on a database column no longer prevents the Top SQL Statements chart from displaying data. |
Installation or upgrade
For new installations, you can download the installer from the SolarWinds website or from the Customer Portal. For more information, see the DPA Installation and Upgrade Guide.
For upgrades, use the DPA Installation and Upgrade Guide to help you plan and execute your upgrade. When you are ready, download the upgrade package from the SolarWinds Customer Portal.
Known issues
Custom CA certificates and mass registration of MySQL or MariaDB instances
Using mass registration to attempt to register MySQL or MariaDB instances can fail when the following conditions are met:
-
You are using a custom CA certificate.
-
The SSL property
sslMode=verify-caorsslMode=verify-fullis specified.
During mass registration, the certificate keystore URL is not injected into the JDBC connection. The JDBC driver falls back to the JVM cacerts store for trust anchors. If the custom CA certificate is not present in JVM cacerts, the connection fails with the following error:
DatabaseConnectionException: A connection to the database could not be established
This issue does not affect Azure Database for MySQL registrations (because the DigiCert CA certificate is in every JVM cacerts) or Amazon RDS for MySQL registrations (because the Amazon Root CA certificate is pre-loaded). Registrations through the registration wizard are also not affected by this issue.
Resolution or workaround: Before registering the instances, import the custom CA certificate into the JVM cacerts store:
-
If the DPA server runs Linux, run the following command:
keytool -importcert -noprompt -alias "custom-mysql-ca" -file "/path/to/ca.pem" -keystore "/opt/dpa/iwc/jre/lib/security/cacerts" -storepass changeit -
If the DPA server runs Windows, run the following command:
keytool -importcert -noprompt ^ -alias "custom-mysql-ca" ^ -file "C:\path\to\ca.pem" ^ -keystore "C:\Program Files (x86)\SolarWinds\DPA\iwc\jre\lib\security\cacerts" ^ -storepass changeit
End of life
| Version | EoL announcement | EoE effective date | EoL effective date |
|---|---|---|---|
| 2024.2 | March 10, 2026: End-of-Life (EoL) announcement – Customers on DPA version 2024.2 or earlier should begin transitioning to the latest version of DPA. | June 30, 2026: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for DPA version 2024.2 or earlier will no longer actively be supported by SolarWinds. | June 30, 2027: End-of-Life (EoL) – SolarWinds will no longer provide technical support for DPA version 2024.2. |
| 2023.4.300 | November 18, 2025: End-of-Life (EoL) announcement – Customers on DPA version 2023.4.300 or earlier should begin transitioning to the latest version of DPA. | February 18, 2026: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for DPA version 2023.4.300 or earlier will no longer actively be supported by SolarWinds. | February 18, 2027: End-of-Life (EoL) – SolarWinds will no longer provide technical support for DPA version 2023.4.300. |
See the End of Life Policy for information about SolarWinds product life cycle phases. To see EoL dates for earlier DPA versions, see DPA release history.
Legal notices
© 2026 SolarWinds Worldwide, LLC. All rights reserved.
This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.
SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.