ORDS Changelog

Various Security bugs.

APEXLang support

• APEXLang Support
  • ORDS 26.1.1 adds support for Open Application Specification Language (APEXlang), Oracle's new declarative language for APEX applications. APEXlang provides a human-readable, AI-friendly representation of APEX applications, enabling agents such as Claude and Codex to generate, modify, and review them directly. ORDS 26.1.1 is required for APEXlang support.

• Oracle Backend for Firebase (Fusabase)
  • Oracle Backend for Firebase (Fusabase), a Backend-as-a-Service-style toolkit for building mobile and web apps on Oracle AI Database. Fusabase provides Authentication, Database, File Storage, declarative security rules, AI vector search, and an attestation-based App Trust layer.
  • Developers integrate through Firebase-style SDKs for iOS, Android, JavaScript, and Flutter, with a Fusabase CLI for project setup, configuration, and scripted workflows. The bundled Console handles app registration, user management, App Trust providers, security rule editing, data browsing, Storage setup, vector columns, authorized domains, and project management. Oracle Backend for Firebase runs everywhere ORDS runs.
• Fusabase quickstart - build your first app!

• VecDB developer REST APIS added. Requires Oracle AI Database 26ai (23.26.1).
  • Execute vector similarity searches
  • List, create, describe, delete, and update vector tables
  • Generate code samples (Python and cURL) for batch loading data
  • Full lifecycle vector index management
  • CRUD operations for vectors in vector tables
  • Manage transformer models (ONNX)
• ORDS now supports loading new database pools at runtime without a restart
• ORDS AutoREST tables and views with vector columns now support vector search via POST /vectorSearch
• ORDS Export APIs now include DROP statements to remove modules, privileges, and roles that have been deleted in the source environment, ensuring they are also removed from the target environment - enabling better CI/CD
• New MongoDB API configuration setting: mongo.legacyUuidRepresentation
• OpenTelemetry metrics
  • ORDS now batches API response times to the OCI Metrics service, reducing overall metrics volume
  • OpenTelemetry support for ORDS metrics now includes additional spans and finer-grained breakdowns of API response times, including:
    • get-services: get service definitions
    • get-metadata: get metadata
    • schema-check: schema check
    • sql-exec: execute SQL script
    • gen-result: generate result

• SQL Developer Web
  • New Vector database development interface, manage transformer models, create vector tables, and perform vector searches. Requires Oracle AI Database 26ai (23.26.1)
  • The About window now reports both the ORDS software version and the ORDS database repository version, and displays a footer warning if they do not match
  • In Data Loader, for XML/JSON sources, you can now select a specific key to upload only that content
  • Improved accessibility and usability
  • SQL Worksheets now support running queries that return duplicate column names. Also applies to REST Enable SQL Service

• Better memory management for internal caches
• High memory usage in SQL Developer Web for the SQL formatter endpoint
• ORDS upgrade using the --bequeath-connect option fails on Oracle Database 19c
• Install/uninstall using TNS fails when the specified TNS folder does not exist; error: "cannot invoke 'java.nio.file.path.getfilesystem()' because 'path' is null"
• 404 due to a route-matching conflict between specific and parameterized- ORDS templates with a shared prefix
• SQL Developer Web SQL Worksheet showed the wrong arguments for a procedure in the navigator; the corresponding DB API endpoint was also wrong: _/db-api/stable/database/objects/arguments
• In SQL Developer Web, NLS date and time format session parameters were not honored when running queries after ALTER SESSION SET NLS_....
• Alias in paths file not displayed at ORDS startup with mapped pools

• The ords-metrics utility has been updated to include new JMX configuration options, enhanced metric dimensions, and configuration with the OCI Logging Service.
• Data Pump APIs now supports keep_master parameter for the db-api/database/datapump/import and db-api/database/datapump/export endpoints.

General

• 38740206 REST handlers resolved to incorrect endpoint within the same database
• 26168830 AutoREST-enabled PL/SQL procedures with an out parameter of BOOLEAN datatype failing with 500 Server Error Response when POST requests were issued
• 37979736 PL/SQL Gateway proxy user unable to connect to target schema failing with 571 Database Connection Error; error messages will no longer include pool-specific and target schema details
• 38406575 Failed Basic Dynamic Authentication attempts in Direct PL/SQL Gateway mode resulted in multiple entries in DB UNIFIED_AUDIT_TRAIL table logs; resulting in some locked out users
• 38389389 ORDS installer displays "Cannot drop ORDS_METADATA.ORDS_HTTP: ORA-01031: insufficient privileges when upgrading ORDS" despite successful ORDS upgrade
• 38139174 Execution of the ORDS_EXPORT.EXPORT_SCHEMA()failed to include the p_mle_env_name parameter in the outputExecution of a SELECT statement on a table that contains SDO_GEOMETRY data returns an invalid JSON payload.

SQL Developer Web

• 38498494 ORDS AutoREST-Enabled BATCHLOAD endpoint fails on Windows
• 38500287 SQL Developer Web displaying incorrect Command Prompt (Windows) BATCHLOAD cURL command example for Auto-REST enabled endpoints
• 38448663 "Get Bearer Token" menu option missing from a user-created ORDS OAuth2.0 Client Credential OAuth Client card
• 38423618 Share Query Results URL failed to include recently added table data
• 38434677 Share Query Results URL for larger result displaying only 500 rows38570906 "Create MLE environment" slider rendering incorrectly when viewed in Chrome and Firefox browser
• 38448663 The "Get New Token" menu option of an ORDS OAuth2.0 Client Credentials client missing
• 38485320 Data Load operation in SQL Worksheet fails intermittently with ORA-00904 error message
• 38244663 Customer experienced high page load times for the Data Studio Feed Data Details page

• 38540644 - REST Services with high identifier values, greater than two billion, failing with 404 caused by ORA-17026

Database API (DB-API)

• The DB-API adds support for Resumable (Sessionless) transactions using a global transaction ID (GTRID), available in Oracle Database 23ai (version 23.6 and later).
• Added PLSQL API for deleting REST TEMPLATES and REST HANDLERS, ORDS.DELETE_TEMPLATE and ORDS.DELETE_HANDLER.

SQL Developer Web

• Improved Data Studio impact/lineage diagram layout.
• SQL history stored in the database can now be deleted.

General

• 38319349 - ORDS central config OAuth client credentials "Cannot call getSecret() on a plain text entry."
• 38301996 - Upgrade fails with "ORA-01404: alter column will make an index too large".
• 38209560 - Basic auth fails when pool defined using OCI Database Tools service connection OCID.
• 38174988 - Upgrade fails for pools configured using OCI Database Tools service connection OCID.
• 38176430 - Generic ORDS installer should support BaaS install.
• 38154462 - ORDS_ADMIN.UNPROVISON_ROLESnot revoking admin_role.
• 38091467 - error.responseFormat setting not observed, returns HTML vs JSON.
• 38028986 - Overloaded procedures should not be included in Open API catalog for AutoREST enabled package.
• 38194431 - ORDS_EXPORT_ADMIN.EXPORT_MODULE parameter p_runnable_as_admin now defaults to true.
• 37984738 - ORDS_EXPORT.EXPORT_SCHEMA API now compatible with ords_export_admin.export_schema.
• 37940424 - Incorrectly detecting APEX is not available.
• 37926558 - REST API performance issue when APEX is not installed.
• 37925590 - Support empty role claim in RBAC JWT profile; empty strings " " in addition to an empty stringArray[].
• 38069234 - OpenAPI catalog should be available for every module/service via http://.../ords/schema/open-api-catalog/endpoint/openapi.json.3
• 7248527 - Invalid use of CORS preflight on an access token endpoint attempts were not being logged in standard out.
• 36587551 - Access a protected endpoint recieves a 500 Error Response Code when privilege name includes certain special characters.

Database API

• 38341634 - Renamed the following apex/applications/{application_id}/ DB-API endpoint parameters: p_with_audit_info, p_with_pkg_app_mapping.
• 38247556 - RDF graph SPARQL endpoint returns invalid JSON for query results that include null bindings; extra commas added in result rows that have null bindings.
• 38073711 - RDF graph SPARQL endpoint improperly escapes single quotes in JSON query result format.
• 37050559 - Transactional event queues /topics request includes HTTP response headers in response body.

SQL Developer Web

• 38108007 - MLE - Create Environment, scroll bar issues.
• 38091489 - Overview help button is not working.
• 38068304 - OAuth edit client privilege tab - the add, remove, ...buttons are fixed, and not sticky - disappear when scrolling down the priv list.
• 37782248 - REST privileges do not support privilege names with leading periods; but PL/SQL API allows this.
• 37534722 - CREATE_JWT_PROFILE(); skew and age parameters value were defaulting to of 0 instead of null.
• 37330992 - SQL syntax error not reported in editor; not detecting un-paired double quotes.
• 37213663 - MLE-JavaScript missing context menu when right clicking on call spec or environment.
• 37075579 - Unable to undo SQL history recall from worksheet.
• 36842653 - Malformed CSV export when exporting table data, that contains JSON columns, to a CSV file.
• 36793186 - Worksheet- run statement runs entire script when cursor is positioned on an info command.
• 35812641 - AWR - error on generate report doesn't provide details.
• 35201835 - Numbers rounding in grid and script output.
• 34093887 - Run statement and (Ctrl/Cmd + Enter) not working when two queries are there and the second query is not ended with a ';'.
• 29840478 - Show grammatical error for a correct SQL.
• 29263239 - Alter log report filter using timestamp equals/not equals does not work.
• 38259179 - Data Studio selected job shows lineage and impact show every job vs selected.
• 38241893 - Data Studio should return 503/service unavailable during upgrade instead of 404.
• 37771334 - Data Studio lineage panel on entity details slider comes up blank.
• 37288407 - Data Studio table analysis reports not available for tables not in current schema.

REST Driver

• 38239802 - JDBC REST logins incorrectly show JSON web token; payload portion empty in ORDS logs.

PL/SQL Gateway

• 38189487 - 500 internal server error while downloading files larger than 2GB.

MongoAPI for Oracle

38175460 - Default idle timeout for MongoDB API connections should be 0.

GraphQL

• 38073632 - GraphiQL UI accessible from SQL Developer Web even when GraalVM/JS not available.
• 37467070 - Cannot alias a join.

Docs

• 33067098 - Add examples for setting duser.language and duser.region Java Environment Variables for Standalone and Tomcat deployments.
• 38097415 - Missing docs for Data Pump import page (offline).

• 38290872 - ADP$service.dbms_cloud_ingest_livefeed is in invalid state after ADP patch
• 38249797 - Workload capture/replay - UI allows to schedule an auto capture within the first 6hrs
• 38268031 - ORDS upgrade from 24.1 to 25.2 throws error ora-01404: alter column will make an index too large

SQL Developer Web

• 38167256 - Workload capture/replay - hour configured in a scheduled job is incorrect
• 38167229 - Workload capture/replay - terminated job doesn't show correct status in the card job
• 38161703 - Creating dbms_scheduler jobs from SQL Developer Web does not honor the timezone settings
• 36675397 - Added Spatial Studio to Database Actions

• 38185098 JDBC REST Connections fail with invalid url changes

ORDS

• Introduced a new ORDS_PAR.PAR_EXPIRATION_BY_ALIAS(); function which retrieves a PAR’s remaining time till expiration (in seconds), by passing the PAR alias as a parameter.
• Improved MLE/JS error stack messages. A new “MLE” exception prefix has been added for improved logging. New prefix also viewable when the ORDS printDebugToScreen configuration setting has been set to TRUE. Stack traces are now available for MLE/JS resource errors.
• The ORDS REST-Enabled SQL Service Response Specification for Content-Type: application/json requests adds a new responseFormat.numberAsString property for specifying whether numeric values should be returned as strings (to retain precision and scale).
• The /apex/applications/{application_id} DB-API endpoint introduces two new parameters:
  • withRuntimeInstances
  • with_audit_Info
• Customer-managed ORDS deployments can now use Database Tools in OCI (managed connections service) Instance Principal and OCI Profile credentials when selecting a db.connectionType. The default remains basic (i.e. ORDS_PUBLIC_USER).

SQL Developer Web

• The REST Workshop now supports ORDS Pre-Authenticated Requests (PARs):
  • PAR dashboard accessible by navigating to Security > Pre-Authenticated Requests. + Resource
  • Resource Handlers now feature a new Pre-Authenticated Request context menu option, with Create and Details actions.

ORDS CLI

• New ords config --db-pool [pool name] verify command. When executed, will respond with a message stating whether the pool is valid or not. And if ORDS is installed in the database, will return the ORDS (metadata) version number.
• Users can now optionally configure JWT Profiles at the database pool level, with the security.jwt.profile.mode command. Schema level remains default, however pool level configuration supports Roles-Based and Claims-Based Access Control methods as well.

ORDS

• 37721769 ORDS OAuth2 Client Credential grant types failed with a 401 Unauthorized Status Code when a user requests a Privilege-protected resource. Privileges should be ignored for 2-Legged Flows (Client Credentials) was . should ignore assigned privileges for 2 legged flows, as only ORDS Roles assigned to the the clients are applicable.
• 37823479 P_ROLE_CLAIM_NAME validation for Roles-Based Access Control JWT Profiles. Stricter validation rules are enforced for JSON Pointers (e.g. leading “/”).

SQL Developer Web

• 37782162 Client Secret modal incorrectly appears after creation of an ORDS OAuth2.0 Implicit Grant Type client.
• 37477571 SQL Worksheet keyboard shortcuts have been corrected to align with those present in the Monco Editor (i.e. VS Code).
• 37969152 BLOB files corrupted after downloading the results from the SQL Worksheet (and updating with the correct file extension).
• 37809616 Users received a “Data Log Report Error” when clicking the Next button in the Data Load or Data Link tab of a Data Studio Data Marketplace listing.
• 34497498 Refreshing the Data Studio Data Load UI during a local file data load kills the process and results in an incomplete data load.
• 34497363 Refreshing the Data Studio Data Load UI during a Cloud Store data load kills the process and results in a total failure.
• 34015805 Live Feed run details section in the Data Load UI failed to display the execution details when files are processed in chunks.

ORDS

• ORDS_EXPORT_ADMIN PL/SQL Package. Users with the ORDS_ADMINISTRATOR_ROLE can now export REST-enabled objects from another REST-enabled schema.
• ORDS JWT Profiles now support claims-based and roles-based access control.

SQL Developer Web

• REST Workshop Security and OAUTH2 UI now defaults to ORDS_SECURITY. Client Secrets are now only visible once at client creation time. Users can migrate their ORDS_OAUTH clients to the new ORDS_SECURITY package as well as rotate client secrets.
• Dark Mode is now available in SQL Developer Web.

Data Studio

• The Autonomous Serverless Federated Database Catalog is now available.
• AI Table Assistant improvements such as:
  • editing and auto-saving of recipes
  • showing new columns in italics
• Using the existing SMTP, Livefeeds now can send an email when it runs and:
  • loads rows into your table
  • rejects rows under certain conditions (e.g., loading the value “BLUE” into a NUMBER(10) column)
  • throws an error (i.e., for instance, your files were deleted from a bucket, or your credentials for that bucket have been dropped)