Patch files from 2026.0.3 to 2026.1.1
As part of the upgrade, apply the following changes in your .env and docker-compose.yml files:
As usual with patch files, the first character in every line has a meaning:
- Lines starting with `+` need to be added
- Lines starting with `-` need to be removed
- Lines starting with a space ` ` are just for context and should not be changed
- Lines starting with `@@` indicate the line numbers in the original file and should not be changed
.env
@@ -75,7 +75,7 @@ COMPOSE_HTTP_TIMEOUT=600
@@ -75,7 +75,7 @@ COMPOSE_HTTP_TIMEOUT=600
REGISTRY=rapidminer/
# Version of the Init container
-INIT_VERSION=2026.0.3
+INIT_VERSION=2026.1.1
# Enable configuring server settings for Python Scripting extension
INIT_SHARED_CONDA_SETTINGS=true
@@ -86,7 +86,7 @@ INIT_SHARED_CONDA_SETTINGS=true
#
# ############################################
-PROXY_VERSION=2026.0.3
+PROXY_VERSION=2026.1.1
# Deprecated, please use HTTP_PORT and HTTPS_PORT
UNPRIVILEGED_PORTS=false
@@ -131,6 +131,10 @@ SCORING_AGENT_BASIC_AUTH=true
# Change these when you want to use non-default pair to login
SCORING_AGENT_ADMIN_USER=admin
SCORING_AGENT_ADMIN_PASSWORD=changeit
+# Optional comma-separated allow-list for webapi CORS origins.
+# Example: https://a.example.com,https://b.example.com
+# If empty, ACCESS_CONTROL_ALLOW_ORIGIN_WEBAPI is used as default.
+ACCESS_CONTROL_ALLOW_ORIGIN_WEBAPI_LIST=
# HTTPS settings
ALLOW_LETSENCRYPT=true
#CUSTOM CA file has to be existed in ssl folder as a file and need to be set here
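Review bot: The comment on `ACCESS_CONTROL_ALLOW_ORIGIN_WEBAPI_LIST` does not state the entry format, nor what happens when both this list and `ACCESS_CONTROL_ALLOW_ORIGIN_WEBAPI` are empty, which is the shipped state (the latter is set to an empty value further down in this file). I would extend it with `# Entries are full origins (scheme://host[:port]) without a trailing slash or spaces.` and one line naming the effective CORS behaviour when both variables are empty. How the proxy matches a request origin against the list is not visible here, so the format statement should be confirmed against the proxy template before it is written down.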
@@ -143,17 +147,27 @@ HTTPS_CRT_PATH=/etc/nginx/ssl/certificate.crt
HTTPS_KEY_PATH=/etc/nginx/ssl/private.key
HTTPS_KEY_PASSWORD_FILE_PATH=/etc/nginx/ssl/password.txt
HTTPS_DH_PATH=/etc/nginx/ssl/dhparam.pem
+#
+# SSL/TLS settings
+#
+SSL_CIPHERS=TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+SSL_PROTOCOLS=TLSv1.3
+# Less secure values before 2026.1.0 are more compatible with old http clients
+# SSL_CIPHERS=TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+# SSL_PROTOCOLS=TLSv1.2,TLSv1.3
+#
ACCESS_CONTROL_ALLOW_ORIGIN_GENERAL=${PUBLIC_URL}
ACCESS_CONTROL_ALLOW_ORIGIN_WEBAPI=
ACCESS_CONTROL_ALLOW_ORIGIN_RTS=
ACCESS_CONTROL_ALLOW_ORIGIN_KEYCLOAK=
# Improved security value
-#CONTENT_SECURITY_POLICY="default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data:;connect-src 'self';frame-src 'self';font-src 'self';media-src 'self';object-src 'none';manifest-src 'self';worker-src blob: 'self';form-action 'self';frame-ancestors 'self';"
+CONTENT_SECURITY_POLICY="default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data:;connect-src 'self';frame-src 'self';font-src 'self';media-src 'self';object-src 'none';manifest-src 'self';worker-src blob: 'self';frame-ancestors 'self';"
# Backward compatible value
-CONTENT_SECURITY_POLICY="worker-src blob: 'self' 'unsafe-inline' 'unsafe-eval'; default-src https: data: 'self' 'unsafe-inline' 'unsafe-eval';"
+#CONTENT_SECURITY_POLICY="worker-src blob: 'self' 'unsafe-inline' 'unsafe-eval'; default-src https: data: 'self' 'unsafe-inline' 'unsafe-eval';"
WAIT_FOR_DHPARAM=true
DEBUG_CONF_INIT=false
+CACHE_MAX_AGE=604800 # seconds = 7 days
# ############################################
#
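Review bot: The newly activated `CONTENT_SECURITY_POLICY` drops `form-action 'self'`, which the previously commented-out "Improved security value" contained; `form-action` does not fall back to `default-src`, so form submission targets are unrestricted under the new default. If the directive was removed on purpose (for SSO redirects, perhaps, which is only a guess from here), a line such as `# form-action is intentionally omitted: <reason>` above the value would record that. The active policy also still permits `'unsafe-inline'` and `'unsafe-eval'` in `script-src`, so the "Improved security value" label deserves a remark that inline and eval'd script remain allowed. Separately, the new `SSL_PROTOCOLS=TLSv1.3` default will refuse TLS 1.2-only clients after the upgrade, and the comment above the fallback values could say that outright instead of "more compatible".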
@@ -162,18 +176,18 @@ DEBUG_CONF_INIT=false
# ############################################
# Keycloak container version
-KEYCLOAK_VERSION=2026.0.3
+KEYCLOAK_VERSION=2026.1.1
# Keycloak database parameters
-KEYCLOAK_POSTGRES_VERSION=2026.0.3
+KEYCLOAK_POSTGRES_VERSION=2026.1.1
KEYCLOAK_DBSCHEMA=kcdb
KEYCLOAK_DBUSER=kcdbuser
KEYCLOAK_DBPASS=changeit
KEYCLOAK_POSTGRES_INITDB_ARGS="--encoding UTF8 --locale=C /var/lib/postgresql/data"
# Default platform admin user credentials
-KEYCLOAK_USER=admin
-KEYCLOAK_PASSWORD=changeit
+KC_BOOTSTRAP_ADMIN_USERNAME=admin
+KC_BOOTSTRAP_ADMIN_PASSWORD=changeit
KC_PROXY_TRUSTED_ADDRESSES=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,127.0.0.0/8
KC_FEATURES=token-exchange
KC_HOSTNAME_STRICT="false"
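Review bot: Applied literally, the two `+` lines replace an operator's customised admin credentials with the sample value `changeit`, because the rename from `KEYCLOAK_USER`/`KEYCLOAK_PASSWORD` to `KC_BOOTSTRAP_ADMIN_USERNAME`/`KC_BOOTSTRAP_ADMIN_PASSWORD` carries the placeholder values with it. The comment above them should tell upgraders to keep their own values, e.g. `# Upgrade: copy your current KEYCLOAK_USER / KEYCLOAK_PASSWORD values here; never deploy with changeit`. It is also worth stating whether any other service or script still reads the old names; only the Keycloak service's environment is renamed in the docker-compose hunk visible on this page.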
@@ -185,6 +199,25 @@ KC_PROXY_HEADERS=xforwarded
KC_HTTP_ENABLED="true"
KC_HEALTH_ENABLED="true"
+# ############################################
+#
+# Deployment init
+#
+# ############################################
+# This will set the access token expiration time in Keycloak in seconds. Default is 10800 seconds (3 hours).
+# Please adjust this value if you want to have a different token expiration time.
+ACCESS_TOKEN_LIFESPAN=10800
+
+BRUTEFORCE_CHECK=true
+PERMANENT_LOCKOUT=false
+MAX_TEMPORARY_LOCKOUTS=0
+BRUTE_FORCE_STRATEGY=MULTIPLE
+MAX_FAILURE_WAIT_SECONDS=900
+MINIMUM_QUICK_LOGIN_WAIT_SECONDS=60
+WAIT_INCREMENT_SECONDS=60
+QUICK_LOGIN_CHECK_MILLI_SECONDS=1000
+FAILURE_FACTOR=30
+
# ############################################
#
# License Proxy
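Review bot: `ACCESS_TOKEN_LIFESPAN=10800` keeps every issued access token valid for three hours, and the comment gives no guidance on the trade-off; a leaked token stays usable for that whole window unless the consuming services check revocation, which is not visible here. I would add `# Shorter values reduce the time a leaked token remains usable.` under the existing two comment lines. The brute-force block that follows has no comments at all: `FAILURE_FACTOR=30` presumably allows 30 failed logins before a lockout, and `MAX_TEMPORARY_LOCKOUTS=0` and `BRUTE_FORCE_STRATEGY=MULTIPLE` are not self-explanatory, so each variable should get a one-line comment giving its unit and effect.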
@@ -194,7 +227,7 @@ KC_HEALTH_ENABLED="true"
SKIP_LICENSE_CHECK=false
LICENSE_PROXY_HOSTNAME=license-proxy
LICENSE_PROXY_PROFILES_ACTIVE=default,prometheus
-LICENSE_PROXY_VERSION=2026.0.3
+LICENSE_PROXY_VERSION=2026.1.1
# License Proxy url with protocol and port
LICENSE_PROXY_INTERNAL_URL=http://license-proxy:9898
# Unique machine id of the deployment
@@ -208,7 +241,7 @@ LICENSE_PROXY_MODE=on_prem
# must be set if mode is 'on_prem'
ALTAIR_LICENSE_PATH=
# ##
-MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health
+MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,prometheus
# ## settings for 'altair_one' mode ###
# Authentication type while connecting to the license server
# possible values are 'credentials', 'auth_code' and 'static_token'
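Review bot: Adding `prometheus` to `MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE` exposes the license proxy's metrics endpoint over HTTP, and nothing in this hunk says who is expected to reach it. Whether that endpoint is routed through the public reverse proxy or requires authentication is not visible here; if it is meant only for an internal scraper, a comment such as `# prometheus: scraped on the internal Docker network only; do not route externally` would make the expectation explicit. The surrounding settings block continues outside the hunk.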
@@ -269,9 +302,9 @@ ALM_HHWU_PROXY_PASSWORD=
# ############################################
AIHUB_BACKEND_PROFILES_ACTIVE=default,prometheus
-AIHUB_FRONTEND_VERSION=2026.0.3
-AIHUB_BACKEND_VERSION=2026.0.3
-AIHUB_POSTGRES_VERSION=2026.0.3
+AIHUB_FRONTEND_VERSION=2026.1.1
+AIHUB_BACKEND_VERSION=2026.1.1
+AIHUB_POSTGRES_VERSION=2026.1.1
AIHUB_DBHOST=aihub-postgresql
AIHUB_DBPORT=5432
AIHUB_DBSCHEMA=aihub-db
@@ -332,7 +365,7 @@ RAPIDMINER_PYTHON_SDK_EXTENSION_DIR=/aihub/home/resources/python-sdk-extensions
#
# ############################################
-JOBAGENT_VERSION=2026.0.3
+JOBAGENT_VERSION=2026.1.1
JOBAGENT_SPRING_PROFILES_ACTIVE=default,prometheus
JOBAGENT_QUEUE_ACTIVEMQ_URI=failover:(tcp://aihub-activemq:61616)
JOBAGENT_CONTAINER_COUNT=2
@@ -355,7 +388,7 @@ JOBAGENT_CONTAINER_PYTHON_SDK_EXTENSIONS_DIR=/home/rapidminer/resources/python-s
#
# ############################################
-ACTIVEMQ_VERSION=2026.0.3
+ACTIVEMQ_VERSION=2026.1.1
BROKER_ACTIVEMQ_USERNAME=amq-user
BROKER_ACTIVEMQ_PASSWORD="<SERVER-AMQ-PASS-PLACEHOLDER>"
ENABLE_JMX_EXPORTER=true
@@ -366,7 +399,7 @@ ENABLE_JMX_EXPORTER=true
#
# ############################################
-JUPYTERHUB_VERSION=2026.0.3
+JUPYTERHUB_VERSION=2026.1.1
JUPYTERHUB_DBHOST=jupyterhub-db
JUPYTERHUB_DBSCHEMA=jupyterhub
JUPYTERHUB_DBUSER=jupyterhubdbuser
@@ -390,7 +423,6 @@ JUPYTERHUB_PROXY_PORT=8000
JUPYTERHUB_API_PORT=8001
JUPYTERHUB_APP_PORT=8081
# JUPYTERHUB_CUSTOM_CA_CERTS=${PWD}/ssl/deb_cacerts/
-JUPYTERHUB_DOCKER_DISABLE_NOTEBOOK_IMAGE_PULL_AT_STARTUP=False
# ############################################
#
@@ -398,7 +430,7 @@ JUPYTERHUB_DOCKER_DISABLE_NOTEBOOK_IMAGE_PULL_AT_STARTUP=False
#
# ############################################
-JUPYTERHUB_NOTEBOOK_VERSION=2026.0.3
+JUPYTERHUB_NOTEBOOK_VERSION=2026.1.1
JUPYTERHUB_NOTEBOOK_SSO_NB_UID_KEY=X_NB_UID
JUPYTERHUB_NOTEBOOK_SSO_NB_GID_KEY=X_NB_GID
@@ -431,7 +463,7 @@ JUPYTERHUB_NOTEBOOK_SHARED_ENV_VOLUME_NAME_DOCKERSPAWNER=coding-shared-vol
#
# ############################################
-PLATFORM_ADMIN_VERSION=2026.0.3
+PLATFORM_ADMIN_VERSION=2026.1.1
PLATFORM_ADMIN_SSO_CLIENT_ID=platform-admin
PLATFORM_ADMIN_SSO_CLIENT_SECRET=
PLATFORM_ADMIN_DISABLE_PYTHON=false
@@ -443,7 +475,7 @@ PLATFORM_ADMIN_DISABLE_RTS=false
#
# ############################################
-CES_VERSION=2026.0.3
+CES_VERSION=2026.1.1
DISABLE_DEFAULT_CHANNELS=True
CONDA_CHANNEL_PRIORITY=strict
HTTP_PROXY=
@@ -457,7 +489,7 @@ NO_PROXY=platform-admin
# ############################################
SCORING_AGENT_SPRING_PROFILES_ACTIVE=default,prometheus
-SCORING_AGENT_VERSION=2026.0.3
+SCORING_AGENT_VERSION=2026.1.1
SCORING_AGENT_CACHE_REPOSITORY_CLEAR_ON_COLLECTION=false
SCORING_AGENT_CACHE_REPOSITORY_MAXIMUM_SIZE=50
# Maximum age in milliseconds of entries held in the cache
@@ -518,7 +550,7 @@ WEBAPI_REGISTRY_PASSWORD=secret
WEBAPI_AIHUB_CONNECTION_PROTOCOL=http
WEBAPI_AIHUB_CONNECTION_HOST=aihub-backend
WEBAPI_AIHUB_CONNECTION_PORT=8080
-WEBAPI_AGENT_VERSION=2026.0.3
+WEBAPI_AGENT_VERSION=2026.1.1
WEBAPI_GROUP_NAME=DEFAULT
#WEBAPI_1_GROUP_NAME=
#WEBAPI_2_GROUP_NAME=
@@ -541,7 +573,7 @@ SCORING_AGENT_RAPIDMINER_LOAD_USER_CERTIFICATES=true
# ############################################
WEBAPI_GATEWAY_PROFILES_ACTIVE=default,prometheus
-WEBAPI_GATEWAY_VERSION=2026.0.3
+WEBAPI_GATEWAY_VERSION=2026.1.1
# The connect timeout in milliseconds
WEBAPI_GATEWAY_SPRING_CLOUD_GATEWAY_HTTPCLIENT_CONNECT_TIMEOUT=15000
WEBAPI_GATEWAY_SPRING_CLOUD_GATEWAY_HTTPCLIENT_RESPONSE_TIMEOUT=5m
@@ -565,10 +597,10 @@ WEBAPI_GATEWAY_LOADBALANCER_METRIC_STYLE=CPU_MEMORY
# ############################################
# Official grafana image from: https://hub.docker.com/r/grafana/grafana/
-OFFICIAL_GRAFANA_IMAGE=docker.io/grafana/grafana:12.3.4-ubuntu
+OFFICIAL_GRAFANA_IMAGE=docker.io/grafana/grafana:12.4.2-ubuntu
GF_SECURITY_ANGULAR_SUPPORT_ENABLED=true
# Image tag used by grafana-proxy and grafana-init
-GRAFANA_UTILS_VERSION=2026.0.3
+GRAFANA_UTILS_VERSION=2026.1.1
GF_AUTH_GENERIC_OAUTH_SCOPES=email,openid
GRAFANA_PROXY_REQUEST_TIMEOUT=60 # seconds
GF_DATAPROXY_TIMEOUT=60 # seconds
@@ -603,7 +635,7 @@ GF_SERVER_ROOT_URL=
#
# ############################################
-LETSENCRYPT_VERSION=2026.0.3
+LETSENCRYPT_VERSION=2026.1.1
# ############################################
#
@@ -611,7 +643,7 @@ LETSENCRYPT_VERSION=2026.0.3
#
# ############################################
-DDM_VERSION=2026.0.3
+DDM_VERSION=2026.1.1
# ############################################
#
@@ -619,7 +651,7 @@ DDM_VERSION=2026.0.3
#
# ############################################
-LANDING_PAGE_VERSION=2026.0.3
+LANDING_PAGE_VERSION=2026.1.1
LANDING_PAGE_SSO_CLIENT_ID=landing-page
LANDING_PAGE_SSO_CLIENT_SECRET=
LANDING_PAGE_DEBUG=false
@@ -655,10 +687,10 @@ DEPLOYED_PANOPTICON=false
#
# ############################################
-PANOPTICON_VIZAPP_VERSION=2026.0.3
-PANOPTICON_VIZAPP_PYTHON_VERSION=2026.0.3
-PANOPTICON_MONETDB_IMAGE_VERSION=2026.0.3
-PANOPTICON_RSERVE_IMAGE_VERSION=2026.0.3
+PANOPTICON_VIZAPP_VERSION=2026.1.1
+PANOPTICON_VIZAPP_PYTHON_VERSION=2026.1.1
+PANOPTICON_MONETDB_IMAGE_VERSION=2026.1.1
+PANOPTICON_RSERVE_IMAGE_VERSION=2026.1.1
PANOPTICON_SSO_CLIENT_ID=panopticon
PANOPTICON_SSO_CLIENT_SECRET=
docker-compose.yaml
@@ -51,6 +51,8 @@ services:
- HTTPS_KEY_PATH=${HTTPS_KEY_PATH}
- HTTPS_KEY_PASSWORD_FILE_PATH=${HTTPS_KEY_PASSWORD_FILE_PATH}
- HTTPS_DH_PATH=${HTTPS_DH_PATH}
+ - SSL_CIPHERS=${SSL_CIPHERS}
+ - SSL_PROTOCOLS=${SSL_PROTOCOLS}
- WAIT_FOR_DHPARAM=${WAIT_FOR_DHPARAM}
- DEBUG_CONF_INIT=${DEBUG_CONF_INIT}
- TZ=${TZ}
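Review bot: `${SSL_CIPHERS}` and `${SSL_PROTOCOLS}` are interpolated without a default, so a deployment where this docker-compose change is applied but the matching .env lines are not will pass empty TLS settings to the proxy (Compose substitutes an empty string and only warns). The same applies to `CACHE_MAX_AGE` in the next hunk and to `BRUTEFORCE_CHECK` and the other lockout variables in the `@@ -201,7 +205,17 @@` hunk, where an empty value might leave brute-force detection off, depending on how the init container treats it. For the security-relevant ones I would either supply a default, `- SSL_PROTOCOLS=${SSL_PROTOCOLS:-TLSv1.3}`, or fail fast with `- BRUTEFORCE_CHECK=${BRUTEFORCE_CHECK:?set BRUTEFORCE_CHECK in .env}`. The service definition starts and ends outside the hunk.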
@@ -59,6 +61,8 @@ services:
- ACCESS_CONTROL_ALLOW_ORIGIN_RTS=${ACCESS_CONTROL_ALLOW_ORIGIN_RTS}
- ACCESS_CONTROL_ALLOW_ORIGIN_GENERAL=${ACCESS_CONTROL_ALLOW_ORIGIN_GENERAL}
- CONTENT_SECURITY_POLICY=${CONTENT_SECURITY_POLICY}
+ - CACHE_MAX_AGE=${CACHE_MAX_AGE}
+ - ACCESS_CONTROL_ALLOW_ORIGIN_WEBAPI_LIST=${ACCESS_CONTROL_ALLOW_ORIGIN_WEBAPI_LIST}
ports:
- "0.0.0.0:${HTTP_PORT}:${HTTP_PORT}"
- "0.0.0.0:${HTTPS_PORT}:${HTTPS_PORT}"
@@ -158,8 +162,8 @@ services:
- KC_HOSTNAME_STRICT_BACKCHANNEL=${KC_HOSTNAME_STRICT_BACKCHANNEL}
- KC_HOSTNAME_STRICT=${KC_HOSTNAME_STRICT}
- KC_HOSTNAME_STRICT_HTTPS=${KC_HOSTNAME_STRICT_HTTPS}
- - KEYCLOAK_ADMIN=${KEYCLOAK_USER}
- - KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_PASSWORD}
+ - KC_BOOTSTRAP_ADMIN_USERNAME=${KC_BOOTSTRAP_ADMIN_USERNAME}
+ - KC_BOOTSTRAP_ADMIN_PASSWORD=${KC_BOOTSTRAP_ADMIN_PASSWORD}
- KC_LOG_LEVEL=${KC_LOG_LEVEL}
- KC_HTTP_ENABLED=${KC_HTTP_ENABLED}
- TZ=${TZ}
@@ -201,7 +205,17 @@ services:
environment:
- CUSTOM_CA_CERTS_FILE=${CUSTOM_CA_CERTS_FILE}
- DEBUG=false
+ - ACCESS_TOKEN_LIFESPAN=${ACCESS_TOKEN_LIFESPAN}
- SSO_INTERNAL_URL=${KEYCLOAK_BACKEND}
+ - BRUTEFORCE_CHECK=${BRUTEFORCE_CHECK}
+ - PERMANENT_LOCKOUT=${PERMANENT_LOCKOUT}
+ - MAX_TEMPORARY_LOCKOUTS=${MAX_TEMPORARY_LOCKOUTS}
+ - BRUTE_FORCE_STRATEGY=${BRUTE_FORCE_STRATEGY}
+ - MAX_FAILURE_WAIT_SECONDS=${MAX_FAILURE_WAIT_SECONDS}
+ - MINIMUM_QUICK_LOGIN_WAIT_SECONDS=${MINIMUM_QUICK_LOGIN_WAIT_SECONDS}
+ - WAIT_INCREMENT_SECONDS=${WAIT_INCREMENT_SECONDS}
+ - QUICK_LOGIN_CHECK_MILLI_SECONDS=${QUICK_LOGIN_CHECK_MILLI_SECONDS}
+ - FAILURE_FACTOR=${FAILURE_FACTOR}
- TZ=${TZ}
volumes:
- ./ssl:/tmp/ssl
@@ -907,7 +921,6 @@ services:
- JUPYTERHUB_API_PORT=${JUPYTERHUB_API_PORT}
- JUPYTERHUB_APP_PORT=${JUPYTERHUB_APP_PORT}
# - JUPYTERHUB_CUSTOM_CA_CERTS=${JUPYTERHUB_CUSTOM_CA_CERTS}
- - JUPYTERHUB_DOCKER_DISABLE_NOTEBOOK_IMAGE_PULL_AT_STARTUP=${JUPYTERHUB_DOCKER_DISABLE_NOTEBOOK_IMAGE_PULL_AT_STARTUP}
- SSO_USERNAME_KEY=preferred_username
- SSO_RESOURCE_ACCESS_KEY=resource_access
- JUPYTERHUB_DEFAULT_ENV_NAME=aihub-${JUPYTERHUB_VERSION}-python
panopticon/python/requirements.txt
@@ -7,4 +7,5 @@ pyarrow==19.0.1
python-string-utils==1.0.0
requests==2.32.3
beautifulsoup4==4.13.1
-lxml==5.3.0
+lxml==5.3.0
+serpent==1.41