Open Source

Starting with Dask Gateway version v2026.3.0, JupyterHub access scopes support has been added to Dask-Gateway. That means hub admins can now set, via JupyterHub role-based access control (RBAC), which hub users or groups have access to Dask-Gateway.

We helped shepherd and implement a batch of accessibility improvements in myst-theme as part of the Jupyter Book project. The Jupyter Book team blogged about it here: jupyterbook.org/blog/posts/2026/accessibility-improvements Accessibility is a key part of making technology broadly impactful and useful, and it’s increasingly a requirement for the institutions we serve.

This week, another Linux kernel exploit “Dirty Frag” (CVE-2026-43284 and CVE-2026-43500) was disclosed to the general public. Unlike the recent Copy Fail Linux kernel zero-day, this set of exploits was leaked ahead of the embargo period expiring, leaving insufficient time for kernel maintainers to release a patch.

Eric Van Dusen was running a workshop titled “Teaching in the AI Classroom: Expanding Access to Interactive Computing through JupyterHub and CloudBank” at the National Artificial Intelligence Research Resource (NAIRR) Annual Meeting, showing how JupyterHub can be used to seamlessly provide access to GPU computation for teaching.

The recently disclosed CopyFail Linux kernel zero-day (CVE-2026-31431) opens up a way for code running inside a container to break out onto the underlying node. We took a close look at our hubs to confirm whether they were exposed, confirmed that our hubs are likely not at risk, and added another layer of protection just in case.

To facilitate communities using JupyterHub for a workshop, we introduced the idea of a ‘shared password’ based authentication a few years ago. This lets communities set a single global password that is handed out to all workshop attendees (instead of collecting email addresses or GitHub usernames before the workshop starts).

A small group of Jupyter community members recently met in Seattle to demo Jupyter workflows augmented with AI tools and discuss what’s next. This is a quick report-out about what stood out.

Scott Henderson noticed core dump files appearing on home directories that were taking up space when a program crashes in one of the hubs we run for the CryoCloud community. While core dump files can be useful in some circumstances, they are almost never useful on a hub.

The Berkeley Institute for Data Science (BIDS) has joined the mybinder.org federation, contributing a new node alongside 2i2c and GESIS. BIDS is the birthplace of mybinder.org, so it’s great to see them back as an active federation member.

The Jupyter Security Working Group recently held a Security Tooling Sprint. It was a timely event given the recent spate of software supply chain attacks across the tech world. The sprint covered two main areas: