2026 Alation Backend Releases
RELEASE 2026.2.1.0
Released February 25, 2026
Note
This release is for Alation Cloud Service instances.
Deprecation Notice: User V0 Tokens
Starting with the 2026.2.1.0 release, support for User V0 tokens is deprecated.
This deprecation has been previously communicated through:
Community announcements (requires a login)
In-product notification banners. The banners have been removed in this release.
What deprecation means:
Existing User V0 tokens will continue to function during the deprecation period.
Customers are strongly encouraged to migrate to User V1 tokens to ensure continued support and compatibility.
Recommended Actions
Update integrations and automation workflows to use User V1 tokens.
Avoid creating new User V0 tokens. (AL-208247)
New Features
Ability to Organize Columns on the Schema and Table Catalog Pages
Users can now customize the columns displayed in the tables that list child objects on schema and table catalog pages. The feature is currently behind the feature flag alation.feature_flags.DEV_enable_column_customization_in_rdbms_object_page.
All users with access to the page can organize columns in the table.
Upon updating the table view, users with admin-level roles can choose to save this table view:
For all table pages in the current schema.
For the current page only, visible to everyone.
Non-admin users will have their personal view settings auto-saved. These personal view settings will override admin settings if present. (AL-222060)
Data Quality Data in Alation Analytics
The following new tables in Alation Analytics track data from Data Quality features:
alation_dq_monitors: Stores monitor data
alation_dq_checks: Stores checks in monitors and their configurations
alation_dq_anomalies: Stores anomalies in monitors and their configurations
alation_dq_check_results: Stores check results during monitor runs
alation_dq_anomaly_results: Stores anomaly results during monitor runs
alation_dq_checks_version_history: Stores historical check results for the past year.
The ETL for these tables runs only if the Data Quality feature is enabled. (AL-199700)
Support for External Authenticators for the OAuth 2.0 Authentication Flow
Alation now supports managing OAuth 2.0 client applications directly through an organization’s Identity Provider (IdP), such as Microsoft Entra ID (Azure AD) or any JWT-based IdP. Enterprises can now centrally govern OAuth client IDs, credentials, and access policies using existing Identity and Access Management controls without creating or storing OAuth secrets in Alation:
OAuth 2.0 client applications can now be fully managed in your IdP
Alation no longer issues or stores OAuth client secrets or certificates
Token validation is performed using the IdP’s JWKS endpoint
Admins map IdP-managed OAuth clients to Alation roles for authorization
Previously, OAuth clients had to be registered inside Alation, requiring credentials to be generated and maintained locally. This limited enterprise IAM teams from enforcing standard security practices such as centralized rotation, Conditional Access, auditing, and lifecycle management. With IdP-managed OAuth clients, Alation aligns with modern enterprise security and compliance models. (AL-203212)
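The validation flow described above (signature check against the IdP's published JWKS, then mapping the calling client to a role), as an added example that is not Alation's code. It assumes RS256 tokens and that the client is identified by the `azp` claim; the issuer, audience, client ID and the demo key are constructed for the example.

```python
import base64, hashlib, hmac, json, time

# ASN.1 DigestInfo prefix for SHA-256 in RSASSA-PKCS1-v1_5 (RFC 8017, section 9.2).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

class TokenRejected(Exception):
    """Raised for any token that must not be authorized."""

def b64u_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def b64u_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def encoded_message(signing_input, k):
    """EMSA-PKCS1-v1_5 encoding of the SHA-256 digest, k bytes long."""
    digest = SHA256_DIGESTINFO + hashlib.sha256(signing_input).digest()
    return b"\x00\x01" + b"\xff" * (k - len(digest) - 3) + b"\x00" + digest

def rs256_verify(signing_input, signature, jwk):
    n = int.from_bytes(b64u_decode(jwk["n"]), "big")
    e = int.from_bytes(b64u_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    recovered = pow(s, e, n).to_bytes(k, "big")
    # Rebuild the expected encoding and compare it whole instead of parsing the padding.
    return hmac.compare_digest(recovered, encoded_message(signing_input, k))

def authorize(token, jwks, issuer, audience, client_roles, now=None):
    """Return the role mapped to the calling client, or raise TokenRejected."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64u_decode(head_b64))
        claims = json.loads(b64u_decode(body_b64))
        signature = b64u_decode(sig_b64)
    except ValueError:
        raise TokenRejected("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenRejected("malformed token")
    # Pin the algorithm: never let the token choose "none" or an HMAC variant.
    if header.get("alg") != "RS256":
        raise TokenRejected("unexpected alg")
    kid = header.get("kid")
    key = next((k for k in jwks.get("keys", [])
                if kid and k.get("kid") == kid and k.get("kty") == "RSA"), None)
    if key is None:
        raise TokenRejected("unknown kid")
    if not rs256_verify(f"{head_b64}.{body_b64}".encode(), signature, key):
        raise TokenRejected("bad signature")
    # Claims are trusted only after the signature has been verified.
    aud = claims.get("aud")
    if claims.get("iss") != issuer or audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenRejected("wrong issuer or audience")
    exp = claims.get("exp")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= now:
        raise TokenRejected("expired")
    client_id = claims.get("azp")  # assumption: the client ID claim is "azp"
    role = client_roles.get(client_id) if isinstance(client_id, str) else None
    if role is None:
        raise TokenRejected("client not mapped to a role")
    return role

# Constructed demo key made of two Mersenne primes: trivially factorable, example use only.
DEMO_P, DEMO_Q, DEMO_E = 2**521 - 1, 2**607 - 1, 65537
DEMO_N = DEMO_P * DEMO_Q
DEMO_D = pow(DEMO_E, -1, (DEMO_P - 1) * (DEMO_Q - 1))
DEMO_K = (DEMO_N.bit_length() + 7) // 8

def demo_jwks():
    """Stand-in for the document an IdP serves at its JWKS endpoint."""
    return {"keys": [{"kty": "RSA", "kid": "demo-1",
                      "n": b64u_encode(DEMO_N.to_bytes(DEMO_K, "big")),
                      "e": b64u_encode(DEMO_E.to_bytes(3, "big"))}]}

def demo_token(claims, alg="RS256", kid="demo-1"):
    """Stand-in for the IdP's token endpoint: signs claims with the demo key."""
    head = b64u_encode(json.dumps({"alg": alg, "kid": kid}).encode())
    body = b64u_encode(json.dumps(claims).encode())
    em = int.from_bytes(encoded_message(f"{head}.{body}".encode(), DEMO_K), "big")
    signature = pow(em, DEMO_D, DEMO_N).to_bytes(DEMO_K, "big")
    return f"{head}.{body}.{b64u_encode(signature)}"
```

A client that authenticates successfully at the IdP but has no role mapping is still rejected, which is what makes the mapping the authorization control.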
Per-Object Parameter Defaults
The Admin Settings > Feature Configuration page now has new feature parameters (toggles) to control global defaults for per-object parameters:
Default Enable Compose Functionality: Controls whether the Compose functionality is enabled by default when creating new data sources.
Default Mark Attributes as Sensitive: Controls whether new attributes (columns) are marked as sensitive by default. When enabled, newly discovered attributes will automatically be flagged as containing sensitive data.
Default Maximum Rows to Scan: Sets the default maximum number of rows to scan during profiling for newly created schemas and tables. This controls how many rows the profiler will examine to generate statistics and samples.
Default Maximum Sample Rows to Store: Sets the default maximum number of sample rows to store from profiling for newly created schemas and tables. These sample rows are used to provide data previews and examples in the catalog.
Default Profiling Sampling Enabled: Controls whether profiling sampling is enabled by default when creating new schemas and tables.
Default Skip View Profiling: Controls whether view profiling is skipped by default when creating new schemas.
Display Table Names in BI Datasource Fields: When enabled, a new column will appear in BI datasource field tables to show the source table names for each field.
Admins can now edit defaults for per-object parameters on the data source level. These settings can be accessed via the Per-Object Parameters tab on the data source settings page. The settings will only affect newly ingested objects and will not override or cascade down to previously set per-object parameters on existing schemas, tables, or columns. These settings are only available in the New User Experience. The following per-object parameters can be set on the data source level:
Browsable: Whether objects in this data source will be viewable and searchable in the UI by default
Sample: Whether the objects in this data source will be sampled and profiled by default
Skip Views: Whether to skip views when profiling
Sensitive: Whether to mark objects in this data source sensitive by default
Max Rows To Scan: Number of rows to profile
Max Rows To Store: Number of rows to store from profiling
The following settings are adjustable via the Per-Object Parameters tab of the data source settings page in the Per-Object Parameters table:
Schema sensitivity: whether tables and attributes under the schema will be marked as sensitive
Schema sampling query: the default query that will be used for sampling and profiling
Table sensitivity: whether columns under the table will be marked as sensitive
(AL-219591)
Improvements
AL-227012: A new feature flag to enable Agent Studio has been added to the Feature Configuration admin page, accessible only by users with the Server Admin role.
AL-225786: Multiple security enhancements for the Authentication Service:
Base Docker Image: Updated to 2.3.0.
AWS SDK: Upgraded to 2.35.7.
Log4j: Upgraded to 2.25.3.
gRPC: Upgraded to 1.75.0.
Lombok: Upgraded to 1.18.34.
Multiple relevant internal libraries updated to newer, more secure versions.
Added rules to enforce the use of these safe versions, preventing older dependency versions from being introduced.
AL-222819: Improved the display of error messages in Compose execution results. Multi-line error messages now properly preserve line breaks and formatting, making database errors easier to read and troubleshoot. Long error messages will wrap appropriately without truncation, providing better visibility into query execution issues.
AL-222636: Fixed an issue where OAuth/MSAL email authentication could fail when retrieving cached tokens from Redis. Users configured with Microsoft 365 OAuth for email notifications may have experienced intermittent authentication failures when the system attempted to reuse cached OAuth tokens. Users with Microsoft 365 OAuth email configuration should now see reliable email delivery without token retrieval errors. This fix is applied automatically with no configuration changes or migration steps needed.
AL-194932: Previously, when the skip views option was enabled for a schema in the Per-Object Parameters tab, then sampling would be skipped for all views under a particular schema. This led to already sampled data for the schema not getting updated even if the Run Sample button was clicked. As a solution, we now disable the Run Sample button on the Sampling tab for any table or view if the skip views option is enabled. Also, a tooltip was added with information on why the Run Sample button is disabled.
Bug Fixes
AL-224236: Added explicit, application-level timeouts for calls to Alation’s catalog service. This change mitigates critical failure modes during unforeseen service disruptions, such as 504 responses from the web server, web server startup failures, or hanging Celery tasks that can cause queue backlogs.
AL-223677: The Metrics Celery worker has been updated to read metrics from Redis in batches. This prevents CPU exhaustion in the shared Redis cluster, mitigating the potential for Alation Cloud Service tenant downtime.
AL-215015: Addressed performance issues when loading Object Set fields with a large number of items (more than 50), improving load times for document catalog pages. The optimization involves preloading the necessary metadata for objects in the Object Set, which reduces the number of database queries and lookups required during serialization, resulting in faster response times for the internal API.
AL-191966: Resolved a stored Cross-Site Scripting (XSS) vulnerability related to uploaded media files. This issue could potentially allow unauthorized JavaScript code execution through specially crafted SVG images, even with existing upload filters in place. The system now strictly blocks JavaScript execution within uploaded media files (including SVG files used for homepage customization) when users access them directly through media server URLs. The implementation of a stricter Content Security Policy (CSP) prevents attackers from exploiting malicious embedded scripts to perform unauthorized actions.
RELEASE 2026.2.0.0
Released February 17, 2026
Note
This release is for Alation Cloud Service instances.
Enhancements
AL-209626: Improved the Alation Analytics ETL performance for incremental data extraction:
Enhanced the incremental ETL extraction logic to use hour-level precision for the extraction start time. Previously, multiple ETL runs on the same day would redundantly reprocess data from midnight. Now, each run starts from the hour of the last processed timestamp, eliminating duplicate processing and improving overall ETL performance.
Impact:
Faster ETL run times when multiple extractions occur within the same day
Reduced compute resource usage
No action is required: this improvement is applied automatically
AL-223552: When the Lexicon flag is disabled, the Lexicon feature is fully hidden and cannot be accessed or run from the UI or settings.
Bug Fixes
AL-213747: All catalog objects now display up to 100 tags in the UI, addressing user concerns about mismatch on tag visibility between the UI and Alation Analytics. Previously, the catalog page UI was creating some confusion on the number of tags visible under the tags section which was caused by previous truncation at 20 tags. With this change, users can now see up to 100 tags without truncation and get the exact count of tags applied to an object. For objects with more than 100 tags, the UI will still truncate the display but this is expected to cover most use cases effectively.
AL-207603: Fixed slow loading times for Published Queries and Query Run History on schema and table catalog pages. Previously, the loading of Published Queries or Query Run History could be slow, especially for queries with multiple collaborators. Now, these sections load significantly faster due to optimized data retrieval.
AL-222072: Fixed an MDE custom field extraction failure caused by duplicate object field data being passed to the internal update_custom_fields_in_bulk interface from the custom field link downstream job.
AL-220064: The Run Sample button on table profiling pages is now restricted based on user role.
Users with Viewer or Explorer roles can no longer see or access the Run Sample button and connection controls.
Users with Composer, Steward, Source Admin, Catalog Admin, or Server Admin roles retain full access to the sampling functionality.
AL-208513: Fixed pagination with count mismatch issues on tagged items listing on the Tag page. This fix addresses inconsistencies observed in Neo and Classic User Experiences. The issue was primarily due to inflated counts from deleted items and pagination logic errors. While the deleted items don’t show up in the listing, they were counted towards the total, leading to a mismatch between the displayed count and actual items. The fix involved refining the pagination logic to accurately reflect only non-deleted items, ensuring consistency across different UI experiences. Note that during page load, there might still be minor discrepancies in counts due to asynchronous data fetching, but these will resolve once loading is complete.
AL-215849: Fixed the RST_STREAM error encountered during the table profiling/sampling job.
AL-165519: When scheduled queries fail to run because query scheduling is disabled or not supported by the data source, users will now see clear error messages in the query execution history instead of the queries incorrectly showing as running.
AL-222332: Previously, Alation allowed only http and https schemes in the redirect URI for the OAuth application configuration. Now, this can be configured to support custom schemes such as cursor. Customers can file a support ticket to add a custom scheme as needed.
AL-222065: Fixed a font rendering inconsistency in the Compose Sapphire theme when the Public Sans font couldn’t be loaded and the interface would fall back to the browser’s default font. Users who previously experienced a fallback to system default fonts (like Times New Roman) when Public Sans was unavailable now see appropriate sans-serif fonts. This change ensures users see appropriate sans-serif fonts that maintain Alation’s visual design standards.
AL-217891: Fixed an issue where the lineage service wasn’t starting when a custom password was set by the customer.
AL-200379: Fixed an issue when users select to run queries and ignore errors in Compose.
PATCH RELEASE 2026.1.0.1
build 22.0.0.129077
Released February 13, 2026
Note
This patch release is available for Alation Cloud Service instances on the cloud-native architecture. It doesn’t apply to customer-managed (on-premise) deployments.
Fixed an issue where hanging calls to the catalog service caused critical service disruptions. These disruptions included 504 errors, web server startup failures, and Celery task backlogs. The patch adds explicit, application-level timeouts for all catalog service requests so the system remains responsive even during unforeseen service interruptions. (AL-224236)
Fixed an issue where high CPU usage in shared Redis (ElastiCache) clusters could lead to application blocking and downtime. Updated the metrics Celery worker to read data from Redis in batches. This change significantly reduces the processing load and improves the stability of the caching layer. (AL-223677)
RELEASE 2026.1.0.0
build 22.0.0.129077
Released February 5, 2026
Note
This release is available for all Alation instance types: customer-managed (on-premise) and Alation Cloud Service.
New Features
Search Filter Customization
Alation Cloud Service, Customer Managed
With Search Filter Customization, admins can define which filters appear in the left-side filter panel on the Search page for different groups of users, reducing the time users spend navigating a large set of filters.
In Admin Settings > Customize Search Filters, Server and Catalog Admins can now create, update, duplicate, and delete custom search filters and scope them to specific user groups, enabling more relevant and targeted filtering experiences across teams.
To assign groups, admins assign Applicable Groups to each custom filter. Users see only the filters relevant to their groups in the full-search left panel, while users without an assigned group fall back to the Default Filter settings (which cannot be deleted). Each group can be assigned to only one filter setting; if a user belongs to multiple groups, visible filters are combined and hidden filters are applied conservatively. (AL-213373)
URI Override for Data Product Chat
Alation Cloud Service
Added support for specifying a URI override during data source authentication when chatting with data in a data product. The new text field allows users to provide a custom URI with parameters that differ from the default Delivery System URI, enabling greater flexibility in how connections can be established for Chat queries. (AL-215922)
Data Quality Standards
Alation Cloud Service
Introducing reusable, policy-driven data quality standards that make it easy to define, apply, and scale consistent quality rules across your most critical data assets. Data Quality Standards help ensure shared expectations between data producers and consumers, reinforce governance policies, and improve trust by standardizing how quality is measured and enforced across the organization. (AL-214457)
FinOps Reporting
Alation Cloud Service
Added Run Time charts in the Monitor details page to provide greater visibility into the cost and usage of your data quality monitoring. This feature provides clear insights into monitored assets, execution frequency, and overall consumption, helping teams optimize spend, forecast usage, and align data quality investments with business priorities. (AL-215984)
Alamigo in Compose
Alation Cloud Service
Alamigo is now supported in the Compose user interface. (AL-215359)
Support for Custom Content Security Policy (CSP)
Customer Managed
Alation now supports custom Content Security Policy (CSP) configuration for customer-managed (on-prem) deployments. This feature allows Server Admins to opt in to a more restrictive, security-hardened CSP to better protect against cross-site scripting (XSS) and other code-injection attacks, while maintaining compatibility with common third-party integrations. The restrictive CSP is disabled by default, so existing environments continue to use the current permissive policy unless explicitly enabled.
When turned on, the policy includes built-in support for widely used integrations. Administrators can also add custom trusted domains to support organization-specific integrations as needed. The feature is configured via two alation_conf settings: nginx.csp_custom_enabled (default False) to enable the restrictive CSP with default integrations, and nginx.csp_custom to specify additional trusted domains as a space-separated list. (AL-199087)
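A pre-change review of a proposed nginx.csp_custom value, as an added example that is not part of Alation's tooling: it splits the space-separated list and flags entries that would undo what the restrictive policy provides. It assumes each entry ends up as a CSP host-source; the shared-hosting suffix list is illustrative and the sample domains are constructed.

```python
import re

# Assumption: each nginx.csp_custom entry is used as a CSP host-source
# (optional https:// or wss:// scheme, optional "*." wildcard, host, optional port).
HOST_SOURCE = re.compile(
    r"^(?P<scheme>https://|wss://)?(?P<wild>\*\.)?"
    r"(?P<host>[a-z0-9-]+(?:\.[a-z0-9-]+)+)(?::(?P<port>\d{1,5}|\*))?$"
)

# Sources that match every origin, or every origin of one scheme.
BROAD_SOURCES = {"*", "http:", "https:", "ws:", "wss:", "data:", "blob:", "filesystem:"}

# Illustrative, not exhaustive: suffixes under which any customer can host content,
# so a wildcard over them trusts far more than one integration.
SHARED_HOSTING = ("cloudfront.net", "amazonaws.com", "githubusercontent.com",
                  "blob.core.windows.net")

def under_shared_hosting(host):
    return any(host == s or host.endswith("." + s) for s in SHARED_HOSTING)

def review_csp_custom(value):
    """Return (accepted, findings) for a space-separated trusted-domain list.

    accepted is the list of entries that are plain hosts or narrow wildcards;
    findings is a list of (entry, reason) pairs for everything else.
    """
    accepted, findings = [], []
    for raw in value.split():
        entry = raw.lower()
        if entry in BROAD_SOURCES:
            findings.append((raw, "matches every origin of that scheme"))
        elif entry.startswith("'"):
            findings.append((raw, "keyword source, not a trusted domain"))
        elif entry.startswith(("http://", "ws://")):
            findings.append((raw, "cleartext scheme"))
        else:
            match = HOST_SOURCE.match(entry)
            if match is None:
                findings.append((raw, "not a plain host or wildcard subdomain"))
            elif match["wild"] and under_shared_hosting(match["host"]):
                findings.append((raw, "wildcard over shared hosting"))
            else:
                accepted.append(entry)
    return accepted, findings

if __name__ == "__main__":
    # Constructed sample value for the nginx.csp_custom setting.
    proposed = ("https://cdn.example.com *.cloudfront.net 'unsafe-inline' https: "
                "http://legacy.example.com widgets.example.org:443")
    ok, problems = review_csp_custom(proposed)
    print("accepted:", " ".join(ok))
    for entry, reason in problems:
        print(f"review:   {entry}  ({reason})")
```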
Integration API Debouncing
Alation Cloud Service, Customer Managed
Added support for debouncing public API integration jobs to reduce system load when processing small batch requests.
When enabled via the alation.public_api.rdbms.integration.debounce_interval configuration flag, multiple calls to the RDBMS ingestion public APIs (/integration/v2/schema/, /integration/v2/table/, and /integration/v2/attribute/) are debounced and processed together, improving efficiency for high-frequency API usage patterns. (AL-219625)
Configurable Rich Text Field Truncation for Alation Analytics
Alation Cloud Service
For Alation Analytics, you can now enable configurable truncation of large TEXT and RICH_TEXT fields during Alation Analytics extraction to prevent extraction failures and out-of-memory errors caused by extremely large rich-text content. Truncation is only applicable to custom fields.
When the feature flag alation_analytics-v2.extract.rtf_text_truncation is enabled, TEXT and RICH_TEXT values are truncated during extraction to the size specified by alation_analytics-v2.extract.rtf_truncation_limit_in_bytes (default: 1 MB).
Truncation affects analytics extraction only and does not modify catalog data. This feature is disabled by default. (AL-186350)
Enhancements
Updated the Admin user interface for Data Product entitlements to ensure the data product widget is displayed only when the Data Product feature flag is enabled, preventing unintended visibility when the feature is turned off. (AL-215425, Alation Cloud Service)
Previously, only Server Admins could see and change the SSO configuration dropdown in Data Products, which limited delegated management. We’ve expanded visibility and adjusted the permission checks so that Data Product Admins who hold a role consuming the Creator license can now select and configure SSO for their data products without needing full Server Admin rights. (AL-219624, Alation Cloud Service)
Removed the hard limit of 1,100 data sources in the upstream or downstream connections selector in Lineage settings and updated the component to scale better. Instead of loading all sources client-side, the selector and search are now powered by the Catalog Search API, which may surface broader (partial) matches in addition to exact matches. Results are now paginated, loading 50 items at a time, with Load More and Load Previous controls, and search can be used to quickly find specific data sources in large environments. (AL-207090)
If the customer is using PrivateLink or Dedicated Access, Alation now displays an alternative user interface with the correct URL of the dedicated forward proxies. The option to use the shared proxies still exists. (AL-183194, Alation Cloud Service)
Optimized the ETL extraction for Domains and Object Sets to use an incremental strategy. Previously, these objects were fully refreshed during every ETL run. (AL-203338)
Bug Fixes
Fixed an issue where non-admin users could edit picker fields added to a domain template when the Unified Tags feature flag was enabled. Picker field editability on the Domain catalog page is now correctly enforced, ensuring that only users with appropriate roles can modify these fields. (AL-220530)
Fixed an issue where the SCIM token creation section did not appear in Admin Settings even after SCIM was enabled. The SCIM token section now correctly displays in the Auth tab when directory sync is enabled (user_group_management.sync_from_directory_provider.enabled = true) and the sync protocol is set to SCIM (user_group_management.sync_from_directory_provider.protocol = scim).
Fixed an issue where private dbt objects appeared in search results for Stewards but returned a 403 error when opened. Search query filters now respect granular permissions, ensuring users only see DBT objects they are authorized to access. (AL-218010)
Fixed a document editing issue by ensuring a document page honors and applies permissions inherited from its immediate parent folder. When a document inherits permissions, the parent folder’s edit or view rules are now enforced correctly on the document. (AL-217718)
When Unified Tags are enabled, duplicate Picker custom field names are now restricted consistently across both the Custom Fields UI and the public Custom Fields API. Other field types (such as Multi-Picker, Date, Rich Text, and Object Set) can be created or updated without restrictions. The public API now enforces the same duplicate-name validation as the user interface, preventing bulk creation or updates of picker fields that conflict with existing picker field names. (AL-216970)
Fixed an issue where @-mentioned objects in catalog descriptions (rich-text custom fields) were not rendering correctly in notification emails for Stewards. Mentions now display as expected in notification emails. (For article objects, title hydration is skipped since they are being phased out to avoid unnecessary performance overhead.) (AL-216654)
Fixed an issue where the SCIM token section was visible in the Auth tab of Admin Settings even when the SCIM feature was disabled. The section is now hidden unless the required SCIM feature flags are enabled, and the token status message has been updated to clearly read “The token expired on <time>” when a token has expired. (AL-216220)
Fixed an issue where the SCIM token expiry banner appeared in the New User Experience UI even when SCIM sync was disabled. The banner is now shown only when directory sync is enabled (user_group_management.sync_from_directory_provider.enabled = true) and the sync protocol is set to SCIM (user_group_management.sync_from_directory_provider.protocol = scim). (AL-216030)
Fixed an issue where the statement was not displayed on the execution results page if {""} appeared in comments or elsewhere within the statement. (AL-215356)
Fixed an issue in Bulk Management document imports where uploading documents to a Document Hub folder could appear successful in the user interface but fail in the error report with a NoneType object has no attribute replace message. The document creation flow now correctly handles cases where title and description field IDs are present in the header row, ensuring imports complete reliably. (AL-215211)
Fixed an issue where enabling the Unified Source Tags feature flag caused the migration script to fail with a duplicate key value violates unique constraint unique_source_tag error. The migration now correctly handles duplicate tag entries, which can occur when source tags are recreated in Snowflake, ensuring the unified tags migration completes successfully. (AL-215018)
Resolved performance issues on the Alation Analytics ETL Status Dashboard that caused 504 Gateway Timeout errors due to slow queries exceeding load balancer limits. The ETL status query was optimized by removing unnecessary joins and consolidating timing data to use etl_metrics as the primary source, reducing execution time from over 60 seconds to under 1 second. (AL-214624)
Addressed CIS Docker Benchmark recommendations. For customer-managed installations, inter-container communication (ICC) is now explicitly disabled on the default Docker bridge to further restrict network traffic, even though the default bridge is not otherwise used. For both Alation Cloud Service and Customer-managed deployments, the ADD instruction in Dockerfiles has been replaced with COPY in the base transform image used by Alation Analytics. (AL-214329)
Fixed a bug affecting CSV metadata uploads for Virtual Data Sources where the has_user_defined_multipart_schema_names field was incorrectly initialized as None. The field is now explicitly set to False by default when data sources are created via the API, ensuring metadata uploads work as expected. (AL-214242)
Previously, some SAP BO reports were still missing lineage even though their queries referenced HANA models. This update correctly handles nested prompts enabling lineage for the affected reports. (AL-213112)
Fixed an issue where the Lineage chart did not switch to Incremental load even when it was set as the default. Lineage now correctly applies user preferences on first load. (AL-210722)
Fixed an issue where newly created subfolders always defaulted to public access regardless of the parent folder’s permissions. Subfolders now copy the parent folder’s access settings at creation time, ensuring consistent access control. Permissions are cloned at subfolder creation time, not dynamically inherited (unlike document inheritance mode permission). Existing subfolders retain their current permissions unless updated manually. (AL-210101)
Fixed an issue where scheduled queries for RDBMS data sources could fail and cause the active queue to back up. The scheduler now detects Daylight Saving Time (DST) transitions to prevent duplicate executions. (AL-209796)
Fixed an issue where a single-reference field could end up containing multiple links after a linked document was deleted and later restored. The reference field now enforces its one-to-one relationship by replacing any existing reference (including soft-deleted ones) when a new reference is added, preventing duplicate links and ensuring consistent behavior. (AL-209373)
Fixed a potential HTML injection issue in Workflow Center (Classic User Experience) where the workflow creation success message could render HTML content from the title. The snackbar alert now sanitizes HTML content, aligning behavior with the New User Experience. (AL-208704)
Updated the Classic User Experience to enable Alamigo integration that can detect configuration issues and Metadata Extraction (MDE) job errors for supported connectors and provide guided, in-product assistance to help Admins resolve problems quickly. (AL-207941)
Fixed an issue where the ETL job for the data_products_searches analytics table failed due to a unique constraint violation on search_id. The job now correctly handles cases with empty search_id values, preventing constraint violations and ensuring the load to the dimension table completes successfully. (AL-207936)
Fixed a permissions issue where Catalog Admins with the correct custom field access were unable to upload a data dictionary for BI data source objects when updating descriptions. The data dictionary upload flow now correctly honors BI asset permissions, preventing errors like “You do not have permission to edit catalog object”. (AL-207096)
Fixed an issue where Lineage continued to display catalog objects that were deleted, which confused users because those objects no longer appeared in the catalog user interface. With this change:
Soft-deleted (“GONE”) objects are hidden from lineage charts by default, so the lineage view matches what users expect to see in the Catalog.
Hard-deleted objects will still appear as temporary (“TMP”) objects in lineage charts (since lineage may still reference them).
Users can view soft-deleted objects in lineage charts by enabling the Show Gone objects filter. (AL-201146)