diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3aff72840..dbfbaed52 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,6 +18,7 @@ All notable changes to this project will be documented in this file.
 - zookeeper: Add `3.9.5` ([#1515]).
 - hadoop: Add `3.5.0` and `3.4.3` ([#1511]).
 - airflow: Add `3.2.1` ([#1519]).
+- druid: Add `37.0.0` ([#1535]).
 
 ### Changed
 
@@ -44,6 +45,7 @@ All notable changes to this project will be documented in this file.
 - nifi: Remove `1.28.1`, deprecate `2.7.2` ([#1520]).
 - opa: Remove `1.8.0` ([#1509]).
 - spark-k8s: Remove `3.5.7` and `4.0.1` ([#1525]).
+- druid: Remove `34.0.0` ([#1535]).
 
 [#1446]: https://github.com/stackabletech/docker-images/pull/1446
 [#1452]: https://github.com/stackabletech/docker-images/pull/1452
@@ -70,6 +72,7 @@ All notable changes to this project will be documented in this file.
 [#1521]: https://github.com/stackabletech/docker-images/pull/1521
 [#1525]: https://github.com/stackabletech/docker-images/pull/1525
 [#1524]: https://github.com/stackabletech/docker-images/pull/1524
+[#1535]: https://github.com/stackabletech/docker-images/pull/1535
 
 ## [26.3.0] - 2026-03-16
 
diff --git a/druid/boil-config.toml b/druid/boil-config.toml
index 8084de0fb..d5eb7135e 100644
--- a/druid/boil-config.toml
+++ b/druid/boil-config.toml
@@ -1,7 +1,7 @@
 [metadata.registries]
 "oci.stackable.tech" = { namespace = "sdp" }
 
-# LTS since 24.11
+# Deprecated since 26.7
 [versions."30.0.1".local-images]
 # https://druid.apache.org/docs/30.0.1/operations/java/
 java-base = "17"
@@ -11,22 +11,24 @@ java-devel = "17"
 [versions."30.0.1".build-arguments]
 authorizer-version = "0.7.0"
 
-[versions."34.0.0".local-images]
-# https://druid.apache.org/docs/34.0.0/operations/java/
-java-base = "17"
-java-devel = "17"
-"hadoop/hadoop" = "3.4.2" # TODO: Bump to 3.4.3
-
-# Deprecated since 26.3
-[versions."34.0.0".build-arguments]
-authorizer-version = "0.7.0"
-
-# Supported
+# Deprecated since 26.7
 [versions."35.0.1".local-images]
 # https://druid.apache.org/docs/35.0.1/operations/java/
 java-base = "21"
 java-devel = "21"
-"hadoop/hadoop" = "3.4.2" # TODO: Bump to 3.4.3
+"hadoop/hadoop" = "3.4.3"
 
 [versions."35.0.1".build-arguments]
 authorizer-version = "0.7.0"
+
+# LTS since 26.7
+[versions."37.0.0".local-images]
+# https://druid.apache.org/docs/37.0.0/operations/java/
+java-base = "21"
+java-devel = "21"
+"hadoop/hadoop" = "3.4.3"
+
+[versions."37.0.0".build-arguments]
+# We don't need to bump this if no code changed in https://github.com/stackabletech/druid-opa-authorizer
+# But a PR still needs to be raised to add/remove versions and ensure it still builds.
+authorizer-version = "0.7.0"
diff --git a/druid/stackable/patches/34.0.0/0004-Updates-all-dependencies-that-have-a-new-patch-relea.patch b/druid/stackable/patches/34.0.0/0004-Updates-all-dependencies-that-have-a-new-patch-relea.patch
deleted file mode 100644
index 1196b2554..000000000
--- a/druid/stackable/patches/34.0.0/0004-Updates-all-dependencies-that-have-a-new-patch-relea.patch
+++ /dev/null
@@ -1,137 +0,0 @@
-From 90757e20d151e2744f5206df1f6b9fdc1992d78a Mon Sep 17 00:00:00 2001
-From: xeniape <xenia.fischer@stackable.tech>
-Date: Tue, 23 Sep 2025 09:42:23 +0200
-Subject: Updates all dependencies that have a new patch release available.
-
----
- extensions-core/druid-pac4j/pom.xml           |  2 +-
- extensions-core/kubernetes-extensions/pom.xml |  2 +-
- extensions-core/orc-extensions/pom.xml        |  2 +-
- pom.xml                                       | 24 ++++++++++++-------
- processing/pom.xml                            |  2 +-
- 5 files changed, 19 insertions(+), 13 deletions(-)
-
-diff --git a/extensions-core/druid-pac4j/pom.xml b/extensions-core/druid-pac4j/pom.xml
-index 8e742e5f17..f5836cb8a4 100644
---- a/extensions-core/druid-pac4j/pom.xml
-+++ b/extensions-core/druid-pac4j/pom.xml
-@@ -34,7 +34,7 @@
-   </parent>
- 
-   <properties>
--    <pac4j.version>4.5.7</pac4j.version>
-+    <pac4j.version>4.5.8</pac4j.version>
- 
-     <!-- Following must be updated along with any updates to pac4j version. One can find the compatible version of nimbus libraries in org.pac4j:pac4j-oidc dependencies-->
-     <nimbus.lang.tag.version>1.7</nimbus.lang.tag.version>
-diff --git a/extensions-core/kubernetes-extensions/pom.xml b/extensions-core/kubernetes-extensions/pom.xml
-index 9e9ddfd458..1ef515a68f 100644
---- a/extensions-core/kubernetes-extensions/pom.xml
-+++ b/extensions-core/kubernetes-extensions/pom.xml
-@@ -34,7 +34,7 @@
-   </parent>
- 
-   <properties>
--    <kubernetes.client.version>19.0.0</kubernetes.client.version>
-+    <kubernetes.client.version>19.0.2</kubernetes.client.version>
-   </properties>
- 
- 
-diff --git a/extensions-core/orc-extensions/pom.xml b/extensions-core/orc-extensions/pom.xml
-index 656f34134f..376337f009 100644
---- a/extensions-core/orc-extensions/pom.xml
-+++ b/extensions-core/orc-extensions/pom.xml
-@@ -31,7 +31,7 @@
-     </parent>
-     <modelVersion>4.0.0</modelVersion>
-     <properties>
--        <orc.version>1.7.6</orc.version>
-+        <orc.version>1.7.11</orc.version>
-     </properties>
-     <dependencies>
-         <dependency>
-diff --git a/pom.xml b/pom.xml
-index 369550e166..ae6f8f9c15 100644
---- a/pom.xml
-+++ b/pom.xml
-@@ -73,7 +73,7 @@
-         <java.version>11</java.version>
-         <maven.compiler.release>${java.version}</maven.compiler.release>
-         <project.build.resourceEncoding>UTF-8</project.build.resourceEncoding>
--        <aether.version>0.9.0.M2</aether.version>
-+        <aether.version>0.9.1.v20140329</aether.version>
-         <apache.curator.version>5.8.0</apache.curator.version>
-         <apache.kafka.version>3.9.1</apache.kafka.version>
-         <!-- when updating apache ranger, verify the usage of aws-bundle-sdk vs aws-logs-sdk
-@@ -90,11 +90,14 @@
-         <confluent.version>6.2.15</confluent.version>
-         <cronutils.version>9.2.0</cronutils.version>
-         <datasketches.version>4.2.0</datasketches.version>
--        <datasketches.memory.version>2.2.0</datasketches.memory.version>
-+        <datasketches.memory.version>2.2.1</datasketches.memory.version>
-         <derby.version>10.14.2.0</derby.version>
--        <dropwizard.metrics.version>4.2.22</dropwizard.metrics.version>
-+        <dropwizard.metrics.version>4.2.30</dropwizard.metrics.version>
-         <errorprone.version>2.35.1</errorprone.version>
--        <fastutil.version>8.5.4</fastutil.version>
-+        <!-- An additional null check was introduced in fastutils 8.5.7 that breaks data ingestion tasks:
-+             https://github.com/stackabletech/druid-operator/issues/595
-+             https://github.com/vigna/fastutil/commit/598a4fd064e193be69ea324aa86947477c82ede8 -->
-+        <fastutil.version>8.5.6</fastutil.version>
-         <guava.version>32.1.3-jre</guava.version>
-         <guice.version>5.1.0</guice.version>
-         <hamcrest.version>1.3</hamcrest.version>
-@@ -102,13 +105,13 @@
-         <jersey.version>1.19.4</jersey.version>
-         <jackson.core.version>2.18.4.1</jackson.core.version>
-         <jackson.version>2.18.4</jackson.version>
--        <codehaus.jackson.version>1.9.13</codehaus.jackson.version>
-+        <codehaus.jackson.version>1.9.14-MULE-002</codehaus.jackson.version>
-         <log4j.version>2.22.1</log4j.version>
-         <mysql.version>8.2.0</mysql.version>
-         <mariadb.version>2.7.3</mariadb.version>
-         <netty3.version>3.10.6.Final</netty3.version>
-         <netty4.version>4.1.122.Final</netty4.version>
--        <postgresql.version>42.7.2</postgresql.version>
-+        <postgresql.version>42.7.5</postgresql.version>
-         <protobuf.version>3.25.5</protobuf.version>
-         <resilience4j.version>1.3.1</resilience4j.version>
-         <slf4j.version>2.0.16</slf4j.version>
-@@ -117,18 +120,21 @@
-         <hadoop.compile.version>3.3.6</hadoop.compile.version>
-         <graaljs.version>22.3.5</graaljs.version>
-         <mockito.version>5.14.2</mockito.version>
-+        <!-- mockito-inline artifact was removed in mockito 5.3 (mockito 5.x is required for Java >17),
-+             however it is required in some cases when running against mockito 4.x (mockito 4.x is required for Java <11. We use the following property to pick the proper artifact based on Java version (see pre-java-11 profile) -->
-+        <mockito.inline.artifact>core</mockito.inline.artifact>
-         <aws.sdk.version>1.12.784</aws.sdk.version>
--        <caffeine.version>2.8.0</caffeine.version>
-+        <caffeine.version>2.8.8</caffeine.version>
-         <jacoco.version>0.8.12</jacoco.version>
-         <testcontainers.version>1.21.3</testcontainers.version>
-         <hibernate-validator.version>6.2.5.Final</hibernate-validator.version>
--        <httpclient.version>4.5.13</httpclient.version>
-+        <httpclient.version>4.5.14</httpclient.version>
-         <!-- When upgrading ZK, edit docs and integration tests as well (integration-tests/docker-base/setup.sh) -->
-         <zookeeper.version>3.8.4</zookeeper.version>
-         <checkerframework.version>3.48.1</checkerframework.version>
-         <com.google.apis.client.version>2.2.0</com.google.apis.client.version>
-         <com.google.http.client.apis.version>1.42.3</com.google.http.client.apis.version>
--        <com.google.apis.compute.version>v1-rev20230606-2.0.0</com.google.apis.compute.version>
-+        <com.google.apis.compute.version>v1-rev20250107-2.0.0</com.google.apis.compute.version>
-         <com.google.cloud.storage.version>2.29.1</com.google.cloud.storage.version>
-         <jdk.strong.encapsulation.argLine>
-             <!-- Strong encapsulation parameters -->
-diff --git a/processing/pom.xml b/processing/pom.xml
-index 05232d48c1..a10f42d189 100644
---- a/processing/pom.xml
-+++ b/processing/pom.xml
-@@ -36,7 +36,7 @@
-     <sigar.base.version>1.6.5</sigar.base.version>
-     <sigar.version>${sigar.base.version}.132</sigar.version>
-     <ipaddress.version>5.3.4</ipaddress.version>
--    <oshi.version>6.4.4</oshi.version>
-+    <oshi.version>6.4.13</oshi.version>
-   </properties>
- 
-   <dependencies>
diff --git a/druid/stackable/patches/34.0.0/0007-Update-CycloneDX-plugin.patch b/druid/stackable/patches/34.0.0/0007-Update-CycloneDX-plugin.patch
deleted file mode 100644
index 88f2980be..000000000
--- a/druid/stackable/patches/34.0.0/0007-Update-CycloneDX-plugin.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From e21f0654a1a9f62cb5a679713bb3c6448396b1c5 Mon Sep 17 00:00:00 2001
-From: xeniape <xenia.fischer@stackable.tech>
-Date: Tue, 23 Sep 2025 09:43:11 +0200
-Subject: Update CycloneDX plugin
-
----
- pom.xml | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/pom.xml b/pom.xml
-index ae6f8f9c15..83f10a4513 100644
---- a/pom.xml
-+++ b/pom.xml
-@@ -1817,7 +1817,11 @@
-             <plugin>
-                 <groupId>org.cyclonedx</groupId>
-                 <artifactId>cyclonedx-maven-plugin</artifactId>
--                <version>2.7.9</version>
-+                <version>2.8.0</version>
-+                <configuration>
-+                    <projectType>application</projectType>
-+                    <schemaVersion>1.5</schemaVersion>
-+                </configuration>
-                 <executions>
-                     <execution>
-                         <phase>package</phase>
diff --git a/druid/stackable/patches/34.0.0/0008-Fix-CVE-2024-36114.patch b/druid/stackable/patches/34.0.0/0008-Fix-CVE-2024-36114.patch
deleted file mode 100644
index f1482637f..000000000
--- a/druid/stackable/patches/34.0.0/0008-Fix-CVE-2024-36114.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 224add10a0b0cac239ba44d0a7e576ae715acc72 Mon Sep 17 00:00:00 2001
-From: xeniape <xenia.fischer@stackable.tech>
-Date: Tue, 23 Sep 2025 09:43:28 +0200
-Subject: Fix CVE-2024-36114
-
-Fix CVE-2024-36114
-see https://github.com/stackabletech/vulnerabilities/issues/834
-
-Aircompressor is a library with ports of the Snappy, LZO, LZ4, and
-Zstandard compression algorithms to Java. All decompressor
-implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash
-the JVM for certain input, and in some cases also leak the content of
-other memory of the Java process (which could contain sensitive
-information). When decompressing certain data, the decompressors try to
-access memory outside the bounds of the given byte arrays or byte
-buffers. Because Aircompressor uses the JDK class sun.misc.Unsafe to
-speed up memory access, no additional bounds checks are performed and
-this has similar security consequences as out-of-bounds access in C or
-C++, namely it can lead to non-deterministic behavior or crash the JVM.
-Users should update to Aircompressor 0.27 or newer where these issues
-have been fixed. When decompressing data from untrusted users, this can
-be exploited for a denial-of-service attack by crashing the JVM, or to
-leak other sensitive information from the Java process. There are no
-known workarounds for this issue.
----
- pom.xml | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/pom.xml b/pom.xml
-index 83f10a4513..c07e203713 100644
---- a/pom.xml
-+++ b/pom.xml
-@@ -287,6 +287,12 @@
-     </pluginRepositories>
-     <dependencyManagement>
-         <dependencies>
-+            <!-- Mitigate CVE-2024-36114: See https://github.com/stackabletech/vulnerabilities/issues/834 -->
-+            <dependency>
-+                <groupId>io.airlift</groupId>
-+                <artifactId>aircompressor</artifactId>
-+                <version>0.27</version>
-+            </dependency>
-             <!-- Compile Scope -->
-             <dependency>
-                 <groupId>commons-codec</groupId>
diff --git a/druid/stackable/patches/34.0.0/0001-Removes-all-traces-of-the-druid-ranger-extension.patch b/druid/stackable/patches/37.0.0/0001-Removes-all-traces-of-the-druid-ranger-extension.patch
similarity index 79%
rename from druid/stackable/patches/34.0.0/0001-Removes-all-traces-of-the-druid-ranger-extension.patch
rename to druid/stackable/patches/37.0.0/0001-Removes-all-traces-of-the-druid-ranger-extension.patch
index fac6e8e30..b7003f05a 100644
--- a/druid/stackable/patches/34.0.0/0001-Removes-all-traces-of-the-druid-ranger-extension.patch
+++ b/druid/stackable/patches/37.0.0/0001-Removes-all-traces-of-the-druid-ranger-extension.patch
@@ -1,4 +1,4 @@
-From 515da2a96db1835133e2b367d4c006ce4fcf8a3a Mon Sep 17 00:00:00 2001
+From 319acbb818938c36b27f875e243c157dfc32fff4 Mon Sep 17 00:00:00 2001
 From: xeniape <xenia.fischer@stackable.tech>
 Date: Mon, 22 Sep 2025 14:20:53 +0200
 Subject: Removes all traces of the druid ranger extension
@@ -9,27 +9,27 @@ Subject: Removes all traces of the druid ranger extension
  2 files changed, 3 deletions(-)
 
 diff --git a/distribution/pom.xml b/distribution/pom.xml
-index f7e9766494..7c2573fbd4 100644
+index a1b2da00d3..51ce7563ea 100644
 --- a/distribution/pom.xml
 +++ b/distribution/pom.xml
-@@ -460,8 +460,6 @@
-                                         <argument>org.apache.druid.extensions.contrib:druid-rabbit-indexing-service</argument>
+@@ -448,8 +448,6 @@
                                          <argument>-c</argument>
                                          <argument>org.apache.druid.extensions.contrib:grpc-query</argument>
--                                        <argument>-c</argument>
+                                         <argument>-c</argument>
 -                                        <argument>org.apache.druid.extensions.contrib:druid-ranger-security</argument>
+-                                        <argument>-c</argument>
+                                         <argument>org.apache.druid.extensions.contrib:druid-exact-count-bitmap</argument>
                                      </arguments>
                                  </configuration>
-                             </execution>
 diff --git a/pom.xml b/pom.xml
-index 35ebdfdc34..829ddbd9e7 100644
+index 614ab31c09..6548d3a661 100644
 --- a/pom.xml
 +++ b/pom.xml
-@@ -260,7 +260,6 @@
+@@ -266,7 +266,6 @@
          <module>extensions-contrib/druid-deltalake-extensions</module>
          <module>extensions-contrib/spectator-histogram</module>
          <module>extensions-contrib/rabbit-stream-indexing-service</module>
 -        <module>extensions-contrib/druid-ranger-security</module>
          <!-- distribution packaging -->
          <module>distribution</module>
-         <!-- Revised integration tests -->
+         <!-- more test stuff -->
diff --git a/druid/stackable/patches/34.0.0/0002-Include-Prometheus-emitter-in-distribution.patch b/druid/stackable/patches/37.0.0/0002-Include-Prometheus-emitter-in-distribution.patch
similarity index 93%
rename from druid/stackable/patches/34.0.0/0002-Include-Prometheus-emitter-in-distribution.patch
rename to druid/stackable/patches/37.0.0/0002-Include-Prometheus-emitter-in-distribution.patch
index d6a649fff..0fef4266a 100644
--- a/druid/stackable/patches/34.0.0/0002-Include-Prometheus-emitter-in-distribution.patch
+++ b/druid/stackable/patches/37.0.0/0002-Include-Prometheus-emitter-in-distribution.patch
@@ -1,4 +1,4 @@
-From c836d04ca08c6f341817096dcca7d8231c25ed66 Mon Sep 17 00:00:00 2001
+From bd9e330c263c4934fdf1db5aab9ebaad052e96a1 Mon Sep 17 00:00:00 2001
 From: xeniape <xenia.fischer@stackable.tech>
 Date: Mon, 22 Sep 2025 14:23:11 +0200
 Subject: Include Prometheus emitter in distribution
@@ -8,10 +8,10 @@ Subject: Include Prometheus emitter in distribution
  1 file changed, 46 insertions(+)
 
 diff --git a/distribution/pom.xml b/distribution/pom.xml
-index 7c2573fbd4..21954e8fb4 100644
+index 51ce7563ea..c238ef8946 100644
 --- a/distribution/pom.xml
 +++ b/distribution/pom.xml
-@@ -468,6 +468,52 @@
+@@ -457,5 +457,51 @@
                  </plugins>
              </build>
          </profile>
@@ -61,6 +61,5 @@ index 7c2573fbd4..21954e8fb4 100644
 +                </plugins>
 +            </build>
 +        </profile>
-         <profile>
-             <id>integration-test</id>
-             <activation>
+     </profiles>
+ </project>
diff --git a/druid/stackable/patches/34.0.0/0003-Stop-building-unused-extensions.patch b/druid/stackable/patches/37.0.0/0003-Stop-building-unused-extensions.patch
similarity index 86%
rename from druid/stackable/patches/34.0.0/0003-Stop-building-unused-extensions.patch
rename to druid/stackable/patches/37.0.0/0003-Stop-building-unused-extensions.patch
index 03de5eaca..b4cdb2c4a 100644
--- a/druid/stackable/patches/34.0.0/0003-Stop-building-unused-extensions.patch
+++ b/druid/stackable/patches/37.0.0/0003-Stop-building-unused-extensions.patch
@@ -1,4 +1,4 @@
-From 8a1e8f9c4eaa419bb59825e645cbacd0b4ec7d34 Mon Sep 17 00:00:00 2001
+From 62239df37ea08117560b9c57e5242bfe7fb8bdb2 Mon Sep 17 00:00:00 2001
 From: xeniape <xenia.fischer@stackable.tech>
 Date: Tue, 23 Sep 2025 09:31:00 +0200
 Subject: Stop building unused extensions.
@@ -11,19 +11,21 @@ extensions from the build.
  1 file changed, 29 deletions(-)
 
 diff --git a/pom.xml b/pom.xml
-index 829ddbd9e7..369550e166 100644
+index 6548d3a661..d252009bc4 100644
 --- a/pom.xml
 +++ b/pom.xml
-@@ -229,37 +229,8 @@
-         <module>extensions-core/testing-tools</module>
+@@ -235,37 +235,8 @@
+         <module>extensions-core/druid-testcontainers</module>
          <!-- Community extensions -->
          <module>extensions-contrib/compressed-bigdecimal</module>
 -        <module>extensions-contrib/influx-extensions</module>
 -        <module>extensions-contrib/cassandra-storage</module>
 -        <module>extensions-contrib/dropwizard-emitter</module>
 -        <module>extensions-contrib/cloudfiles-extensions</module>
+-        <module>extensions-contrib/consul-extensions</module>
 -        <module>extensions-contrib/graphite-emitter</module>
 -        <module>extensions-contrib/distinctcount</module>
+-        <module>extensions-contrib/druid-exact-count-bitmap</module>
 -        <module>extensions-contrib/statsd-emitter</module>
 -        <module>extensions-contrib/time-min-max</module>
 -        <module>extensions-contrib/virtual-columns</module>
@@ -33,8 +35,6 @@ index 829ddbd9e7..369550e166 100644
          <module>extensions-contrib/kafka-emitter</module>
 -        <module>extensions-contrib/redis-cache</module>
 -        <module>extensions-contrib/opentsdb-emitter</module>
--        <module>extensions-contrib/materialized-view-maintenance</module>
--        <module>extensions-contrib/materialized-view-selection</module>
 -        <module>extensions-contrib/momentsketch</module>
 -        <module>extensions-contrib/moving-average-query</module>
 -        <module>extensions-contrib/tdigestsketch</module>
@@ -51,4 +51,4 @@ index 829ddbd9e7..369550e166 100644
 -        <module>extensions-contrib/rabbit-stream-indexing-service</module>
          <!-- distribution packaging -->
          <module>distribution</module>
-         <!-- Revised integration tests -->
+         <!-- more test stuff -->
diff --git a/druid/stackable/patches/34.0.0/0005-Include-jackson-dataformat-xml-dependency.patch b/druid/stackable/patches/37.0.0/0004-Include-jackson-dataformat-xml-dependency.patch
similarity index 84%
rename from druid/stackable/patches/34.0.0/0005-Include-jackson-dataformat-xml-dependency.patch
rename to druid/stackable/patches/37.0.0/0004-Include-jackson-dataformat-xml-dependency.patch
index 87678a6f1..5a946ba9b 100644
--- a/druid/stackable/patches/34.0.0/0005-Include-jackson-dataformat-xml-dependency.patch
+++ b/druid/stackable/patches/37.0.0/0004-Include-jackson-dataformat-xml-dependency.patch
@@ -1,4 +1,4 @@
-From 602c632042726fb4f71302d18144b540df8b42e9 Mon Sep 17 00:00:00 2001
+From 63a7e2865e5d21eb0be7474287101e1fd66325e6 Mon Sep 17 00:00:00 2001
 From: xeniape <xenia.fischer@stackable.tech>
 Date: Tue, 23 Sep 2025 09:42:41 +0200
 Subject: Include jackson-dataformat-xml dependency.
@@ -12,12 +12,12 @@ build.
  1 file changed, 5 insertions(+)
 
 diff --git a/server/pom.xml b/server/pom.xml
-index fbe2a2a480..f099199c01 100644
+index 06f26c6da6..79e0dafe5f 100644
 --- a/server/pom.xml
 +++ b/server/pom.xml
-@@ -218,6 +218,11 @@
+@@ -212,6 +212,11 @@
+             <groupId>org.checkerframework</groupId>
              <artifactId>checker-qual</artifactId>
-             <version>${checkerframework.version}</version>
          </dependency>
 +        <dependency>
 +          <!-- This is an optional dependency of log4j which is needed to use XmlLayout -->
diff --git a/druid/stackable/patches/34.0.0/0006-Stop-building-the-tar.gz-distribution.patch b/druid/stackable/patches/37.0.0/0005-Stop-building-the-tar.gz-distribution.patch
similarity index 89%
rename from druid/stackable/patches/34.0.0/0006-Stop-building-the-tar.gz-distribution.patch
rename to druid/stackable/patches/37.0.0/0005-Stop-building-the-tar.gz-distribution.patch
index ab78fdd3a..9ff82e926 100644
--- a/druid/stackable/patches/34.0.0/0006-Stop-building-the-tar.gz-distribution.patch
+++ b/druid/stackable/patches/37.0.0/0005-Stop-building-the-tar.gz-distribution.patch
@@ -1,4 +1,4 @@
-From 781c8de56f5b6f0d050133f268cff7f9a1bceec9 Mon Sep 17 00:00:00 2001
+From 855139430282a4d12ffdad20d62ce9753a236b38 Mon Sep 17 00:00:00 2001
 From: xeniape <xenia.fischer@stackable.tech>
 Date: Tue, 23 Sep 2025 09:42:51 +0200
 Subject: Stop building the tar.gz distribution.
@@ -10,7 +10,7 @@ again. So, instead we just skip the compression step entirely.
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/distribution/src/assembly/assembly.xml b/distribution/src/assembly/assembly.xml
-index ff8e0d2fdd..f9daa49e21 100644
+index 2b510ea85d..0fe10032ca 100644
 --- a/distribution/src/assembly/assembly.xml
 +++ b/distribution/src/assembly/assembly.xml
 @@ -23,7 +23,7 @@
diff --git a/druid/stackable/patches/37.0.0/0006-Update-CycloneDX-plugin.patch b/druid/stackable/patches/37.0.0/0006-Update-CycloneDX-plugin.patch
new file mode 100644
index 000000000..9950ee706
--- /dev/null
+++ b/druid/stackable/patches/37.0.0/0006-Update-CycloneDX-plugin.patch
@@ -0,0 +1,22 @@
+From 89b19164bcae17bc8f12794afcaa13aa8f14a6ed Mon Sep 17 00:00:00 2001
+From: Nick Larsen <nick.larsen@stackable.tech>
+Date: Tue, 16 Jun 2026 13:18:46 +0200
+Subject: Update CycloneDX plugin
+
+---
+ pom.xml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pom.xml b/pom.xml
+index d252009bc4..a4a8f0e1e8 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -1969,7 +1969,7 @@
+             <plugin>
+                 <groupId>org.cyclonedx</groupId>
+                 <artifactId>cyclonedx-maven-plugin</artifactId>
+-                <version>2.7.9</version>
++                <version>2.9.1</version>
+                 <executions>
+                     <execution>
+                         <phase>package</phase>
diff --git a/druid/stackable/patches/34.0.0/0009-Update-FMPP-version.patch b/druid/stackable/patches/37.0.0/0007-Update-FMPP-version.patch
similarity index 88%
rename from druid/stackable/patches/34.0.0/0009-Update-FMPP-version.patch
rename to druid/stackable/patches/37.0.0/0007-Update-FMPP-version.patch
index baf268458..f1bc69b1b 100644
--- a/druid/stackable/patches/34.0.0/0009-Update-FMPP-version.patch
+++ b/druid/stackable/patches/37.0.0/0007-Update-FMPP-version.patch
@@ -1,4 +1,4 @@
-From a520812e38cad3613b1b1a096cd0fc8ef7e420c7 Mon Sep 17 00:00:00 2001
+From 289ac13b8e8b2f4b43b1db6b39a52b1df07cf260 Mon Sep 17 00:00:00 2001
 From: xeniape <xenia.fischer@stackable.tech>
 Date: Tue, 23 Sep 2025 09:43:41 +0200
 Subject: Update FMPP version
@@ -12,10 +12,10 @@ which we don't want.
  1 file changed, 7 insertions(+)
 
 diff --git a/sql/pom.xml b/sql/pom.xml
-index 1fe6cf3389..02db6e49fb 100644
+index d62a265bbf..b8c07203bb 100644
 --- a/sql/pom.xml
 +++ b/sql/pom.xml
-@@ -364,6 +364,13 @@
+@@ -382,6 +382,13 @@
        <plugin>
          <groupId>com.googlecode.fmpp-maven-plugin</groupId>
          <artifactId>fmpp-maven-plugin</artifactId>
diff --git a/druid/stackable/patches/37.0.0/0008-Stop-building-the-embedded-integration-tests.patch b/druid/stackable/patches/37.0.0/0008-Stop-building-the-embedded-integration-tests.patch
new file mode 100644
index 000000000..b7b729cf4
--- /dev/null
+++ b/druid/stackable/patches/37.0.0/0008-Stop-building-the-embedded-integration-tests.patch
@@ -0,0 +1,21 @@
+From 1f518eb907c67a2c2e4556f6797d0033add57cb2 Mon Sep 17 00:00:00 2001
+From: Techassi <git@techassi.dev>
+Date: Wed, 21 Jan 2026 11:32:20 +0100
+Subject: Stop building the embedded integration tests
+
+---
+ pom.xml | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/pom.xml b/pom.xml
+index a4a8f0e1e8..73ce663463 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -241,7 +241,6 @@
+         <module>distribution</module>
+         <!-- more test stuff -->
+         <module>quidem-ut</module>
+-        <module>embedded-tests</module>
+     </modules>
+ 
+     <repositories>
diff --git a/druid/stackable/patches/37.0.0/0009-feat-add-configurable-clientAuthenticationMethod-to-.patch b/druid/stackable/patches/37.0.0/0009-feat-add-configurable-clientAuthenticationMethod-to-.patch
new file mode 100644
index 000000000..d22cb12d9
--- /dev/null
+++ b/druid/stackable/patches/37.0.0/0009-feat-add-configurable-clientAuthenticationMethod-to-.patch
@@ -0,0 +1,121 @@
+From 4eb28b98f7def7350db05b1e14a92fc5de80af63 Mon Sep 17 00:00:00 2001
+From: dervoeti <lukas.krug@stackable.tech>
+Date: Thu, 5 Feb 2026 15:00:23 +0100
+Subject: feat: add configurable clientAuthenticationMethod to druid-pac4j OIDC
+ config
+
+---
+ .../druid/security/pac4j/OIDCConfig.java      | 13 ++++++++-
+ .../security/pac4j/Pac4jAuthenticator.java    |  5 ++++
+ .../druid/security/pac4j/OIDCConfigTest.java  | 28 +++++++++++++++++++
+ 3 files changed, 45 insertions(+), 1 deletion(-)
+
+diff --git a/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/OIDCConfig.java b/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/OIDCConfig.java
+index 50b04455db..d83e04717a 100644
+--- a/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/OIDCConfig.java
++++ b/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/OIDCConfig.java
+@@ -44,13 +44,17 @@ public class OIDCConfig
+   @JsonProperty
+   private final String scope;
+ 
++  @JsonProperty
++  private final String clientAuthenticationMethod;
++
+   @JsonCreator
+   public OIDCConfig(
+       @JsonProperty("clientID") String clientID,
+       @JsonProperty("clientSecret") PasswordProvider clientSecret,
+       @JsonProperty("discoveryURI") String discoveryURI,
+       @JsonProperty("oidcClaim") String oidcClaim,
+-      @JsonProperty("scope") @Nullable String scope
++      @JsonProperty("scope") @Nullable String scope,
++      @JsonProperty("clientAuthenticationMethod") @Nullable String clientAuthenticationMethod
+   )
+   {
+     this.clientID = Preconditions.checkNotNull(clientID, "null clientID");
+@@ -58,6 +62,7 @@ public class OIDCConfig
+     this.discoveryURI = Preconditions.checkNotNull(discoveryURI, "null discoveryURI");
+     this.oidcClaim = oidcClaim == null ? DEFAULT_SCOPE : oidcClaim;
+     this.scope = scope;
++    this.clientAuthenticationMethod = clientAuthenticationMethod;
+   }
+ 
+   @JsonProperty
+@@ -89,4 +94,10 @@ public class OIDCConfig
+   {
+     return scope;
+   }
++
++  @JsonProperty
++  public String getClientAuthenticationMethod()
++  {
++    return clientAuthenticationMethod;
++  }
+ }
+diff --git a/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jAuthenticator.java b/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jAuthenticator.java
+index ef30f4c7e6..59a6fa0782 100644
+--- a/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jAuthenticator.java
++++ b/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jAuthenticator.java
+@@ -27,6 +27,7 @@ import com.google.common.base.Supplier;
+ import com.google.common.base.Suppliers;
+ import com.google.common.primitives.Ints;
+ import com.google.inject.Provider;
++import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
+ import com.nimbusds.oauth2.sdk.http.HTTPRequest;
+ import org.apache.druid.server.security.AuthenticationResult;
+ import org.apache.druid.server.security.Authenticator;
+@@ -132,6 +133,10 @@ public class Pac4jAuthenticator implements Authenticator
+     oidcConf.setSecret(oidcConfig.getClientSecret().getPassword());
+     oidcConf.setDiscoveryURI(oidcConfig.getDiscoveryURI());
+     oidcConf.setScope(oidcConfig.getScope());
++    if (oidcConfig.getClientAuthenticationMethod() != null) {
++      oidcConf.setClientAuthenticationMethod(
++          ClientAuthenticationMethod.parse(oidcConfig.getClientAuthenticationMethod()));
++    }
+     oidcConf.setExpireSessionWithToken(true);
+     oidcConf.setUseNonce(true);
+     oidcConf.setReadTimeout(Ints.checkedCast(pac4jCommonConfig.getReadTimeout().getMillis()));
+diff --git a/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/OIDCConfigTest.java b/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/OIDCConfigTest.java
+index c4192c020d..0b6128e61b 100644
+--- a/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/OIDCConfigTest.java
++++ b/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/OIDCConfigTest.java
+@@ -46,6 +46,7 @@ public class OIDCConfigTest
+     Assert.assertEquals("testdiscoveryuri", conf.getDiscoveryURI());
+     Assert.assertEquals("name", conf.getOidcClaim());
+     Assert.assertEquals("testscope", conf.getScope());
++    Assert.assertNull(conf.getClientAuthenticationMethod());
+   }
+ 
+   @Test
+@@ -72,4 +73,31 @@ public class OIDCConfigTest
+     Assert.assertEquals("email", conf.getOidcClaim());
+     Assert.assertEquals("testscope", conf.getScope());
+   }
++
++  @Test
++  public void testSerdeWithClientAuthenticationMethod() throws Exception
++  {
++    ObjectMapper jsonMapper = new ObjectMapper();
++
++    String jsonStr = "{\n"
++                     + "  \"clientID\": \"testid\",\n"
++                     + "  \"clientSecret\": \"testsecret\",\n"
++                     + "  \"discoveryURI\": \"testdiscoveryuri\",\n"
++                     + "  \"oidcClaim\": \"email\",\n"
++                     + "  \"scope\": \"testscope\",\n"
++                     + "  \"clientAuthenticationMethod\": \"client_secret_post\"\n"
++                     + "}\n";
++
++    OIDCConfig conf = jsonMapper.readValue(
++        jsonMapper.writeValueAsString(jsonMapper.readValue(jsonStr, OIDCConfig.class)),
++        OIDCConfig.class
++    );
++
++    Assert.assertEquals("testid", conf.getClientID());
++    Assert.assertEquals("testsecret", conf.getClientSecret().getPassword());
++    Assert.assertEquals("testdiscoveryuri", conf.getDiscoveryURI());
++    Assert.assertEquals("email", conf.getOidcClaim());
++    Assert.assertEquals("testscope", conf.getScope());
++    Assert.assertEquals("client_secret_post", conf.getClientAuthenticationMethod());
++  }
+ }
diff --git a/druid/stackable/patches/34.0.0/patchable.toml b/druid/stackable/patches/37.0.0/patchable.toml
similarity index 51%
rename from druid/stackable/patches/34.0.0/patchable.toml
rename to druid/stackable/patches/37.0.0/patchable.toml
index c079a70cf..4bdbbe8ae 100644
--- a/druid/stackable/patches/34.0.0/patchable.toml
+++ b/druid/stackable/patches/37.0.0/patchable.toml
@@ -1,2 +1,2 @@
 mirror = "https://github.com/stackabletech/druid.git"
-base = "aa107ecd801a1f1c31e9965ee020f2cea9bda613"
+base = "b206640c830bc2c3bdc2867cfb317c902a0e1acb"