Drupal, the popular open-source content management system (CMS), has issued an urgent alert regarding an upcoming “core security release” scheduled for May 20, 2026, between 5-9 p.m. UTC. This critical update is designed to address a significant vulnerability that could have widespread implications for websites built on the platform. The Drupal Security Team strongly advises all users of supported Drupal branches to allocate time for immediate updates, as exploits for this issue could emerge rapidly.
The exact nature of the vulnerability has not been disclosed, but the proactive announcement and the broad scope of affected versions suggest it is a severe threat. Drupal maintainers have emphasized that not all configurations will be impacted, but users must verify their specific site status during the specified release window. Mitigation information will be provided with the advisory. To prepare, it is highly recommended to update to the latest available patch for your current Drupal version before the deadline to resolve any existing upgrade issues.
Drupal Security Release and Affected Branches
The upcoming security patches will be available for the following supported branches of Drupal core: 11.3.x, 11.2.x, 10.6.x, and 10.5.x. Drupal is urging users on these versions to apply the latest patch immediately in anticipation of the security window. This proactive approach aims to ensure a smoother and more secure transition once the critical update is deployed. Websites running on these supported versions are encouraged to act now to prevent potential downtime or security breaches.
For those operating on end-of-life minor core versions, Drupal is releasing specific versions to address the vulnerability. Users with Drupal 11.1 or 11.0 websites should update to at least Drupal 11.1.9. Similarly, sites running Drupal 10.4, 10.3, 10.2, 10.1, or 10.0 are advised to update to at least Drupal 10.4.9. The intention is for these sites to apply the security update as soon as it becomes available on May 20 and subsequently upgrade to a fully supported version like Drupal 11.3 or 10.6 in the near future.
Addressing End-of-Life and Older Drupal Versions
Drupal has also issued guidance for websites running older, end-of-life major core versions, such as Drupal 8 and 9. For these legacy systems, manual application of patch files for Drupal 8.9 and 9.5 will be necessary. However, Drupal cautions that the effectiveness of these patches cannot be guaranteed, and they may introduce other issues or regressions. Despite these caveats, the provided patches may offer some mitigation against the vulnerability until an upgrade to a supported release can be completed.
The company strongly recommends that all Drupal 8 and 9 sites transition to at least Drupal 10.6 as soon as possible. It’s important to note that Drupal 8 and 9 contain numerous other previously disclosed security vulnerabilities that will not be addressed by these specific best-effort patch files. Drupal 7, meanwhile, is not affected by this particular security issue. For those on Drupal 9, an update to 9.5.11 is advised, while Drupal 8 users should update to Drupal 8.9.20.
The Drupal community anticipates potential exploitation of this vulnerability shortly after its release. Therefore, prompt action is crucial. Users should monitor official Drupal security advisories for the most current information and guidance. The next expected step for site administrators is to prepare their systems for the update and to execute the patching process within the designated window on May 20. The long-term strategy should involve upgrading to the latest stable Drupal versions to leverage ongoing security support and benefit from the platform’s continuous development.