Drupal Urges Immediate Core Security Updates to Safeguard Websites
Drupal, the widely used PHP-based content management system (CMS), has announced a critical security release scheduled for May 20, 2026, between 5 and 9 p.m. UTC. The Drupal Security Team emphasizes the urgency of this update, cautioning that exploits could emerge within hours or days following the release.
Website administrators are strongly advised to allocate time during the specified window to assess their sites’ configurations and apply necessary updates promptly. While not all setups may be affected, it’s crucial to determine if immediate action is required. The forthcoming advisory will provide detailed mitigation information.
To ensure a smooth update process, Drupal recommends that sites running supported versions upgrade to the latest patch before the release date. This proactive step allows administrators to address any existing upgrade issues ahead of time.
Patches will be available for the following supported branches of Drupal core:
– 11.3.x
– 11.2.x
– 10.6.x
– 10.5.x
Sites operating on these versions should update to the latest patch release within their respective branches in preparation for the security update.
The specific details of the security vulnerability have not been disclosed at this time. However, the severity is underscored by Drupal’s decision to provide updates for end-of-life minor core versions, including 11.1.x and 10.4.x. Administrators of sites running these versions should take the following actions:
– Sites on Drupal 11.1 or 11.0 should update to at least Drupal 11.1.9.
– Sites on Drupal 10.4, 10.3, 10.2, 10.1, or 10.0 should update to at least Drupal 10.4.9.
By applying these updates as soon as they are released on May 20, sites can mitigate potential vulnerabilities. It’s also advisable to plan for an upgrade to Drupal 11.3 or 10.6 in the near future to maintain optimal security.
For sites still operating on end-of-life major core versions, such as Drupal 8 and 9, manual application of patch files for Drupal 8.9 and 9.5 will be necessary. Drupal warns that while these patches may help mitigate vulnerabilities temporarily, there is no guarantee of their effectiveness, and they could introduce other issues or regressions.
Drupal strongly recommends that sites running Drupal 8 or 9 upgrade to at least Drupal 10.6 promptly. These older versions contain numerous previously disclosed security vulnerabilities that will not be addressed by Drupal Steward or the best-effort patch files.
Notably, Drupal 7 is not affected by the current security issue. However, sites on any version of Drupal 9 are advised to update to 9.5.11, and those on any version of Drupal 8 should update to Drupal 8.9.20 to ensure continued security.
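The version guidance above, applied as a triage pass over a site inventory. This is an added example, not code from Drupal or from the advisory; the status labels, function names and sample inventory are constructed for illustration, and only the branch list and minimum releases come from the article.

```python
import re

# Branches and minimum releases as listed in the article above.
SUPPORTED = {(11, 3), (11, 2), (10, 6), (10, 5)}
EOL_FLOOR = {11: (11, 1, 9), 10: (10, 4, 9), 9: (9, 5, 11), 8: (8, 9, 20)}

def parse(version):
    """'10.4.7' -> (10, 4, 7); '10.5.x-dev' -> (10, 5, None); '7.98' -> (7, 98, None)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+|x))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised core version: {version!r}")
    patch = m.group(3)
    return int(m.group(1)), int(m.group(2)), (int(patch) if patch and patch != "x" else None)

def triage(version):
    """Return (status, target) for one installed core version."""
    major, minor, patch = parse(version)
    if major == 7:
        return ("not-affected", None)
    if (major, minor) in SUPPORTED:
        # Move to the newest patch release in this branch before May 20.
        return ("supported-branch", f"{major}.{minor}.x")
    floor = EOL_FLOOR.get(major)
    if floor is None or (major, minor) > floor[:2]:
        return ("not-covered", None)  # branch the article gives no guidance for
    target = "%d.%d.%d" % floor
    at_floor = patch is not None and (major, minor, patch) >= floor
    if major in (8, 9):
        # End-of-life majors: reach the floor, then apply the patch file by hand.
        return ("manual-patch" if at_floor else "update-then-manual-patch", target)
    return ("eol-minor-ready" if at_floor else "update-eol-minor", target)

def triage_inventory(inventory):
    """Map each site name to its (status, target)."""
    return {site: triage(ver) for site, ver in inventory.items()}

# Constructed sample inventory (site name -> installed core version).
SAMPLE = {
    "intranet": "10.3.14",
    "shop": "11.1.9",
    "blog": "10.5.x-dev",
    "archive": "9.4.3",
    "legacy": "7.98",
}

if __name__ == "__main__":
    for site, (status, target) in triage_inventory(SAMPLE).items():
        print(f"{site:10} {status:26} {target or '-'}")
```

A status of eol-minor-ready or manual-patch means the site already sits at the stated minimum, so only the May 20 release or the patch file remains to be applied.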