Drupal has announced a planned release of a core security update for all supported branches, scheduled for May 20, 2026, in the 17:00–21:00 UTC window. The Drupal security team has warned that exploits may appear within hours or days after publication and urged administrators to reserve time for immediate updating. The affected branches are Drupal 11.3.x, 11.2.x, 10.6.x, and 10.5.x, as well as—by way of exception—outdated minor versions. Drupal 7 is reportedly not affected by this issue.
What is known about the vulnerability
The exact nature of the vulnerability has not yet been disclosed; neither a CVE identifier nor a CVSS score is available. Several indirect signs, however, suggest that the issue is highly severe:
- Drupal has taken the unusual step of releasing patches for the outdated minor branches 11.1.x and 10.4.x, which no longer receive regular support.
- The security team explicitly warned about the possibility of exploits appearing quickly after the details are published.
- For sites running fully end-of-life major versions (Drupal 8 and 9), manual patches have been prepared—a measure used only in cases of serious threats.
According to the official Drupal release schedule page, not all configurations are vulnerable. Information on mitigation methods will be included in the security advisory to be published on the day the patch is released.
Affected versions and target updates
Patches are expected for the following supported Drupal core branches:
- 11.3.x
- 11.2.x
- 10.6.x
- 10.5.x
For sites on outdated minor versions, Drupal has provided the following pre-update recommendations:
- Sites running Drupal 11.1 or 11.0 — update to at least Drupal 11.1.9.
- Sites running Drupal 10.4, 10.3, 10.2, 10.1, or 10.0 — update to at least Drupal 10.4.9.
- Sites running any version of Drupal 9 — update to 9.5.11.
- Sites running any version of Drupal 8 — update to 8.9.20.
For Drupal 8.9 and 9.5, patch files will be provided that must be applied manually. Drupal has warned that there is no guarantee these fixes will work correctly—they may lead to regressions or other issues. Nevertheless, the patches are reported to help mitigate the vulnerability until migration to a supported version is completed.
Impact assessment
Drupal remains one of the most widely used enterprise-grade CMS platforms, broadly adopted by government agencies, educational institutions, and large enterprises. The decision to release patches even for long end-of-life versions indicates that the security team considers the potential impact to be significant.
Of particular concern is the situation with sites running Drupal 8 and 9. Drupal has explicitly stated that these major versions contain numerous previously disclosed vulnerabilities that will not be addressed either by the Drupal Steward program or by the provided patches. This means that even after applying the emergency fix, such sites will remain vulnerable to other known attacks.
Practical recommendations
To minimize risk before and during the May 20 update window, the following sequence of actions is recommended:
- Before May 20: update the site to the latest available patch for your Drupal branch. This will allow you to eliminate potential compatibility issues in advance and simplify the application of the security update.
- May 20, 17:00–21:00 UTC: monitor the publication of the security advisory on the Drupal release schedule page. Determine whether your configuration is affected and apply the patch immediately.
- For sites on Drupal 8 and 9: apply the manual patches for versions 8.9 and 9.5 respectively, but plan migration to Drupal 10.6 or later in the near term.
- After updating: sites on outdated minor versions (11.1.x, 10.4.x) should migrate to supported branches—Drupal 11.3 or 10.6—as soon as possible.
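An added triage helper (example code, not from Drupal or the announcement): it reads the `drupal/core` version from a site's `composer.lock` and maps it onto the branches and minimum versions quoted above, so a fleet of sites can be sorted into "update now", "reach the pre-update minimum" and "manual patch plus migration" before the window opens. The lock fragment is constructed, and the thresholds should be re-checked against the advisory when it is published.

```python
# Added example (not Drupal's code): triage a site's core version against the announcement.
import json
import re

# Branches that receive the regular security release on May 20.
SUPPORTED_BRANCHES = {(11, 3), (11, 2), (10, 6), (10, 5)}
# Outdated minor branches and the version to be on before May 20 (exceptional patches follow).
OUTDATED_MINOR_MINIMUM = {(11, 1): "11.1.9", (11, 0): "11.1.9", (10, 4): "10.4.9",
                          (10, 3): "10.4.9", (10, 2): "10.4.9", (10, 1): "10.4.9", (10, 0): "10.4.9"}
# End-of-life majors and the version the manual patch file is prepared against.
EOL_MAJOR_MINIMUM = {9: "9.5.11", 8: "8.9.20"}

def parse_version(version):
    """Turn '10.4.3', 'v11.2.0' or '7.98' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^v?(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Drupal core version: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def core_version_from_lock(lock_text):
    """Return the locked drupal/core version from composer.lock JSON, or None if absent."""
    for pkg in json.loads(lock_text).get("packages", []):
        if pkg.get("name") == "drupal/core":
            return pkg.get("version")
    return None

def triage(version):
    """Classify a core version; the second element is the minimum version still to reach."""
    major, minor, _ = parse_version(version)
    if major == 7:
        return "not-affected", None
    if (major, minor) in SUPPORTED_BRANCHES:
        return "supported", None  # update to latest patch now, apply the release on May 20
    target = OUTDATED_MINOR_MINIMUM.get((major, minor)) or EOL_MAJOR_MINIMUM.get(major)
    if target is None:
        return "unknown", None  # branch not covered by the announcement
    status = "outdated-minor" if (major, minor) in OUTDATED_MINOR_MINIMUM else "eol-major"
    still_below = parse_version(version) < parse_version(target)
    return status, (target if still_below else None)

# Constructed composer.lock fragment standing in for a real site's lock file.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "drupal/core", "version": "10.2.7"},
    {"name": "drupal/core-recommended", "version": "10.2.7"},
]})

if __name__ == "__main__":
    ver = core_version_from_lock(SAMPLE_LOCK)
    print(ver, triage(ver))  # 10.2.7 ('outdated-minor', '10.4.9')
```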
Administrators of sites on supported Drupal 10.x and 11.x branches should update the core to the latest patch of their current branch now, and on May 20 promptly apply the security update within the announced window. For sites on Drupal 8 and 9, it is critical not to rely solely on the emergency patch, but to begin planning a full migration to Drupal 10.6 or newer—only this will provide protection against the accumulated security-related technical debt.