Drupal Is Pushing an Emergency Security Update Tomorrow. If You Run a Drupal Site, This Is Not One to Miss.
Something significant is coming out of the Drupal project tomorrow, and the way the announcement is worded should be enough to get any site administrator’s attention.
The Drupal Security Team has confirmed it will release a core security update for all supported branches on May 20, between 5 and 9 p.m. UTC. The type of vulnerability has not been disclosed, standard practice before a coordinated release, but the language around it is unusually direct.
“The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days.” reads the advisory.
“Not all configurations are affected. Reserve time on May 20 during the release window to determine whether your sites are affected and in need of an immediate update. Mitigation information will be included in the advisory.”
When maintainers of a project of this size use that kind of language, it means the underlying issue is serious enough that the window between patch release and active exploitation could be very short.
Drupal powers a significant portion of the web: government sites, universities, media organizations, enterprise portals. A critical flaw in the CMS core is the kind of thing that moves quickly once it becomes public, which is exactly why the team is asking administrators to block out time tomorrow rather than getting to it later in the week.
Patches will be available for the four currently supported branches: 11.3.x, 11.2.x, 10.6.x, and 10.5.x. If you are running any of these, the recommendation is to update to the latest patch release for your branch right now, before the security window opens, so that any pre-existing upgrade issues are out of the way and you can apply the security fix cleanly as soon as it drops.
For sites running end-of-life minor versions, Drupal is going a step further than usual by providing best-effort patch releases for 11.1.x and 10.4.x as well. Sites on Drupal 11.1 or 11.0 should move to at least 11.1.9 before tomorrow. Sites on any 10.4, 10.3, 10.2, 10.1, or 10.0 branch should be on at least 10.4.9. The idea is to get as close to a supported state as possible before the security update lands, then apply it immediately and plan a full upgrade to 11.3 or 10.6 shortly after.
However, experts warn that Drupal 8 and 9 are both end-of-life, and the project has been direct about the situation.
Manual patch files for Drupal 8.9 and 9.5 will be made available, and they may help reduce exposure, but there is no guarantee they will apply cleanly or that they will not introduce new problems in the process.
“We strongly recommend Drupal 8 or 9 sites update to at least Drupal 10.6 soon. Drupal 8 and 9 include numerous other, previously disclosed, security vulnerabilities that will not be addressed by either Drupal Steward or the best-effort patch files.” continues the advisory. “Drupal 7 is not affected.”
Sites on Drupal 8 should be on 8.9.20, and those on Drupal 9 should be on 9.5.11 before attempting to apply anything. But the honest advice here is that running either of these versions in 2026 means carrying a growing backlog of unpatched vulnerabilities that tomorrow’s release will not touch. The path forward is an upgrade to at least version 10.6, and the sooner the better.
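The version guidance above, written out as a triage script for a site inventory. This is an added example, not code from the Drupal project or the advisory; the function names, tier labels and sample inventory are assumptions, and only the branch lists and minimum versions are taken from the article.

```python
import re

# Branch lists and version floors come from the article text; the function
# names, tier labels and sample inventory are constructed for this example.
SUPPORTED = {(11, 3), (11, 2), (10, 6), (10, 5)}
FLOORS = {  # major -> (minimum version to reach first, kind of fix offered)
    11: ((11, 1, 9), "best-effort"),
    10: ((10, 4, 9), "best-effort"),
    9: ((9, 5, 11), "manual-patch"),
    8: ((8, 9, 20), "manual-patch"),
}

def parse_version(text):
    """Return (major, minor, patch) as ints; suffixes such as -dev are ignored."""
    m = re.match(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Drupal core version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def triage(version):
    """Classify one installed core version according to the article's guidance."""
    v = parse_version(version)
    branch = v[:2]
    if v[0] == 7:
        return "not-affected"
    if branch in SUPPORTED:
        return "supported"  # update to the branch's latest patch release now
    floor, kind = FLOORS.get(v[0], (None, None))
    if floor is None or branch > floor[:2]:
        return "unknown"  # not covered by the article; check the advisory
    # Tuple comparison is numeric, so 10.4.10 correctly ranks above 10.4.9,
    # which a plain string comparison would get wrong.
    state = "ready" if v >= floor else "below-floor"
    return f"{kind}-{state}"

def triage_inventory(inventory):
    """Return {site: tier} for a {site: version} mapping."""
    return {site: triage(version) for site, version in inventory.items()}

# Constructed sample inventory (site names and versions are made up).
SAMPLE = {"portal": "11.3.1", "intranet": "10.4.10", "shop": "10.2.7",
          "docs": "11.0.4", "blog": "9.5.2", "archive": "7.103"}

if __name__ == "__main__":
    for site, tier in sorted(triage_inventory(SAMPLE).items()):
        print(f"{site:10} {SAMPLE[site]:10} {tier}")
```

A "below-floor" result means the site should first reach the minimum version the article names for its major version; "manual-patch" tiers are the end-of-life Drupal 8 and 9 cases, where the article's advice is to upgrade to at least 10.6.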
Organizations should be prepared to deploy the upcoming security update as soon as it becomes available. Those still running older Drupal 8 or 9 installations should also treat this as a clear warning to plan upgrades quickly, since the security risks tied to unsupported or aging versions will continue to grow over time.
(SecurityAffairs – hacking, Emergency Security Update)
