Drupal to Release Urgent Core Security Updates on May 20, Sites Told to Prepare
Source: The Hacker News
Release Details
Drupal has issued an alert that a core security release will be deployed for all supported branches on May 20 2026, between 5 – 9 p.m. UTC.
“The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days,” the maintainers of the PHP‑based content management system said.
“Not all configurations are affected. Reserve time on May 20 during the release window to determine whether your sites are affected and in need of an immediate update. Mitigation information will be included in the advisory.”
It is recommended to update to the latest supported patch for your site’s version of Drupal before the deadline so any outstanding upgrade issues can be addressed.
Affected Branches
Patches are expected for the following supported branches of Drupal core:
- 11.3.x
- 11.2.x
- 10.6.x
- 10.5.x
“Sites on one of these supported versions should update to the latest patch release for the given branch now in preparation for the security window,” Drupal said.
Update Recommendations
The exact nature of the security issue is not yet disclosed, but it is expected to be severe. Drupal is providing back‑ported releases for sites running end‑of‑life minor core versions.
- Drupal 11.1 or 11.0 → update to at least Drupal 11.1.9.
- Drupal 10.4, 10.3, 10.2, 10.1, or 10.0 → update to at least Drupal 10.4.9.
The goal is for these sites to apply the security update as soon as it is released on May 20, then upgrade to Drupal 11.3 or 10.6 in the near future.
End‑of‑Life Versions
For sites still on end‑of‑life major core versions (Drupal 8 and 9), patch files for Drupal 8.9 and 9.5 will need to be applied manually. Drupal warns that these patches are best‑effort and may not work correctly, potentially introducing regressions.
“However, they may help mitigate the vulnerability for sites still on these old major versions until they upgrade to a supported release,” Drupal said.
Recommendations:
- Drupal 8 sites → update to Drupal 8.9.20.
- Drupal 9 sites → update to Drupal 9.5.11.
- Strongly recommend upgrading to at least Drupal 10.6 soon, as Drupal 8 and 9 contain numerous other disclosed security vulnerabilities that will not be addressed by the patches.
Drupal also noted that Drupal 7 is not affected by this issue.