Drupal has announced an emergency core security release scheduled for today, May 20, 2026, between 17:00 and 21:00 UTC. The vulnerability affects Drupal core versions 8 and later. Because exploits are expected to be weaponized within hours of the disclosure, administrators should immediately schedule maintenance windows to apply the incoming patches.
Vulnerability Scope & Affected Versions
While specific configuration requirements haven’t been disclosed, the vulnerability exists in Drupal Core 8.x and later.
Official security updates will be provided for the following active and legacy branches:
Drupal 11: 11.3.x, 11.2.x, and 11.1.x (will be patched to 11.1.9)
Drupal 10: 10.6.x, 10.5.x, and 10.4.x (will be patched to 10.4.9)
End-of-Life (EOL) Exceptions
Due to the severity and high exploitation risk of this flaw, the Drupal Security Team is breaking standard protocol to provide hotfixes for EOL versions:
Drupal 9.5: Backported hotfix available for version 9.5.11.
Drupal 8.9: Backported hotfix available for version 8.9.20.
Note: Lower minor versions of Drupal 8 and 9 will not receive patches.
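To prepare for the patch window, the branch list above can be turned into a fleet triage step. The following shell sketch is an added example, not code from Drupal or the Drupal Security Team; the category names, the `site version` inventory format and the sample sites are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: category names and the inventory format are made up here.
# Versions can be collected per site with e.g. `drush status --field=drupal-version`.

# Print the triage category for one Drupal core version string.
classify_drupal_version() {
  v=${1%%[-+]*}                      # drop suffixes such as -dev or -rc1
  major=${v%%.*}
  rest=${v#*.}
  [ "$rest" = "$v" ] && rest=""      # no dot at all: there is no minor part
  minor=${rest%%.*}
  case "$major" in ''|*[!0-9]*) echo unparseable; return 0 ;; esac
  case "$minor" in ''|*[!0-9]*) echo unparseable; return 0 ;; esac
  case "$major.$minor" in
    11.[123]|10.[456]) echo core-release ;;        # branches listed for the core update
    9.5)     echo eol-hotfix-9.5.11 ;;             # hotfix the page names for 9.5.11
    8.9)     echo eol-hotfix-8.9.20 ;;             # hotfix the page names for 8.9.20
    8.*|9.*) echo eol-no-patch ;;                  # lower 8.x/9.x minors get nothing
    *) if [ "$major" -lt 8 ]; then echo below-stated-scope
       else echo branch-not-listed; fi ;;          # e.g. 10.3: not in the page's list
  esac
}

# Read "site version" lines on stdin, print site, version and category (tab-separated).
triage_inventory() {
  while read -r site version; do
    case "$site" in ''|'#'*) continue ;; esac
    printf '%s\t%s\t%s\n' "$site" "$version" "$(classify_drupal_version "$version")"
  done
}

# Constructed sample inventory (hypothetical site names).
sample_inventory() {
  cat <<'EOF'
# site        core version
shop.example  11.2.4
intranet      10.4.8
archive       9.5.11
legacy-forms  8.7.14
staging       10.6.0-dev
EOF
}

sample_inventory | triage_inventory
```

Sites reported as `eol-no-patch` or `branch-not-listed` need a move to a covered branch before any fix can be applied, so they are the ones to plan first.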
Mitigation & Immediate Actions
Schedule a Patch Window: Reserve time between 17:00 and 21:00 UTC today to pull the latest core updates.
Upgrade Legacy Instances: If your infrastructure is still running Drupal 8 or 9, plan a migration to at least Drupal 10.6.x immediately, as these EOL hotfixes are temporary safety nets.
Leverage WAF / WAF-like Protections: Environments utilizing Drupal Steward (the official distributed WAF / mitigation service) are already protected against known variants of this attack vector. However, updating core remains mandatory.
Operational Security Note
No technical details, CVE identifiers, or proofs of concept (PoCs) have been released. The security team warns that any technical details or mitigation scripts circulating on third-party channels prior to the official announcement are likely fraudulent or malicious. Monitor the official Drupal Security Portal exclusively for the release.