Drupal warns of May 20 core security update

Drupal plans a coordinated core security release for all supported branches on May 20, 2026, between 5 and 9 p.m. UTC. The project urges site administrators to apply the latest patches and to set aside time during that window because exploits could appear within hours or days. The advisory reads: “The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days. Not all configurations are affected. Reserve time on May 20 during the release window to determine whether your sites are affected and in need of an immediate update. Mitigation information will be included in the advisory.”

Maintainers recommend updating to the newest patch for each supported branch before May 20 so any upgrade issues can be resolved in advance. Patches are expected for core branches 11.3.x, 11.2.x, 10.6.x and 10.5.x. Sites on those branches should install the latest patch release now in preparation for the security window.

Sites on minor end-of-life core versions should move to recent interim releases so they can apply the security update immediately: Drupal 11.1 or 11.0 should update to at least 11.1.9; Drupal 10.4, 10.3, 10.2, 10.1 or 10.0 should update to at least 10.4.9. For installations running end-of-life major versions, maintainers will provide best-effort patch files for 8.9 and 9.5 that must be applied manually. Those patches are not guaranteed to work and could cause other issues or regressions, but may help mitigate the vulnerability until an upgrade is completed. The team recommends Drupal 8 or 9 sites move to at least Drupal 10.6 soon.

Drupal noted that version 7 is not affected by the issue. The project also advises sites on any version of Drupal 9 to update to 9.5.11 and sites on any version of Drupal 8 to update to 8.9.20 as interim protective steps.

Administrators are urged to test updates in staging environments and to have rollback plans in case patches cause unexpected behavior. Applying the latest patch for a supported branch before the scheduled release will give teams time to address compatibility or deployment problems and to respond promptly if the advisory requires immediate action.

Drupal routinely issues security advisories and occasionally coordinates release windows to address vulnerabilities across multiple branches. Detailed mitigation steps and the full advisory will be published during the May 20 release window.