Drupal Security Team Schedules Highly Critical Core Security Release for 20 May 2026
Drupal core security updates addressing a highly critical vulnerability will be released on 20 May 2026 between 17:00 and 21:00 UTC, with the Drupal Security Team warning that working exploits could emerge shortly after public disclosure.
The advance advisory, identified as PSA-2026-05-18, assigns the issue a “highly critical” severity rating of 20 out of 25 using Drupal’s published security scoring model. While specific technical details remain embargoed, the score reflects multiple risk dimensions, including access complexity, authentication requirements, confidentiality impact, integrity impact, exploit availability, and target distribution. According to the advisory’s published matrix, the vulnerability carries an Access Complexity rating of "None" and requires "None" for Authentication, meaning exploitation does not depend on privileged access or prior authentication. The potential impact is rated at maximum severity for both Confidentiality and Integrity, indicating that non-public data could be accessed and system data could be modified or deleted.
The score remains at 20 rather than a maximum 25 because the Security Team currently classifies the Exploit vector as "Theoretical" (no public exploit code or documentation exists yet) and the Target Distribution as "Uncommon," meaning the vulnerability is only exploitable under specific configuration conditions. However, the Security Team noted that once the patch is published, public exploit code could emerge within hours or days, making local evaluation essential.
Organisations have been strongly urged to reserve emergency maintenance windows during the release period. Rather than an automatic update cycle, administrators should use this time to evaluate their specific technical configurations against the mitigation data in the forthcoming advisory to determine whether their environments are affected.
The announcement is unusual because the Drupal Security Team is extending support beyond its normal maintenance boundaries. Under normal operating protocols, security coverage is strictly limited to active minor branches. Because of the potential severity of this issue, the team is backporting fixes to several unsupported minor and major releases to provide legacy environments an emergency window for evaluation and mitigation.
Official security updates will be provided for all currently supported core branches, which include Drupal 11.3.x, 11.2.x, 10.6.x, and 10.5.x. To minimise operational friction during the critical security window, administrators are advised to update their sites to the latest patch release within their current branch immediately.
For environments running unsupported minor branches of Drupal 10 and 11, the Security Team will provide targeted fixes exclusively for this vulnerability. Sites currently running Drupal 11.1 or 11.0 are instructed to update to at least version 11.1.9 in advance of the window. Similarly, deployments on Drupal 10.4, 10.3, 10.2, 10.1, or 10.0 should update to at least 10.4.9. These interim releases are designed strictly to let administrators safely apply the security fix before planning a broader migration to Drupal 11.3 or 10.6. The team noted that previous advisories, including SA-CORE-2026-001 and SA-CORE-2026-002, will not be backported to these unsupported branches.
As an uncommon support measure, manual patch files will also be made available for Drupal 8 and Drupal 9, major versions that are fully end-of-life, due to the issue’s potential severity. To ensure these best-effort patches apply successfully, administrators must upgrade legacy sites to Drupal 8.9.20 or 9.5.11 before attempting to apply them. The advisory explicitly warns that these legacy patches offer no guarantees of compatibility or stability, are not thoroughly vetted for regressions, and might introduce unexpected secondary bugs. Long-term migration to a supported release remains strongly recommended, as older major versions contain numerous previously disclosed vulnerabilities that remain unpatched.
According to the advisory, Drupal 7 is not affected by this vulnerability.
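The version guidance above is easiest to apply across a fleet of sites with a small check. The following is an added example, not code from the advisory or the Drupal project: it encodes only the branch and version thresholds quoted above (the function and constant names are my own) and returns the pre-release action for a given core version string.

```python
"""Classify a Drupal core version against the update guidance in PSA-2026-05-18.

Added example, not part of the advisory. The thresholds below are the
versions the advisory names; the classification labels are assumptions.
"""
from typing import Tuple

# Branches that receive the official security release on 20 May 2026.
SUPPORTED_BRANCHES = {(11, 3), (11, 2), (10, 6), (10, 5)}
# Unsupported minor branches that get a targeted fix only, mapped to the
# minimum interim release a site must reach before the release window.
INTERIM_MINIMUM = {
    (11, 1): (11, 1, 9), (11, 0): (11, 1, 9),
    (10, 4): (10, 4, 9), (10, 3): (10, 4, 9), (10, 2): (10, 4, 9),
    (10, 1): (10, 4, 9), (10, 0): (10, 4, 9),
}
# End-of-life majors that only get best-effort manual patch files, mapped to
# the release the site must be on for those patches to apply.
EOL_PATCH_BASELINE = {8: (8, 9, 20), 9: (9, 5, 11)}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; a pre-release suffix such as '-rc1' is dropped."""
    core = text.strip().lstrip("v").split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Drupal core version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def readiness(version_text: str) -> str:
    """Return the action the advisory prescribes before the release window."""
    v = parse_version(version_text)
    major, minor, _ = v
    dotted = lambda t: ".".join(map(str, t))  # noqa: E731
    if major == 7:
        return "not-affected"
    if (major, minor) in SUPPORTED_BRANCHES:
        return "supported: update to latest patch release, then apply security release"
    if (major, minor) in INTERIM_MINIMUM:
        target = INTERIM_MINIMUM[(major, minor)]
        if v < target:
            return f"update to {dotted(target)} before the release window"
        return "interim release reached: apply targeted fix, then migrate"
    if major in EOL_PATCH_BASELINE:
        baseline = EOL_PATCH_BASELINE[major]
        if v < baseline:
            return f"EOL: upgrade to {dotted(baseline)} before applying manual patch"
        return "EOL: manual patch is best effort; migrate to a supported release"
    return "outside the advisory's stated coverage: consult the advisory directly"
```

Feed it the output of `drush core:status --field=drupal-version` (or the version in `core/lib/Drupal.php`) for each site to build an inventory of which sites still need the interim update before 20 May.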
Organisations using Drupal Steward—Drupal’s web application firewall mitigation service—will receive immediate protection against known variations of the attack vector at the time of release. However, the Security Team emphasises that Steward coverage does not negate the need for a code update, in case additional attack vectors are discovered.
All technical specifics regarding the underlying vulnerability remain embargoed until the official advisory publication on 20 May 2026. The security advisory will be published through the Drupal.org security advisory page and official communication channels, including Bluesky, Mastodon, LinkedIn, X, and the dedicated Drupal security mailing list.
The Drupal Security Team periodically publishes advance public service announcements for vulnerabilities considered severe enough to require emergency maintenance planning across enterprise, government, and high-traffic Drupal deployments.
More information and official advisories are available through the Drupal security advisory page.
