Drupal Warns of Urgent Core Security Patch for All Supported Branches on May 20
Drupal announced an urgent core security release for all supported branches on May 20, warning that exploits may be developed within hours or days of the patch.

The Drupal Security Team has issued an urgent alert that a core security release will be published on May 20, 2026, between 5 and 9 p.m. UTC. The advisory covers all currently supported branches of the PHP-based content management system, including versions 11.3.x, 11.2.x, 10.6.x, and 10.5.x. While specific CVE identifiers and technical details have not yet been disclosed, the team explicitly warned that exploits could be developed within hours or days of the patch release, urging site administrators to reserve time for immediate updates.
The severity of the vulnerability is underscored by Drupal's decision to provide patches for end-of-life minor core versions—11.1.x and 10.4.x—which normally do not receive security updates. Sites running Drupal 11.1 or 11.0 must update to at least Drupal 11.1.9, and those on Drupal 10.4, 10.3, 10.2, 10.1, or 10.0 must update to at least Drupal 10.4.9 before the security window opens. This ensures that administrators can apply the security patch as soon as it is released, with a recommendation to upgrade to Drupal 11.3 or 10.6 in the near future.
For organizations still running end-of-life major core versions such as Drupal 8 and 9, the Drupal Security Team will provide manual patch files for Drupal 8.9 and 9.5. However, the team cautioned that these best-effort patches may not work correctly and could introduce regressions or other issues. "We strongly recommend Drupal 8 or 9 sites update to at least Drupal 10.6 soon," the advisory stated, noting that older versions contain numerous previously disclosed vulnerabilities that will not be addressed by either Drupal Steward or the patch files.
Importantly, Drupal 7 is not affected by the issue. Sites on any version of Drupal 9 are advised to update to 9.5.11, and those on Drupal 8 should update to Drupal 8.9.20. The maintainers emphasized that not all configurations are affected, and mitigation information will be included in the advisory released during the update window. Administrators are urged to determine whether their sites are affected and in need of an immediate update.
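
The version guidance in the preceding paragraphs can be applied mechanically to a site inventory ahead of the window. The following Python triage script is an added example, not code from the Drupal Security Team; the status labels, function names and the sample inventory are assumptions made for illustration.

```python
import re

# Versions and branches below are the ones named in the advisory text above.
SUPPORTED = {(11, 3), (11, 2), (10, 6), (10, 5)}
EOL_MINOR = {11: (1, (11, 1, 9)), 10: (4, (10, 4, 9))}  # major: (highest EOL minor, target)
EOL_MAJOR = {9: (9, 5, 11), 8: (8, 9, 20)}              # manual best-effort patches only

def parse(version):
    """Parse '10.4.3', '7.98' or '11.3.0-rc1' into a comparable 3-tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-[\w.]+)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal core version: {version!r}")
    return int(m[1]), int(m[2]), int(m[3] or 0)

def classify(version):
    """Return (status, target); target is the version to reach before the window."""
    v = parse(version)
    major, minor = v[:2]
    if major == 7:
        return "not_affected", None
    if (major, minor) in SUPPORTED:
        return "supported_branch", None      # install the release during the window
    if major in EOL_MAJOR:
        target, ready = EOL_MAJOR[major], "manual_patch_only"
    elif major in EOL_MINOR and minor <= EOL_MINOR[major][0]:
        target, ready = EOL_MINOR[major][1], "eol_minor_patch"
    else:
        return "unknown", None               # branch the advisory text does not mention
    if v < target:
        return "update_before_window", ".".join(map(str, target))
    return ready, None

def triage(inventory):
    """Group sites by status so the pre-window work list is explicit."""
    groups = {}
    for site, version in sorted(inventory.items()):
        try:
            status, target = classify(version)
        except ValueError:
            status, target = "unknown", None  # unparseable version: check by hand
        groups.setdefault(status, []).append((site, version, target))
    return groups

# Constructed inventory: hostnames and versions are made up for the example.
INVENTORY = {"www.example.org": "11.3.1", "intranet.example.org": "10.3.2",
             "legacy.example.org": "9.4.8", "archive.example.org": "7.98",
             "shop.example.org": "11.1.9"}

if __name__ == "__main__":
    for status, sites in triage(INVENTORY).items():
        print(status, sites)
```

Sites reported as `update_before_window` are the ones that cannot take the May 20 patch until they reach the listed target; `manual_patch_only` sites depend on the best-effort patch files for Drupal 8.9 and 9.5.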
The pre-announcement follows a pattern seen in other major open-source projects, where advance warning is given for critical vulnerabilities to allow administrators to prepare. Drupal powers millions of websites worldwide, including those of governments, universities, and large enterprises, making any unpatched critical vulnerability a prime target for attackers. The Drupal Security Team's warning that exploits may be developed within hours or days highlights the urgency of the situation.
This incident also reflects a broader trend in web security: content management systems remain a frequent attack vector due to their widespread deployment and the complexity of maintaining secure configurations. Organizations using Drupal should prioritize the May 20 update window and ensure that their sites are running supported versions to receive timely patches. The Drupal Security Team has not yet disclosed whether the vulnerability is being actively exploited in the wild, but the pre-emptive warning suggests a high level of concern.