Upcoming Drupal security release (PSA-2026-05-18) — May 20, 17:00 - 21:00 UTC

Update timeline

1. identified May 19, 2026, 02:09 AM UTC

   Drupal has announced an upcoming highly critical Drupal core security release affecting Drupal 10 and 11 (and EOL versions 8 and 9). Customer impact - Prepare now: Update to the latest patch release on your current supported Drupal version ahead of time to reduce time-to-patch. - Schedule a maintenance window: May 20, 17:00 - 21:00 UTC. Customers should be prepared to apply the security update immediately once released. - EOL Drupal versions: Drupal 8.9 and 9.5 will receive patch files only (temporary mitigation). Plan an urgent upgrade to a supported version. Drupal 7 is not affected. What we're doing We're treating this as a priority security event and preparing WAF/CDN mitigations ("virtual patches") where possible. These may provide partial/temporary protection; applying the upstream Drupal security update remains the primary mitigation. We’ll share updates here as more information becomes available. For more information, see the Drupal PSA: https://www.drupal.org/psa-2026-05-18

2. monitoring May 20, 2026, 07:26 PM UTC

   We’ve reviewed today’s Drupal-related release and do not currently anticipate any required changes to customer environments. Based on our assessment, overall exposure appears limited, and we will continue monitoring the situation closely. We’ll provide additional updates if conditions change or further action becomes necessary.