Apply Updates for Drupal Core Security Release May 20, 2026

This message is intended for U-M IT staff who are responsible for university websites that use the Drupal content management system.

Summary

Drupal is releasing core security updates for all currently supported versions on May 20, 2026, between 12 pm and 6 pm EST. Update to the latest version as soon as possible after appropriate testing. Drupal is a web content management system.

Problem

Units that use the Drupal content management system need to apply the security updates for the latest currently supported version they are using during the release window on May 20. The updates mitigate a highly critical security risk, and exploits might be developed within hours or days.

Threats

Units that use the Drupal content management system need to reserve time for core updates during the release window on May 20 because exploits might be developed within hours or days of the release. 

Affected Versions

Not all configurations are affected, so it is important to reserve time during the release window to determine whether sites are affected and in need of an immediate update. Mitigation information will be included in the Drupal advisory.

Security updates are available for these currently supported versions of Drupal:

  • 11.3.x
  • 11.2.x
  • 10.6.x
  • 10.5.x

End-of-life minor core versions (Drupal 10 and 11)

  • While the Drupal Security Team does not normally provide security releases for unsupported releases, given the severity of the issue, they are providing 11.1.x and 10.4.x releases that include the fix for sites that have not yet had a chance to update. Therefore, in advance of the window:
    • Sites on Drupal 11.1 or 11.0 should update to at least Drupal 11.1.9.
    • Sites on Drupal 10.4, 10.3, 10.2, 10.1, or 10.0 should update to at least Drupal 10.4.9.
  • These sites should apply the security update as soon as it is released on May 20, then plan to update to Drupal 11.3 or 10.6 in the near future. (Two other recent security advisories, SA-CORE-2026-001 and SA-CORE-2026-002, will not be addressed for 11.1 or 10.4.)

End-of-life major core versions (Drupal 8 and 9)

  • These major versions are fully end-of-life, so no releases will be created for these branches. However, given the potential severity of this issue, Drupal will provide patch files for Drupal 8.9 and 9.5. These patches must be applied manually. They are not guaranteed to work correctly and might introduce other bugs or regressions. However, they may help mitigate the vulnerability for sites still on these old major versions until they upgrade to a supported release.
  • For the best chance of the patches being applied successfully:
    • Sites on any version of Drupal 9 should update to Drupal 9.5.11.
    • Sites on any version of Drupal 8 should update to Drupal 8.9.20.
  • Drupal strongly recommends that sites running 8 or 9 update soon to at least Drupal 10.6. Drupal 8 and 9 include numerous other, previously disclosed, security vulnerabilities that will not be addressed by either Drupal Steward or the best-effort patch files.

Drupal 7 is not affected.
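
The version rules in this section can be applied across a site inventory with a short script. The following is an added example, not part of the original notice or of Drupal's own tooling; the function names, category labels, and hostnames are assumptions, and for supported branches it reports no minimum because the notice does not state one.

```python
import re

# Version facts below are taken from the advisory text; hostnames are constructed.
SUPPORTED = {(11, 3), (11, 2), (10, 6), (10, 5)}
EOL_MINOR = {11: (1, (11, 1, 9)), 10: (4, (10, 4, 9))}  # major: (last EOL minor, minimum)
EOL_MAJOR = {9: (9, 5, 11), 8: (8, 9, 20)}              # patch files applied manually

def parse(version):
    """Turn '10.2.7' or '7.103' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version: {version!r}")
    return tuple(int(part or 0) for part in m.groups())

def triage(version):
    """Return (category, stated_minimum, below_minimum) for one core version."""
    v = parse(version)
    major, minor = v[0], v[1]
    if major == 7:
        return ("not-affected", None, False)
    if major in EOL_MAJOR:
        target = EOL_MAJOR[major]
    elif (major, minor) in SUPPORTED:
        # The advisory names no patch number here: use the branch's latest release.
        return ("supported", None, False)
    elif major in EOL_MINOR and minor <= EOL_MINOR[major][0]:
        target = EOL_MINOR[major][1]
    else:
        return ("unknown", None, False)
    category = "eol-major-manual-patch" if major in EOL_MAJOR else "eol-minor"
    return (category, ".".join(map(str, target)), v < target)

def worklist(inventory):
    """Sites that must move before the window, lowest version first."""
    rows = [(site, ver) + triage(ver) for site, ver in inventory.items()]
    return sorted((r for r in rows if r[4]), key=lambda r: parse(r[1]))

if __name__ == "__main__":
    inventory = {  # constructed sample data
        "site-a.example.edu": "11.3.1", "site-b.example.edu": "10.2.7",
        "site-c.example.edu": "9.4.3", "site-d.example.edu": "7.103",
        "site-e.example.edu": "11.1.9",
    }
    for site, ver, category, minimum, _ in worklist(inventory):
        print(f"{site}: {ver} -> at least {minimum} ({category})")
```

Sites reported as "unknown" are on a version the notice does not mention and need manual review.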

Action Items

Before May 20:

It is recommended that units update to the latest supported patch (bugfix) release for their site's version of Drupal before May 20, so that any other upgrade issues can be addressed before the security window.

During the Release Window on May 20:

  1. Determine whether sites are affected and in need of an immediate update.
  2. Update to the latest currently supported version as soon as possible after appropriate testing. Currently supported versions are: 11.3.x, 11.2.x, 10.6.x, 10.5.x. See the Affected Versions section above for information regarding end-of-life versions.

Note: Drupal Steward is providing protection for this issue. Sites that use Drupal Steward are already protected from known attack vectors, but should upgrade in the near future in case additional attack vectors are discovered.

How We Protect U-M

ITS Information Assurance is working with ITS staff who manage systems running Drupal and notifying others across the university to ensure the updates are applied in a timely manner.

Information for Users

Drupal is a content management system used to manage website content. Administrators of systems running Drupal need to apply the update. Content managers and website users do not need to do anything.

Questions, Concerns, Reports

Please contact ITS Information Assurance through the ITS Service Center.