Drupal has announced the release of a critical core security update for all supported branches of its content management system on May 20, 2026, between 5 p.m. and 9 p.m. UTC.
The project has not disclosed the details of the vulnerability but the maintainers have urged administrators to prepare for immediate updates as exploits could emerge within hours or days after disclosure.
The Drupal security team said not all site configurations are expected to be affected, but urged organizations to reserve maintenance time during the release window to assess whether their installations need urgent patching.
The upcoming patches will cover Drupal core branches 11.3.x, 11.2.x, 10.6.x, and 10.5.x. Site owners are recommended to upgrade to the latest supported patch versions before the release date in order to avoid deployment issues once the security fixes become available. Mitigation information will be included in the advisory.
Administrators running Drupal 11.1 or 11.0 are advised to upgrade to at least Drupal 11.1.9, while those using Drupal 10.4 or earlier 10.x releases should move to Drupal 10.4.9 ahead of the security release.
Drupal said sites on older major versions, including Drupal 8 and 9, will require manually applied patch files for versions 8.9 and 9.5. However, the project warned there is no guarantee the fixes will function correctly on unsupported releases and warned that applying them could introduce regressions or other operational issues.