---------- Forwarded message ---------
From: <securi...@drupal.org>
Date: Mon, May 18, 2026, 2:52 PM
Subject: [Security-news] Upcoming highly critical release on May 20, 2026 - PSA-2026-05-18
To: <securi...@drupal.org>

View online: https://www.drupal.org/psa-2026-05-18
Date: 2026-May-18
Description:
There will be a *Drupal core security release for all supported branches on
May 20, 2026, between 17:00 and 21:00 UTC*. (To see this in your local
timezone, refer to the Drupal Core Calendar [1].) The Drupal Security Team
urges you to reserve time for core updates at that time because exploits
/might/ be developed within hours or days.
The risk is currently rated as:
Highly critical 20 ∕ 25
AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon.
Not all configurations are affected. Reserve time on May 20 during the
release window to determine whether your sites are affected and in need of an
immediate update. Mitigation information will be included in the advisory.
*We recommend updating to the latest supported patch (bugfix) release for
your site's version of Drupal before May 20*, so that you can address any
other upgrade issues before the security window. (Recommendations for
specific Drupal versions follow.)
This issue is being protected by Drupal Steward. Sites that use Drupal
Steward are already protected from known attack vectors, but should upgrade
in the near future in case additional attack vectors are discovered.
.... Affected versions
.. Supported core versions
Security releases will be provided for all the currently supported branches
of Drupal core, which are:
* 11.3.x
* 11.2.x
* 10.6.x
* 10.5.x
Sites on one of these supported versions should update to the latest patch
release for the given branch /now/ in preparation for the security window.
.. End-of-life minor core versions (Drupal 10 and 11)
While the Drupal Security Team does not normally provide security releases
for unsupported releases [2], given the severity of the issue, we /are/
providing 11.1.x and 10.4.x releases that include the fix for sites which
have not yet had a chance to update. Therefore, in advance of the window:
* Sites on Drupal 11.1 or 11.0 should update to at least Drupal 11.1.9 in
preparation for the window.
* Sites on Drupal 10.4, 10.3, 10.2, 10.1, or 10.0 should update to at least
Drupal 10.4.9 in preparation for the window.
These sites should apply the security update as soon as it is released on May
20, then plan to update to Drupal 11.3 or 10.6 in the near future. (Two other
recent security advisories, SA-CORE-2026-001 [3] and SA-CORE-2026-002 [4],
will /not/ be addressed for 11.1 or 10.4.)
.. End-of-life major core versions (Drupal 8 and 9)
These major versions are fully end-of-life, so no releases will be created
for these branches. However, given the potential severity of this issue, *we
will provide patch files for Drupal 8.9 and 9.5*.
These patches must be applied manually. They are /not/ guaranteed to work
correctly, and might introduce other bugs or regressions. However, they may
help mitigate the vulnerability for sites still on these old major versions
until they upgrade to a supported release.
For the best chance of the patches being applied successfully:
* Sites on any version of Drupal 9 should update to Drupal 9.5.11 in
preparation for the window.
* Sites on any version of Drupal 8 should update to Drupal 8.9.20 in
preparation for the window.
We strongly recommend Drupal 8 or 9 sites update to at least Drupal 10.6
soon. Drupal 8 and 9 include numerous other, previously disclosed security
vulnerabilities that will not be addressed by either Drupal Steward or the
best-effort patch files.
Drupal 7 is not affected.
.... Disclosure policy
Neither the Security Team nor any other party is able to release any more
information about this vulnerability until the announcement is made. The
announcement will be made public at https://www.drupal.org/security [5], on
Bluesky [6], Mastodon [7], X (formerly Twitter) [8], and LinkedIn [9], and in
email for those who have subscribed to our email list. To subscribe to the
email list: log in on Drupal.org, go to your user profile page and subscribe
to the security newsletter on the Edit » My newsletters tab.
Security release announcements will appear on the Drupal.org security
advisory page [10] which also has RSS feeds.
Coordinated By:
* Benji Fisher (benjifisher) [11] of the Drupal Security Team
* catch (catch) [12] of the Drupal Security Team
* cilefen (cilefen) [13] of the Drupal Security Team
* Damien McKenna (damienmckenna) [14] of the Drupal Security Team
* Neil Drumm (drumm) [15] of the Drupal Security Team
* Greg Knaddison (greggles) [16] of the Drupal Security Team
* Tim Hestenes Lehnen (hestenet) [17]
* Lee Rowlands (larowlan) [18] of the Drupal Security Team
* Dave Long (longwave) [19] of the Drupal Security Team
* Drew Webber (mcdruid) [20] of the Drupal Security Team
* Juraj Nemec (poker10) [21] of the Drupal Security Team
* Jess (xjm) [22] of the Drupal Security Team
------------------------------------------------------------------------------
Contribution record [23]
[1] https://calendar.google.com/calendar/r?cid=drupalcor...@association.drupal.org
[2] https://www.drupal.org/core/release-cycle-overview
[3] https://www.drupal.org/sa-core-2026-001
[4] https://www.drupal.org/sa-core-2026-002
[5] https://www.drupal.org/security
[6] https://bsky.app/profile/drupalsecurity.bsky.social
[7] https://drupal.community/@drupalsecurity
[8] https://x.com/drupalsecurity
[9] https://www.linkedin.com/showcase/drupal-security-team/
[10] https://www.drupal.org/security
[11] https://www.drupal.org/u/benjifisher
[12] https://www.drupal.org/u/catch
[13] https://www.drupal.org/u/cilefen
[14] https://www.drupal.org/u/damienmckenna
[15] https://www.drupal.org/u/drumm
[16] https://www.drupal.org/u/greggles
[17] https://www.drupal.org/u/hestenet
[18] https://www.drupal.org/u/larowlan
[19] https://www.drupal.org/u/longwave
[20] https://www.drupal.org/u/mcdruid
[21] https://www.drupal.org/u/poker10
[22] https://www.drupal.org/u/xjm
[23] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3590745
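
The version guidance under "Affected versions" above, turned into a fleet triage helper. This is an added example, not part of the Drupal Security Team's announcement; the function names, category labels and the sample inventory are hypothetical, and the branch and target versions are the ones listed in the PSA.

```python
import re

# Branches and pre-window targets exactly as listed in PSA-2026-05-18.
SUPPORTED = {(11, 3), (11, 2), (10, 6), (10, 5)}
EOL_MINOR = {11: (1, 9), 10: (4, 9)}   # a security release will be provided
EOL_MAJOR = {9: (5, 11), 8: (9, 20)}   # best-effort patch file, applied manually


def triage(version):
    """Map one installed core version to (category, pre-window action)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-[\w.]+)?", version.strip())
    if not m:
        return ("unknown", "unparseable version, check manually")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    if major == 7:
        return ("not-affected", "none")
    if (major, minor) in SUPPORTED:
        return ("supported", f"update to latest {major}.{minor}.x patch release")
    for table, category in ((EOL_MINOR, "eol-minor"), (EOL_MAJOR, "eol-major")):
        if major in table and minor <= table[major][0]:
            t_minor, t_patch = table[major]
            if (minor, patch) >= (t_minor, t_patch):
                return (category, "at target, wait for window")
            return (category, f"update to >= {major}.{t_minor}.{t_patch}")
    # Anything else (e.g. a dev branch newer than 11.3) is not covered by the PSA.
    return ("unknown", "branch not listed in the PSA, check manually")


def plan(inventory):
    """Triage a {site: version} inventory; sites needing an update sort first."""
    rows = [(site, *triage(v)) for site, v in inventory.items()]
    return sorted(rows, key=lambda r: (not r[2].startswith("update"), r[0]))


# Constructed inventory (hypothetical site names and versions).
SAMPLE = {"intranet": "10.3.14", "shop": "11.3.2", "legacy": "8.7.0",
          "archive": "7.98", "blog": "11.1.9", "lab": "11.4.0-dev"}

if __name__ == "__main__":
    for site, category, action in plan(SAMPLE):
        print(f"{site:10} {category:13} {action}")
```

Sites reported as "eol-major" still need the manual patch file once it is published, and per the PSA should plan a move to at least Drupal 10.6.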