**Drupal** has announced an upcoming "core security release" affecting all supported branches, scheduled for May 20, 2026, between 5-9 p.m. UTC. The **Drupal Security Team** is strongly advising administrators to reserve time for core updates during this window, citing the potential for rapid exploitation following the release. > "The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days," the maintainers stated. It's recommended to update to the latest supported patch for your site's **Drupal** version before the deadline to address any pre-existing upgrade issues. ### Affected Versions Patches will be available for the following supported branches of **Drupal** core: * 11.3.x * 11.2.x * 10.6.x * 10.5.x Sites running these versions should update to the latest patch release for their respective branch immediately to prepare for the security window. ### Mitigation Steps for Older Versions While the specific vulnerability remains under wraps, **Drupal** is providing 11.1.x and 10.4.x releases for sites running end-of-life minor core versions, indicating a potentially critical flaw. Recommendations for older versions: * Sites on **Drupal** 11.1 or 11.0 should update to at least **Drupal** 11.1.9. * Sites on **Drupal** 10.4, 10.3, 10.2, 10.1, or 10.0 should update to at least **Drupal** 10.4.9. The suggested approach is to apply the security update as soon as it's released on May 20, followed by an upgrade to **Drupal** 11.3 or 10.6 in the near future. ### End-of-Life Versions: Proceed with Caution For sites still operating on end-of-life major core versions like **Drupal** 8 and 9, manual patch files for **Drupal** 8.9 and 9.5 will be required. However, **Drupal** cautions that these fixes are not guaranteed to function correctly and may introduce new issues or regressions. > "However, they may help mitigate the vulnerability for sites still on these old major versions until they upgrade to a supported release," **Drupal** stated. Upgrading to at least **Drupal** 10.6 is strongly recommended for **Drupal** 8 and 9 sites to address numerous previously disclosed security vulnerabilities that will not be fixed by either **Drupal Steward** or the best-effort patch files. ### Drupal 7 Not Affected **Drupal** 7 is not affected by this particular issue. Sites on any version of **Drupal** 9 are advised to update to 9.5.11, and those on any version of **Drupal** 8 should update to **Drupal** 8.9.20.