Critical Drupal Core Flaw Exposes Websites to Cyberattack

A highly critical security vulnerability has been discovered in Drupal core, threatening websites worldwide. Its official security release is scheduled for May 20, 2026.

The vulnerability has been assigned a “Highly Critical” severity rating (20/25), indicating potential risks to confidentiality and integrity across affected systems.

While technical details remain undisclosed until the official release window, the advisory confirms that multiple supported Drupal core versions are impacted.

Drupal Core Security Vulnerability

The issue affects all currently supported Drupal core branches, including:

• Drupal 11.3. x and 11.2.x
• Drupal 10.6. x and 10.5.x

In an unusual move reflecting the severity of the flaw, Drupal is also releasing security patches for older, unsupported versions:

• Drupal 11.1. x and 10.4.x will receive limited security updates.
• Drupal 8.9. x and 9.5. x will receive manual patch files.

Drupal 7 is confirmed to be unaffected. Although not all configurations are vulnerable, administrators are strongly advised to assume potential exposure until confirmed otherwise.

The Drupal Security Team cautions that working exploits may be developed rapidly after disclosure.

This creates a narrow response window for defenders. Attackers often reverse-engineer patches to identify vulnerabilities, making delayed updates a major risk.

For example, a typical attack scenario could involve an unauthenticated attacker exploiting the flaw to manipulate site data or gain elevated access, depending on how the vulnerability manifests.

Organizations running Drupal sites should take immediate preparatory steps:

• Update to the latest available patch version before May 20.
• Reserve maintenance time during the release window (17:00–21:00 UTC).
• Apply the security update immediately upon release.
• Plan upgrades to supported versions such as Drupal 11.3 or 10.6.

For legacy systems:

• Drupal 11.0/11.1 → upgrade to at least 11.1.9.
• Drupal 10.0–10.4 → upgrade to at least 10.4.9.
• Drupal 9 → upgrade to 9.5.11 before applying patches.
• Drupal 8 → upgrade to 8.9.20 before applying patches.

Manual patches for Drupal 8 and 9 are not guaranteed to work and may introduce instability, but they provide temporary mitigation.

Sites using Drupal Steward already have protection against known attack vectors.

The Drupal Security Team has issued an advanced notice under advisory PSA-2026-05-18, warning that exploitation could occur within hours of public disclosure.

However, administrators are still advised to apply official patches promptly to defend against newly discovered exploitation techniques.

Full technical details will be disclosed on May 20 via Drupal’s official security advisory page and communication channels, including email notifications and social media platforms.

Key members of the Drupal Security Team coordinate the response effort.

Given the potential impact, this vulnerability highlights the importance of proactive patch management and timely response.

Organizations relying on Drupal should treat this advisory with urgency to prevent possible compromise.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.