SUMMARY
ISO is aware of an upcoming critical security update that affects Drupal core. The Drupal Security Team has issued a heads-up (PSA-2026-05-18) about a highly critical security update coming out for Drupal core[1].
The update addresses a security flaw within the core architecture of Drupal that does not require authentication and could potentially allow attackers to build exploits.
Mark your calendars for Wednesday, May 20, 2026, between 10:00 am and 2:00 pm PST. The details may be released early, which would require a quick response from those affected. ISO will provide an update when the fix lands.
IMPACT
The impact of this vulnerability is as yet unknown. No details have been provided.
WHAT IS VULNERABLE
The vulnerability is within the core architecture of the Drupal content management system. The flaw requires no authentication, and attackers could reverse-engineer the patch to build exploits instantly. It impacts almost all versions of Drupal, including the following:
- Affected versions: Drupal 11.3.x, 11.2.x, 10.6.x, and 10.5.x.
- The following End-of-Life (EOL) versions will also be patched: Drupal 8.9, 9.5, 10.4, 11.1
RECOMMENDATIONS
- To prepare, patch up to your latest available bugfix version.
- Apply the security update once it becomes available.
MITIGATION
Mitigations will be provided on May 20th for those who are not able to update at this time.
REFERENCES
If you have any questions about the vulnerability or would like some assistance patching or mitigating it, please contact security@berkeley.edu