PROBABLYPWNED
Vulnerabilities | May 20, 2026 | 3 min read

Drupal Warns of Highly Critical Flaw — Patches Due Today

Drupal releases patches for a highly critical vulnerability (severity 20/25) affecting all supported versions. Exploits may emerge within hours—administrators should update between 5-9pm UTC today.

Marcus Chen

Drupal is releasing security patches for a highly critical vulnerability today, May 20, 2026, between 5:00 PM and 9:00 PM UTC. The pre-announcement advisory PSA-2026-05-18 rates the flaw at 20 out of 25 on Drupal's severity scale and warns that exploits could emerge within hours of disclosure.

The Drupal Security Team's message is unambiguous: block time on your calendar to patch today.

What We Know

Drupal is withholding technical details until the patch release, but the advisory reveals enough to understand the threat:

  • Severity: 20/25 (Highly Critical)
  • Access Complexity: None — exploitation doesn't require special conditions
  • Authentication: None — attackers don't need to be logged in
  • Not all configurations affected — but you won't know if yours is until you see the patch

The combination of no authentication requirement and no access complexity typically indicates a remotely exploitable vulnerability that works against default installations. That's the worst-case scenario for internet-facing CMS deployments.

Affected Versions

Patches will be available for:

  • Drupal 11.3.x, 11.2.x
  • Drupal 10.6.x, 10.5.x

End-of-life versions 11.1.x and 10.4.x will receive patches on May 20, but organizations running these should upgrade to supported branches soon after applying the emergency fix.

Drupal 7 is not affected by this vulnerability.

Why the Urgency

Drupal powers approximately 2.3% of websites using known CMS platforms, including government portals, universities, and enterprise sites. Previous Drupal critical vulnerabilities have been weaponized rapidly:

  • Drupalgeddon (2014): Exploits appeared within hours
  • Drupalgeddon 2 (2018): Mass exploitation began within days

When Drupal issues pre-announcement advisories at this severity level, it signals genuine concern about exploitation timelines. The security team explicitly states that "exploits might be developed within hours or days."

What Administrators Should Do

Before the release window (now through 5 PM UTC):

  1. Inventory all Drupal installations in your environment
  2. Ensure you're running the latest patch for your current branch
  3. Test your update procedures in staging if possible
  4. Schedule maintenance windows for production updates

During the release window (5-9 PM UTC):

  1. Read the security advisory when published
  2. Determine if your configuration is affected
  3. Apply patches immediately for affected sites
  4. Verify functionality after updates

For end-of-life installations:

  • Drupal 11.1/11.0: Update to at least 11.1.9 before applying the security patch
  • Drupal 10.4-10.0: Update to at least 10.4.9 before applying the security patch
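The inventory and branch-check steps above, as an added example that is not code from the article or the Drupal project: a Python script that walks a filesystem for Drupal cores, reads each version string, and classifies the install against the branches the advisory names. It assumes Drupal 8+ records its version in core/lib/Drupal.php as `const VERSION = '...';` and Drupal 7 in includes/bootstrap.inc as `define('VERSION', '...');`; the branch table and the 11.1.9 / 10.4.9 minimums come from the lists above, and the sample installs the demo builds in a temporary directory are constructed.

```python
"""Inventory Drupal installs and classify them against the advisory's branch list.

Added example, not code from the article or the Drupal project. Assumes Drupal 8+
records its version in core/lib/Drupal.php (`const VERSION = '...';`) and
Drupal 7 in includes/bootstrap.inc (`define('VERSION', '...');`).
"""
import os
import re
import tempfile

# Branches that receive a regular security release today (from the advisory)
SUPPORTED = {(11, 3), (11, 2), (10, 6), (10, 5)}
# End-of-life majors: minimum release required before the security patch applies
EOL_MIN = {11: (11, 1, 9), 10: (10, 4, 9)}

D8_RE = re.compile(r"const\s+VERSION\s*=\s*'([0-9][0-9.]*)'")   # Drupal 8+ core/lib/Drupal.php
D7_RE = re.compile(r"define\('VERSION',\s*'([0-9][0-9.]*)'\)")  # Drupal 7 includes/bootstrap.inc


def parse_version(text):
    """'11.1.4' -> (11, 1, 4); a two-part Drupal 7 version like '7.102' -> (7, 102, 0)."""
    parts = [int(p) for p in text.split(".") if p]
    return tuple((parts + [0, 0, 0])[:3])


def classify(version):
    """Map a version string to the action the advisory calls for."""
    major, minor, patch = parse_version(version)
    if major == 7:
        return "not affected (Drupal 7)"
    if (major, minor) in SUPPORTED:
        return "supported branch: apply today's security release"
    if major in EOL_MIN and minor <= EOL_MIN[major][1]:
        if (major, minor, patch) < EOL_MIN[major]:
            return "EOL branch: update to %d.%d.%d before applying the security patch" % EOL_MIN[major]
        return "EOL branch: apply the emergency patch, then move to a supported branch"
    return "branch not listed in the advisory: check the published advisory and upgrade"


def find_installs(root):
    """Walk `root` and return [(install_dir, version)] for every Drupal core found."""
    results = []
    for dirpath, dirnames, _ in os.walk(root):
        d8 = os.path.join(dirpath, "core", "lib", "Drupal.php")
        d7 = os.path.join(dirpath, "includes", "bootstrap.inc")
        for candidate, regex in ((d8, D8_RE), (d7, D7_RE)):
            if not os.path.isfile(candidate):
                continue
            with open(candidate, encoding="utf-8", errors="replace") as fh:
                match = regex.search(fh.read())
            if match:
                results.append((dirpath, match.group(1)))
                dirnames[:] = []  # an install's subtree holds no further installs
                break
    return results


def demo():
    """Build a constructed sample tree (three fake installs) and inventory it."""
    root = tempfile.mkdtemp(prefix="drupal-inventory-")
    samples = {  # constructed versions and layouts, not real deployments
        "siteA/web": ("core/lib/Drupal.php", "<?php\nclass Drupal {\n  const VERSION = '11.3.1';\n}\n"),
        "siteB": ("core/lib/Drupal.php", "<?php\nclass Drupal {\n  const VERSION = '11.1.4';\n}\n"),
        "legacy": ("includes/bootstrap.inc", "<?php\ndefine('VERSION', '7.102');\n"),
    }
    for site, (rel, body) in samples.items():
        path = os.path.join(root, site, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return {os.path.relpath(p, root): (v, classify(v)) for p, v in find_installs(root)}


if __name__ == "__main__":
    for install, (version, action) in sorted(demo().items()):
        print(f"{install:12} {version:8} {action}")
```

Run it against a real root with `find_installs("/var/www")` instead of `demo()`; composer-managed sites report the `web/` (or `docroot/`) directory, since that is where core lives. A version whose branch is not in the table is reported rather than guessed about, because the advisory only names the branches listed above.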

Monitoring for Exploitation

Once details are public, watch for:

  • Unusual traffic patterns to Drupal endpoints
  • Web application firewall alerts
  • Error log entries suggesting exploitation attempts
  • Unexpected file modifications

Organizations running web application firewalls should monitor for virtual patch availability from their vendors—many WAF providers push detection rules for high-profile CMS vulnerabilities within hours.
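For the "unexpected file modifications" item, an added example that is not the article's or Drupal's code: a baseline-and-diff integrity check over a docroot that hashes every file right after patching, re-hashes later, and flags new or changed PHP files. It assumes Drupal's sites/default/files and sites/default/private directories are volatile and tracks only PHP there, on the reasoning that legitimate uploads change constantly while executable PHP should never appear in them; the docroot the demo builds is constructed.

```python
"""Baseline-and-diff integrity check for a Drupal docroot.

Added example, not code from the article or the Drupal project. Assumes the
baseline is taken immediately after patching and re-run on a schedule.
"""
import hashlib
import json
import os
import tempfile

# Directories Drupal writes to during normal operation. Assumption: content
# changes there are expected, but executable PHP never belongs there.
VOLATILE_DIRS = ("sites/default/files", "sites/default/private")


def hash_tree(root, volatile=VOLATILE_DIRS):
    """Return {relative_path: sha256_hex} for the files under root worth tracking."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        rel_dir = "" if rel_dir == "." else rel_dir
        in_volatile = any(rel_dir == v or rel_dir.startswith(v + "/") for v in volatile)
        for name in filenames:
            if in_volatile and not name.endswith(".php"):
                continue  # uploads churn; only executable content there is tracked
            rel = f"{rel_dir}/{name}" if rel_dir else name
            digest = hashlib.sha256()
            with open(os.path.join(dirpath, name), "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            baseline[rel] = digest.hexdigest()
    return baseline


def diff_baseline(old, new):
    """Compare two hash_tree() snapshots; all lists are sorted relative paths."""
    return {
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
    }


def suspicious(changes):
    """New or altered PHP files: a dropped script or a re-edited core file lands here."""
    return sorted(p for p in changes["added"] + changes["modified"] if p.endswith(".php"))


def demo():
    """Constructed scenario: baseline a fake docroot, then simulate later changes."""
    root = tempfile.mkdtemp(prefix="drupal-fim-")

    def write(rel, body):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

    write("index.php", "<?php // constructed front controller\n")
    write("core/lib/Drupal.php", "<?php class Drupal { const VERSION = '11.3.1'; }\n")
    write("sites/default/files/logo.png", "constructed upload, not a real image\n")
    before = hash_tree(root)  # baseline taken right after patching

    # Later: an upload is replaced (expected noise), a core file is edited and a
    # PHP file appears in the upload directory (both unexpected).
    write("sites/default/files/logo.png", "replaced upload\n")
    write("core/lib/Drupal.php", "<?php class Drupal { const VERSION = '11.3.1'; } // tampered\n")
    write("sites/default/files/upload.php", "<?php // constructed: executable content in an upload dir\n")

    changes = diff_baseline(before, hash_tree(root))
    return {"changes": changes, "suspicious": suspicious(changes)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline is written to storage the web server cannot modify (a separate host or an append-only bucket), since a baseline kept in the docroot can be rewritten by whatever rewrote the docroot. The replaced logo never appears in the diff because it was never tracked, while the edited core file and the PHP file in the upload directory are both listed under `suspicious`.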

The Pre-Announcement Model

Drupal's pre-announcement approach gives administrators lead time to prepare, but it also alerts attackers that something significant is coming. This creates a race condition between defenders patching and attackers reverse-engineering fixes to develop exploits.

That race typically favors attackers against organizations with slow patch cycles. The Verizon DBIR 2026 released yesterday found that median patching time has increased to 43 days—far too slow when exploits emerge in hours.

If you run Drupal, today's patch window isn't optional. The vulnerability's severity, combined with the zero-authentication attack surface, makes this an immediate priority.

We'll update this article once Drupal publishes full technical details.
