We’ve reviewed today’s Drupal-related release and do not currently anticipate deploying WAF/CDN mitigations ("virtual patches"). Based on our assessment, overall exposure appears more limited than initial thoughts. Customers should review the security release notes to determine their potential impact and update as soon as practical: https://www.drupal.org/sa-core-2026-004.
We will continue monitoring the situation and provide updates necessary.
Posted May 20, 2026 - 19:26 UTC
Identified
Drupal has announced an upcoming highly critical Drupal core security release affecting Drupal 10 and 11 (and EOL versions 8 and 9).
Customer impact
- Prepare now: Update to the latest patch release on your current supported Drupal version ahead of time to reduce time-to-patch. - Schedule a maintenance window: May 20, 17:00 - 21:00 UTC. Customers should be prepared to apply the security update immediately once released. - EOL Drupal versions: Drupal 8.9 and 9.5 will receive patch files only (temporary mitigation). Plan an urgent upgrade to a supported version. Drupal 7 is not affected.
What we're doing
We're treating this as a priority security event and preparing WAF/CDN mitigations ("virtual patches") where possible. These may provide partial/temporary protection; applying the upstream Drupal security update remains the primary mitigation. We’ll share updates here as more information becomes available.