Critical access-bypass patched in Drupal core
A significant vulnerability (SA-CORE-2026-008) affecting Drupal 10.3–11.1. Managed clients were patched within the SLA window.
SA-CORE-2026-008 · Critical · Drupal 10.3–11.1 · Patch to 10.3.14 / 10.4.6 / 11.1.4 immediately.
On 30 May 2026, the Drupal Security Team published SA-CORE-2026-008, a critical advisory covering an unauthenticated access bypass affecting all Drupal 10.3, 10.4 and 11.1 sites. The vulnerability allows an attacker to bypass access controls and retrieve unpublished content or, under specific configurations, perform limited privilege escalation without authentication.
All managed clients on our Drupal support retainer were patched before the advisory became public, inside the Drupal Security Team's coordinated disclosure window. We monitor the private SA list and maintain patching runbooks for every supported Drupal version.
What is the vulnerability?
The flaw sits in Drupal's core access-checking logic. Under certain combinations of contributed modules and role configuration, the access result cache can be poisoned with an overly permissive value. Subsequent requests — including anonymous ones — can inherit that cached permission, bypassing intended access restrictions.
The Drupal Security Team rates this Critical (score: 20/25). Exploitability requires no authentication and no prior knowledge of the site beyond its URL. A proof-of-concept was privately shared during the disclosure window; at the time of writing it has not appeared in the wild, but we expect scanning activity to increase rapidly now the advisory is public.
Affected versions
- Drupal 10.3.x — patch to 10.3.14
- Drupal 10.4.x — patch to 10.4.6
- Drupal 11.1.x — patch to 11.1.4
- Drupal 7, 9 and 10.2 are not affected (different access pipeline)
- Drupal 10.1 and 10.2 are end-of-life and will not receive patches
What you should do right now
If you are on a WebsiteSupport.io managed Drupal retainer: nothing — you are already patched. If you manage your own Drupal instance, update immediately. Do not wait for a maintenance window; the risk of a delay outweighs any disruption from an out-of-cycle update.
- Run composer update drupal/core-recommended and verify the version
- Clear all caches after updating
- Review your site's access log for anomalous anonymous requests to node and entity endpoints
- If you cannot update immediately, disable the affected module combinations listed in the advisory as a temporary mitigation
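To verify the first step on a self-hosted site, here is a small version check added as an example (it is not part of the advisory, of Drupal's tooling, or of our runbooks). It reads the VERSION constant that Drupal core defines in core/lib/Drupal.php and compares it with the fixed releases and branch status listed in this post; the branch tables, the sample file contents and the status wording are assumptions made for the example.

```python
import re
import sys
from typing import Optional, Tuple

# Fixed releases from the SA-CORE-2026-008 summary above, keyed by minor branch.
FIXED_RELEASES = {(10, 3): (10, 3, 14), (10, 4): (10, 4, 6), (11, 1): (11, 1, 4)}
# Listed as not affected (different access pipeline): Drupal 7, 9 and 10.2.
NOT_AFFECTED_BRANCHES = {(7,), (9,), (10, 2)}
# Listed as end-of-life: no fix will be issued for these branches.
EOL_BRANCHES = {(10, 1), (10, 2)}
# Drupal core declares its version as a class constant in core/lib/Drupal.php.
VERSION_RE = re.compile(r"const\s+VERSION\s*=\s*'(\d+(?:\.\d+)+)'")
# Constructed sample of that file (assumption: a site still on 10.3.13).
SAMPLE_DRUPAL_PHP = "<?php\nclass Drupal {\n  const VERSION = '10.3.13';\n}\n"

def version_from_drupal_php(source: str) -> Optional[Tuple[int, ...]]:
    """Return \\Drupal::VERSION as an int tuple, or None for dev/unparseable strings."""
    match = VERSION_RE.search(source)
    return tuple(int(p) for p in match.group(1).split(".")) if match else None

def classify(version: Tuple[int, ...]) -> str:
    """Map an installed core version to its status under SA-CORE-2026-008."""
    minor = version[:2]
    if version[:1] in NOT_AFFECTED_BRANCHES or minor in NOT_AFFECTED_BRANCHES:
        return "not affected" + (" (branch is end-of-life)" if minor in EOL_BRANCHES else "")
    if minor in EOL_BRANCHES:
        return "end-of-life: no patch available, move to a supported branch"
    fixed = FIXED_RELEASES.get(minor)
    if fixed is None:
        return "not covered by this advisory: check drupal.org"
    if version >= fixed:  # tuple comparison handles 10.3.9 < 10.3.14 correctly
        return "patched"
    return "VULNERABLE: update to " + ".".join(map(str, fixed))

def check_file(path: str) -> str:
    """Classify the core version found in the given core/lib/Drupal.php."""
    with open(path, encoding="utf-8") as fh:
        version = version_from_drupal_php(fh.read())
    return "unparseable VERSION constant" if version is None else classify(version)

if __name__ == "__main__":
    # Usage: python check_core.py /path/to/docroot/core/lib/Drupal.php
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(check_file(target) if target else classify(version_from_drupal_php(SAMPLE_DRUPAL_PHP)))
```

Run it against each docroot you manage after composer has finished; a "patched" result is the check to record alongside the cache clear and log review.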
How we handled this for managed clients
We received advance notification through the Drupal Security Advisory programme on 27 May. By 28 May we had tested the patches across our staging infrastructure and confirmed no regressions on the most common module combinations. Patches were applied to all managed production sites on 29 May, the day before the public advisory — and well inside our Critical SLA of same-business-day patching.
Every managed client received a notification email confirming the patch was applied, the version deployed and the output of our post-patch smoke tests. No client had to take any action.
We offer a one-off emergency patching service for teams that need help applying this update quickly. Get in touch and we can usually turn this around within a few hours.