Drupal Releases Emergency Security Update

Last Updated: 02/21/2019

Security Notice Level


Drupal has released an emergency update to address a vulnerability that may allow remote code execution. The IT Security Office recommends upgrading as soon as possible if one of the following conditions is met:

  • The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or
  • the site has another web services module enabled (like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7).


  • If you are using Drupal 8.6.x, upgrade to Drupal 8.6.10.
  • If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.11.
  • Be sure to install any available security updates for contributed projects after updating Drupal core.
  • No core update is required for Drupal 7, but several Drupal 7 contributed modules do require updates. [1]

Additional Information

Drupal core - Highly critical - Remote Code Execution - SA-CORE-2019-003

Additional information about this vulnerability can be viewed at: https://www.drupal.org/sa-core-2019-003 [1]

If you have any questions, please contact the IT Service Center at 303-735-4357 (or 5-HELP from an on-campus phone) or help@colorado.edu.  IT Service Center Hours:  https://oit.colorado.edu/support/it-service-center.