The Rules Have Changed: Security in the Age of AI-Assisted Attacks
John Locke
Mon, 05/18/2026 - 19:00
Security is getting dramatically harder and more expensive. AI is simultaneously driving an explosion in vulnerability discovery and weaponizing the exploits that follow.
May 2026 Drupal for Nonprofits Chat
Join us THURSDAY, May 21 at 1pm ET / 10am PT, for our regularly scheduled call to chat about all things Drupal and nonprofits. (Convert to your local time zone.)
We don't have anything specific on the agenda this month, so we'll have plenty of time to discuss anything that's on our minds at the intersection of Drupal and nonprofits. Got something specific you want to talk about? Feel free to share ahead of time in our collaborative Google document at https://nten.org/drupal/notes!
All nonprofit Drupal devs and users, regardless of experience level, are always welcome on this call.
This free call is sponsored by NTEN.org and open to everyone.
Information on joining the meeting can be found in our collaborative Google document.
Create your own AI agents for Drupal Canvas
Build a custom AI agent in Drupal Canvas to score news article engagement and suggest readability improvements.
Upcoming highly critical release on May 20, 2026 - PSA-2026-05-18
There will be a Drupal core security release for all supported branches on May 20, 2026, between 17:00 and 21:00 UTC. (To see this in your local timezone, refer to the Drupal Core Calendar.) The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days.
The risk is currently rated as:
Highly critical 20 ∕ 25 AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon.
Not all configurations are affected. Reserve time on May 20 during the release window to determine whether your sites are affected and in need of an immediate update. Mitigation information will be included in the advisory.
We recommend updating to the latest supported patch (bugfix) release for your site's version of Drupal before May 20, so that you can address any other upgrade issues before the security window. (Recommendations for specific Drupal versions follow.)
This issue is being protected by Drupal Steward. Sites that use Drupal Steward are already protected from known attack vectors, but should upgrade in the near future in case additional attack vectors are discovered.
Affected versions
Supported core versions
Security releases will be provided for all the currently supported branches of Drupal core, which are:
- 11.3.x
- 11.2.x
- 10.6.x
- 10.5.x
Sites on one of these supported versions should update to the latest patch release for the given branch now in preparation for the security window.
Talking Drupal #553 - Saving The Open Web
Today we are talking about the Open Web, what it means, and why it's important, with guest Alex Moreno. We'll also cover AI Schema.org JSON-LD as our module of the week.
For show notes visit: https://www.talkingDrupal.com/553
A Structural Shift in Drupal Funding
Among last week’s more closely watched Drupal business developments was a new initiative from Acquia that directs 2% of eligible partner-driven transactions to the Drupal Association. The contribution is built into Acquia’s updated partner programme and funded by the company itself, meaning partner incentives and customer pricing remain unchanged.
What drew attention across the community was not simply the contribution percentage, but the way the programme has been structured. Drupal funding conversations have often returned to the same pressure points around sponsorship cycles, institutional support, and long-term maintenance responsibilities. Acquia’s framing moves that discussion toward routine commercial activity rather than a separate community-facing commitment.
Both James Sims and Dries Buytaert described the initiative in terms of continuity and alignment rather than philanthropy. Their comments pointed to the same underlying argument: if commercial Drupal activity continues to scale, support structures around the project may also need models that scale more predictably alongside it.
Whether similar approaches emerge elsewhere remains uncertain. For years, much of Drupal’s organisational support has depended on periodic sponsorships and voluntary reinvestment. Acquia’s model, in contrast, ties funding directly to ongoing commercial activity, introducing a level of predictability that community funding discussions have often lacked.
Ten Technical Areas Shaping Enterprise Drupal Workflows in 2026
The Architecture That Changed the Game: Modeler API
Jürgen Haas
Mon 18 May 2026 - 12:10
The Modeler API completes the architectural separation between model owners (systems like ECA and Migrate) and modelers (visual UIs like BPMN.iO and Workflow Modeler). Module maintainers can now offer visual configuration without building custom UIs. The API automatically provides routing, permissions, save orchestration, import/export, testing, and Drush commands. This is infrastructure that compounds: 4 model owners × 3 modelers = 12 working combinations with zero glue code. Each new model owner makes every modeler more valuable, and vice versa. Designed at DrupalCon Atlanta in early 2025 and developed in the following months, the Modeler API positions Drupal ahead of competitors with architecture for visual configuration of any complex system.
Watch: DDEV From Scratch with macOS

TL;DR This 30-minute video shows DDEV from zero to everything on a completely blank new MacBook Neo (exactly the same on any macOS device.)
Using Windows or Linux? See DDEV on Windows in 10 Minutes, DDEV on WSL2 from Scratch, or DDEV on Linux in 10 Minutes.
DDEV is a local development environment based on Docker containers that gets you up and working on your project fast. When you’re ready for additional configuration and customization, you won’t be starting from scratch and can lean on the expertise of the DDEV community.
In this screencast we walk through installing Homebrew, setting up OrbStack as a Docker provider, installing DDEV, and getting started with a basic project — all on a brand-new MacBook Neo with only 8GB of RAM. We use a Composer-managed Drupal 11 project as an example, and also cover setting up Xdebug with both PhpStorm and VS Code. The presentation slides are also available.
The gap between Drupal and its reputation
I saw two thoughtful posts in my LinkedIn feed over the last week that I wanted to reshare here before the LinkedIn feed buried them. Both were spot on, honest, and deserve a longer shelf life.
The first was from Hynek Naceradsky:
I'm pissed.
Not at Drupal. At the people confidently hating on it without ever having understood what it actually does.
"Drupal is outdated." "Drupal is too complex." "Nobody uses Drupal anymore."
Tell that to the EU institutions, governments, universities, and enterprises quietly running mission-critical platforms on it.
Here is what actually gets me though: the Drupal community lets this narrative win.
I am guilty of this too.
We literally have thousands of contributed modules, maintained for free, by people who owe you absolutely nothing. The security team responds faster than most paid vendors. The community has been showing up for 20+ years.
And yet we're somehow losing the PR war to frameworks that can't handle a proper content workflow without three paid plugins and a prayer.
Drupal people: talk louder. Write the posts. Go to the meetups. Tell the stories, fight for Drupal.
Because the Drupal community is honestly the best thing in Open Source, and both it and Drupal deserve way better than silence.
The second was from Thomas Scola, writing from a Drupal AI event in New York (lightly trimmed):
How Drupal is keeping pace with a changing digital market in 2026
I recently gave a talk at DrupalSouth Wellington 2026 covering something a lot of us in the Drupal community have been wrestling with: has the past couple of years been a market correction or something more fundamental? And more importantly - how can Drupal remain competitive in a CMS market that's changing quickly?
by Owen Lansbury / 17 May 2026
The downturn was real - and it was a global phenomenon
When I last spoke at DrupalCon Singapore I was very confident about PreviousNext's position after 15 years of stability. What followed was our business contracting through 2025 as clients reduced budgets, so it’s been a tough couple of years for many digital agencies.
But here's what gave me some comfort: we're not alone. Global digital holding companies like WPP, Publicis Groupe have seen their businesses shrink by around 30% and their share prices have seen corresponding falls. These aren't small Drupal shops. They employ thousands of developers across dozens of countries. The downturn has been a global phenomenon.
The single biggest reason is now clear. During COVID, organisations pulled forward years of digital transformation budgets to move services online quickly. By 2025, that spend had run dry. Enterprise marketing budgets generally halved and new projects froze. The good news, as of early 2026, is that the freeze is starting to thaw - projects that were put on hold still need to be completed.
Bots, scrapers, and proxies: defending Drupal sites in an automated internet
Over half of all web traffic in 2024 was automated. That is the headline number from the Imperva 2025 Bad Bot Report, and it is the first time bots have outnumbered humans in more than a decade. Drupal sites sit squarely in that traffic mix, and the old defensive playbook — block an IP, ban a user agent, drop a robots.txt entry, lean on Fail2ban — does not hold up anymore.
This is the companion post to my DrupalSouth Wellington 2026 talk, Bots, scrapers, and proxies: defending Drupal sites in an automated internet. The talk walked through the defences I actually use at amazee.io and recommend on client sites. The post covers the same ground, with a bit more room to show config and link out to the projects.
What actually changed
The technical context underneath bot defence has shifted in three ways that matter:
MidCamp 2027 Dates Are Official: Save the Date for April 27-29, 2027
Mark your calendars. MidCamp is returning April 27-29, 2027!
We are excited to officially announce the dates for the next MidCamp, the Midwest's community-driven event for designers, developers, strategists, content creators, marketers, project managers, and open source enthusiasts.
After another incredible year of learning, collaboration, and community, we are already looking ahead to what comes next. And yes, as announced during closing remarks, MidCamp will be returning to DePaul next year just in time for Norah Schrum's birthday, which feels like the perfect excuse to gather this community again. MidCamp 2027 will once again bring together people from across Chicago, the Midwest, and beyond for several days of connection, practical learning, hallway conversations, contribution, and the kind of idea-sharing that keeps open source communities thriving.
Whether you are a longtime MidCamp regular or considering your first trip, MidCamp is built to be welcoming, approachable, and full of opportunities to learn from one another.
What to expect as planning gets underway:
Apex AI 2.0 Expands Drupal AI Integration With Multi-Provider Orchestration
Acquia builds Drupal funding into its partner program
Today Acquia announced something I'm really proud of. We're calling it the Acquia Fair Trade Initiative.
When an Acquia partner closes a deal, 2% of that deal flows directly to the Drupal Association, credited in the partner's name, to fund Drupal's infrastructure and long-term growth.
Imagine an Acquia partner closes a $100,000 Drupal deal with Acquia. $2,000 goes to the Drupal Association, attributed to that partner. The 2% comes from Acquia, not from partner margins, so the partner keeps their full revenue and incentives.
The donation is publicly attributed in the Acquia Partner Portal and counts toward the partner's standing in the Drupal Association's Certified Partner Program. It is recognized as financial support for the Drupal Association, separate from non-financial contributions like code, case studies, or community participation.
Most of all, I like that this program is structural. It is not a one-time gift or sponsorship campaign. It is built into the economics of Acquia's partner program, so Drupal's funding grows automatically as Acquia and its partners grow.
Too often, funding for Open Source projects depends on periodic fundraising or individual goodwill. That can work, but it rarely scales in a predictable way.
Drupal Community Invited to Participate in The DropTimes Townhall Discussions
Drupal AI Summit NYC Opens Today With Focus on Enterprise AI and Open Source Governance
Drupal Camp Braga - Drupal the rails of the high value AI powered open web
Drupal Community Mourns the Loss of Alanna Burke
The Future of Drupal Is Collaborative: How the Drupal AI Initiative Is Redefining Open Source Marketing
Discover how the Drupal AI Initiative is revolutionizing open-source marketing. Learn how 31 companies and a global team of specialists are scaling Drupal’s AI roadmap and driving enterprise adoption through radical collaboration.