Drupal 6, 7 and 8 Patches Address Highly Critical Security Vulnerability

February 20, 2019 13:00 PT

Drupal has released security updates for 8.5.x and 8.6.x, along with updates to some contributed modules for 7.x/8.x, to fix a highly critical security vulnerability. At least one Drupal 6.x contributed module patch is also available.

A site is only affected by this if one of the following conditions is met:

  • The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or
  • The site has another web services module enabled (like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7).
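
One way to check an exported Drupal 8 configuration against the two conditions above (an added example, not part of the original advisory or of Drupal's own tooling). It assumes the YAML layout of a Drupal 8 configuration export (core.extension.yml and rest.resource.*.yml) and the machine names rest and jsonapi; the function names are hypothetical, and Drupal 7 sites and other contributed web services modules are not covered.

```sh
#!/bin/sh
# Triage an exported Drupal 8 configuration directory against the two conditions.
# Assumptions: config-export YAML layout; "rest" and "jsonapi" machine names.
# Other contributed web services modules are not checked here.

# Succeeds if module $2 appears under the top-level "module:" key.
module_enabled() {
    [ -f "$1/core.extension.yml" ] || return 1
    awk -v m="$2" '
        /^[^ ]/ { in_mod = ($1 == "module:") }
        in_mod && $1 == (m ":") { found = 1 }
        END { exit !found }' "$1/core.extension.yml"
}

# Prints enabled REST resource config files that accept PATCH or POST.
write_resources() {
    for f in "$1"/rest.resource.*.yml; do
        [ -f "$f" ] || continue
        grep -q '^status: true' "$f" || continue
        # Covers "- POST" list items and "POST:" mapping keys.
        if grep -Eq '^ +(- )?(POST|PATCH):?$' "$f"; then basename "$f"; fi
    done
    return 0
}

# Prints a verdict; returns 0 when either condition matches.
check_site() {
    if module_enabled "$1" jsonapi; then
        echo "affected: jsonapi enabled"; return 0
    fi
    if module_enabled "$1" rest; then
        hits=$(write_resources "$1")
        if [ -n "$hits" ]; then
            echo "affected: rest allows PATCH/POST in: $hits"; return 0
        fi
    fi
    echo "no match for rest or jsonapi conditions"; return 1
}

# Writes a constructed (not real) export into directory $1.
make_sample() {
    printf 'module:\n  node: 0\n  rest: 0\ntheme:\n  bartik: 0\n' > "$1/core.extension.yml"
    printf 'status: true\nconfiguration:\n  methods:\n    - GET\n    - PATCH\n' \
        > "$1/rest.resource.entity.node.yml"
}

# Use the directory given as $1, else demonstrate on the constructed sample.
if [ -n "${1:-}" ]; then check_site "$1" || true
else d=$(mktemp -d); make_sample "$d"; check_site "$d"; rm -rf "$d"; fi
```

A "no match" result only means neither checked condition was found in the export; it does not replace applying the updates.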

If you are the owner or administrator of an affected Drupal website, please implement these updates immediately. If you cannot patch your affected site, it is recommended that you take it offline and contact security@ubc.ca for assistance.

Security Risk: Highly Critical


Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.

Drupal websites hosted by UBC IT Web Services

If your Drupal website is hosted by UBC IT Web Services, patches for affected systems running Drupal 8 and Drupal 7 are currently being applied and should be completed by 2:30pm today.

Drupal websites hosted on UBC IT Shared Web Hosting

If your Drupal website is hosted on UBC IT Shared Web Hosting, you are responsible for patching your Drupal install.

Additional Information


If you have any questions or require any assistance to patch or secure your sites, please email security@ubc.ca.