Drupal 2026.1 Release Notes
Overview
Drupal 2026.1 is a scheduled platform release focusing on performance, security hardening, editorial usability, and developer experience. This document summarizes notable changes, upgrade guidance, and any known considerations to ensure a smooth rollout.
Release Highlights
- Security hardening across authentication, caching, and input sanitization
- Performance improvements for render cache and entity queries
- Editorial enhancements in Media, Layout Builder, and CKEditor 5
- Developer experience updates: Composer constraints, PHP compatibility, and configuration reliability
What’s New
Security and Compliance
- Hardened session cookie attributes to enforce Secure, HttpOnly, and SameSite=Lax by default
- Refined input sanitization in text formats
- CSRF token validation is now logged at a higher granularity for security audit trails
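A post-upgrade check for the session cookie defaults listed above, as an added example that is not part of the release or the project's code: it audits Set-Cookie header values for Secure, HttpOnly, and SameSite. The sample headers are constructed, and both the SESS/SSESS name prefix used to pick out session cookies and the acceptance of SameSite=Strict are assumptions to adjust for your site.

```python
# Added example: audit Set-Cookie values for the attributes this release enforces.
REQUIRED_FLAGS = ("secure", "httponly")
ACCEPTED_SAMESITE = {"lax", "strict"}  # assumption: Strict also meets the Lax baseline


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing or doubled ';'
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_cookie(header_value):
    """Return findings for one Set-Cookie value; an empty list means compliant."""
    name, attrs = parse_set_cookie(header_value)
    findings = [f"{name}: missing {flag}" for flag in REQUIRED_FLAGS if flag not in attrs]
    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append(f"{name}: missing samesite")
    elif samesite.lower() not in ACCEPTED_SAMESITE:
        findings.append(f"{name}: samesite={samesite}")
    return findings


def audit_response(set_cookie_values, session_prefixes=("SESS", "SSESS")):
    """Audit only session cookies; the name prefixes are an assumption."""
    findings = []
    for value in set_cookie_values:
        name, _ = parse_set_cookie(value)
        if name.startswith(session_prefixes):
            findings.extend(audit_cookie(value))
    return findings


# Constructed sample headers, not captured from a real site.
SAMPLE = [
    "SSESSabc123=v1; path=/; secure; HttpOnly; SameSite=Lax",
    "SESSdef456=v2; path=/; HttpOnly; SameSite=None",
    "theme=dark; path=/",
]

if __name__ == "__main__":
    for finding in audit_response(SAMPLE):
        print(finding)
```

Feed it the Set-Cookie values from a login response on each environment; any output line is a cookie that does not meet the new defaults, often because a reverse proxy or site-level override rewrites the header.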
Performance
- Render cache hit-rate increases via more granular cache contexts on authenticated routes
- Entity query optimizations reduce query time on high-cardinality fields
- BigPipe tuning for faster perceived load on content-heavy pages
- Aggregate and minify pipeline updated for better CDN cacheability
Fixed Issues
The following representative issues were addressed in Drupal 2026.1. Project-specific trackers may include additional items.
- Resolved cache invalidation edge cases when updating taxonomy terms referenced in multiple view modes
- Fixed double-encoding in JSON:API responses for deeply nested entity references
- Corrected access checks for revision previews in custom workflows
- Eliminated duplicate cron queue runners on multi-instance deployments
- Addressed PHP 8.3 deprecation warnings in the contributed modules shim layer
