Pantheon release notes

Drupal has released a highly critical security update (CVSS 20/25) for Drupal core addressing SA-CORE-2026-004 (CVE-2026-9082). The vulnerability is a SQL injection flaw in Drupal's database abstraction API that only affects sites running on PostgreSQL. Drupal 7 is not affected.

No action is required to protect your Pantheon-hosted sites. Pantheon does not use PostgreSQL, so this vulnerability does not apply to sites hosted on Pantheon. Additionally, as a founding Platform Partner of the Drupal Steward program, Pantheon worked with the Drupal Security Team to implement platform-level mitigations prior to public disclosure.

Recommended update

We still recommend updating to the latest Drupal core patch release to keep your codebase aligned with upstream supported branches.

Patched releases for supported branches:

• Drupal 11.3.10 and 11.2.12
• Drupal 10.6.9 and 10.5.10

Emergency patches are also available for end-of-life branches 11.1.x, 10.4.x, 9.5.x, and 8.9.x — see the security advisory for details.

To apply the update, use one-click core updates in the Pantheon dashboard.

Today Pantheon announces a removal schedule for Solr 3 on February 9, 2027 and Solr 8 on July 11, 2027. Solr 9 will reach General Availability on June 30, 2026 ahead of these removals.

After a Solr version is removed from the platform, sites using that version will no longer be able to index content or return search results. Views, blocks, or other components that rely on Solr-powered search indexes may return no results or throw errors.

Solr 9 - General Availability: June 30, 2026

Solr 9 has been available as a Beta for Drupal 10 and 11 sites through search_api_pantheon version 8.5.0-beta1. Solr 9 Beta for Drupal 7 is now available as of May 12, 2026.

General Availability for Solr 9 is targeted for June 30, 2026.

Solr 3 - Removal: February 9, 2027

Solr 3 will be removed from the Pantheon platform on February 9, 2027. Solr 3 is a legacy search version that no longer receives security updates.

Previous milestones:

• Solr 3 support for Drupal 9.4+ ended December 9, 2025
• WordPress Solr support ends January 11, 2027

Drupal 7 sites still using Solr 3 must migrate to Solr 9 before this date. See the Solr for Drupal 7 guide for upgrade steps. WordPress sites should migrate to Elasticsearch or another supported search solution before January 11, 2027.

Solr 8 - Removal: July 11, 2027

Solr 8 (8.11.4) will be removed from the platform on July 11, 2027. Solr 9 supersedes Solr 8 with improved security defaults and other enhancements. Drupal 10 and 11 sites currently running Solr 8 should migrate to Solr 9 before this date. Upgrade instructions are available in the Solr 9 Beta announcement.

Action required

• Drupal:

  • Solr 3 sites: Migrate to Solr 9 before February 9, 2027.
  • Solr 8 sites: Migrate to Solr 9 before July 11, 2027.

  For guidance on upgrading, see Drupal Solr.

• WordPress:

  • Migrate to Elasticsearch before January 11, 2027.

PHP versions 8.2.31, 8.3.31, 8.4.21, and 8.5.6 are now available on the platform. These updates include important security fixes, along with bug fixes and enhancements that improve performance and stability. Updates will be applied automatically over the next few days, so no manual action is required.

As noted in our June 2025 release note, Drush 5 and 7 are no longer available on Pantheon, and pantheon.yml files retaining these retired values would eventually cause a git push to be rejected. That enforcement is now in effect.

Pantheon now rejects git push when drush_version is set to 5 or 7 in pantheon.yml. The supported values are 8, 9, and 10.

Validation runs whenever pantheon.yml changes are detected on push, including reverts. Sites with drush_version: 5 or 7 already committed are unaffected until the file is modified. A git revert or git reset that touches pantheon.yml will also trigger validation and be rejected if the retired values are present.

Action required

Customers with sites configured for Drush 5 or 7 should upgrade the Drush version in pantheon.yml to at least Drush 8:

Sites created with custom upstreams using these versions may also encounter errors on site creation or upstream updates if drush_version is still set to 5 or 7.

The latest version of WordPress, 6.9.4, is available on Pantheon as of today, March 11th, 2026.

This is a security release that addresses incomplete security fixes from the previous 6.9.2 and 6.9.3 releases. Three security vulnerabilities are fixed in this version:

• A PclZip path traversal issue
• An authorization bypass on the Notes feature
• An XXE (XML External Entity) vulnerability in the external getID3 library

Action required

Upgrade to WordPress 6.9.4 right from your Pantheon dashboard or Terminus to access the latest features, fixes, and security enhancements. See related documentation for how to apply core updates.

The latest version of WordPress, 6.9.3, is available on Pantheon as of yesterday, March 10th, 2026.

This version is an immediate follow up with fixes for bugs introduced in 6.9.2, which is a security release.

Action required

Upgrade to WordPress 6.9.3 right from your Pantheon dashboard or Terminus to access the latest features, fixes, and security enhancements. See related documentation for how to apply core updates.

Pantheon is announcing a PHP version removal schedule. The following PHP versions will be removed from the platform on September 30, 2026:

• PHP 5.6
• PHP 7.0
• PHP 7.1
• PHP 7.2 (End of Sale: May 1, 2026)
• PHP 7.3 (End of Sale: May 1, 2026)
• PHP 8.0 (End of Sale: May 1, 2026)

PHP 5.6, 7.0, and 7.1 are already end-of-sale. PHP 7.2, 7.3, and 8.0 will reach end-of-sale on May 1, 2026, meaning no new sites can be created with these versions after that date.

Additionally, PHP 8.1 will reach end-of-sale on September 30, 2026, with a removal date to be announced at least 9 months in advance.

What happens when a PHP version is removed?

Sites still running a removed PHP version will be automatically upgraded to the oldest available PHP version at the time of removal. If your site's software has not been updated for compatibility, this may result in broken functionality.

What to expect going forward

Pantheon will guarantee at least 9 months of advance notice before removing any PHP version from the platform. Refer to the PHP version lifecycle table for the latest schedule.

Action required

If your site is running PHP 5.6, 7.0, 7.1, 7.2, 7.3, or 8.0, upgrade to a recommended PHP version before September 30, 2026 to avoid disruption. We recommend PHP 8.3 or 8.4 for all production sites.

For guidance on upgrading, refer to Upgrade PHP Versions.

Teams using Pantheon's Secrets Manager to set variables like API tokens can now do so through the site dashboard. Previously this feature only had a command line user interface through a Terminus plugin. Secrets Manager works with WordPress, Drupal, and Next.js sites hosted on Pantheon. It does not work with the sunsetting Front-End Sites product.

Secrets Managers encrypts values at rest and then makes them available to your application's code as it runs. Secrets Manager is suitable for setting variables that are truly sensitive like a password, token, or key that allows Next.js to read from a back-end CMS as well as variables that might not be sensitive like a Google Tag Manager ID.

What's new?

• Create new site-owned secrets from the site dashboard
• Create new site-owned secrets in bulk from the site dashboard by either:
  • manually adding multiple keys at once of the same type and scope
  • or importing secrets from .env files (e.g., Next.js sites)
• Manage existing site-owned secrets from the site dashboard:
  • Edit default secret value and/or secret scope
  • Add/edit/delete environment overrides

For details, see related documentation.