Pantheon release notes

Drupal has released a highly critical security update (CVSS 20/25) for Drupal core addressing SA-CORE-2026-004 (CVE-2026-9082). The vulnerability is a SQL injection flaw in Drupal's database abstraction API that only affects sites running on PostgreSQL. Drupal 7 is not affected.

No action is required to protect your Pantheon-hosted sites. Pantheon does not use PostgreSQL, so this vulnerability does not apply to sites hosted on Pantheon. Additionally, as a founding Platform Partner of the Drupal Steward program, Pantheon worked with the Drupal Security Team to implement platform-level mitigations prior to public disclosure.

Recommended update

We still recommend updating to the latest Drupal core patch release to keep your codebase aligned with upstream supported branches.

Patched releases for supported branches:

• Drupal 11.3.10 and 11.2.12
• Drupal 10.6.9 and 10.5.10

Emergency patches are also available for end-of-life branches 11.1.x, 10.4.x, 9.5.x, and 8.9.x — see the security advisory for details.

To apply the update, use one-click core updates in the Pantheon dashboard.

Terminus 4.2.2 is now available. This release adds object cache and search visibility to site:info, upstream fields to site listing commands, and Node.js dependency update support.

Key improvements in this release

• Object Cache and Search status in site:info: site:info now shows whether Object Cache (Redis) is enabled and which search index (Elasticsearch, Solr, or both) is active (#2812)
• Upstream fields in site:list: site:list and org:site:list now support upstream and upstream_label as optional --fields values (#2835)
• Node.js dependency updates: upstream:updates commands now support Node.js sites for dependency management (#2828)
• EVCS site creation validation: Site creation for EVCS sites now uses server-side repo name validation for more accurate error messages (#2831)
• PHP 8.2 fix: Resolved deprecation warnings for dynamic property creation in the Site model (#2813)

How to upgrade to Terminus 4.2.2

If you use Homebrew (macOS-only) to manage your Terminus installation, you should upgrade using:

If you installed Terminus directly from the .phar file, you should upgrade using the self:update command:

For more information about this release, visit the GitHub release page.

If you have questions or concerns around Terminus, please use the Terminus issue queue.

We've made it easier to auto-instrument New Relic Browser Agent monitoring on Drupal 10.2+ sites.

Starting in Drupal 10.2, strict Content-Length headers were introduced that broke New Relic's standard Browser Agent auto-injection. You can now re-enable browser monitoring with a single pantheon.yml setting, and Pantheon's platform will handle the injection automatically. Changes take effect within a few minutes.

WordPress sites and Drupal versions prior to 10.2 are unaffected. Browser Agent auto-instrumentation continues to work out of the box for those frameworks.

For full details, visit our documentation page on New Relic.

Setting tika_version: 1 in pantheon.yml is now rejected at validation time. Sites with this setting will receive a validation error on their next commit:

Tika 1.18 and 1.21 were removed from the platform on April 28, 2026. Since that date, tika_version: 1 was silently ignored and sites automatically used Tika 3. This change formalizes the rejection so that sites receive a clear error instead of a silent fallback.

Action Required

Update your pantheon.yml to use a supported value:

Or remove the tika_version setting entirely if your site does not use Tika. To explicitly disable Tika, set tika_version: none.

For Tika 3 configuration details, including how to disable OCR, see External Libraries: Apache Tika.

Today Pantheon announces a removal schedule for Solr 3 on February 9, 2027 and Solr 8 on July 11, 2027. Solr 9 will reach General Availability on June 30, 2026 ahead of these removals.

After a Solr version is removed from the platform, sites using that version will no longer be able to index content or return search results. Views, blocks, or other components that rely on Solr-powered search indexes may return no results or throw errors.

Solr 9 - General Availability: June 30, 2026

Solr 9 has been available as a Beta for Drupal 10 and 11 sites through search_api_pantheon version 8.5.0-beta1. Solr 9 Beta for Drupal 7 is now available as of May 12, 2026.

General Availability for Solr 9 is targeted for June 30, 2026.

Solr 3 - Removal: February 9, 2027

Solr 3 will be removed from the Pantheon platform on February 9, 2027. Solr 3 is a legacy search version that no longer receives security updates.

Previous milestones:

• Solr 3 support for Drupal 9.4+ ended December 9, 2025
• WordPress Solr support ends January 11, 2027

Drupal 7 sites still using Solr 3 must migrate to Solr 9 before this date. See the Solr for Drupal 7 guide for upgrade steps. WordPress sites should migrate to Elasticsearch or another supported search solution before January 11, 2027.

Solr 8 - Removal: July 11, 2027

Solr 8 (8.11.4) will be removed from the platform on July 11, 2027. Solr 9 supersedes Solr 8 with improved security defaults and other enhancements. Drupal 10 and 11 sites currently running Solr 8 should migrate to Solr 9 before this date. Upgrade instructions are available in the Solr 9 Beta announcement.

Action required

• Drupal:

  • Solr 3 sites: Migrate to Solr 9 before February 9, 2027.
  • Solr 8 sites: Migrate to Solr 9 before July 11, 2027.

  For guidance on upgrading, see Drupal Solr.

• WordPress:

  • Migrate to Elasticsearch before January 11, 2027.

Pantheon Search with Apache Solr 9.10.0 support for Drupal 7 is available as a beta release for testing on Multidev environments. Do not deploy Solr 9 changes to Dev, Test, or Live. At GA, the updated module will be available as a one-click upstream update.

This extends the Solr 9 beta support previously announced for Drupal 10 and 11.

For setup instructions, required module versions, upgrading from Solr 3, and custom config details, see Using Solr on Drupal 7.

What about Solr 3?

Solr 3 remains supported for Drupal 7 sites during the Beta period. Solr 3 will be removed on February 9, 2027. Sites using Solr 3 should plan to upgrade to Solr 9.

Solr 3 is no longer supported for Drupal 9.4+ as of December 9, 2025. Those sites must use Solr 8 or above.

PHP versions 8.2.31, 8.3.31, 8.4.21, and 8.5.6 are now available on the platform. These updates include important security fixes, along with bug fixes and enhancements that improve performance and stability. Updates will be applied automatically over the next few days, so no manual action is required.

PHP 7.2, 7.3, and 8.0 have reached End of Sale on the Pantheon platform. New sites can no longer be created using these PHP versions.

This was previously announced in the PHP version removal schedule published March 11, 2026.

These versions, along with PHP 5.6, 7.0, and 7.1, are scheduled for removal on September 30, 2026. Sites still running a removed PHP version will be automatically upgraded to the oldest available PHP version at the time of removal.

Action required

If your site is running PHP 7.2, 7.3, or 8.0, upgrade to a recommended PHP version before September 30, 2026 to avoid disruption. Pantheon recommends PHP 8.3 or 8.4 for all production sites.

For guidance on upgrading, refer to Upgrade PHP Versions.

Sites created with custom upstreams that specify an end-of-sale PHP version may also experience unexpected behavior upon site creation.