Pantheon release notes

Pantheon will shut down infrastructure running our Front-End Sites offering on October 1st, 2026.

Our intention to replace the Front-End Sites was included in the Beta announcement of newer support for Next.js. As our support for Next.js reached General Availability, Pantheon staff began direct outreach to customers using Front-End Sites.

Please reach out to your Customer Success Manager if you would like assistance moving your site. Or, if you prefer to migrate on your own, you can do so with these steps.

Pantheon has released version 2.3.2 of the WP SAML Auth WordPress plugin. This security update fixes vulnerabilities in the robrichards/xmlseclibs and onelogin/php-saml dependencies. For more information, see the plugin release notes for details.

Update to 2.3.2 from the WordPress dashboard under Plugins > Installed Plugins, or download it from the WordPress Plugin Repository.

The latest version of WordPress, 7.0 (Armstrong), is available on Pantheon as of May 20, 2026.

Action required

Upgrade to WordPress 7.0 right from your Pantheon dashboard or Terminus to access the latest features, fixes, and security enhancements. See related documentation for how to apply core updates.

Highlights

• AI integration — A new provider-agnostic AI Client and Abilities API let WordPress communicate with generative AI models (Anthropic, Google, OpenAI, or custom), managed from a central Connectors screen in the dashboard.
• Modernized admin dashboard — A refreshed color scheme, smooth view transitions between screens, and a new Cmd+K / Ctrl+K command palette shortcut accessible from anywhere in the admin.
• New blocks — Breadcrumbs, Icon, and an enhanced Heading block join the editor, along with lightbox slideshow support in the Gallery block and video backgrounds in Cover blocks.
• Block-level custom CSS and responsive visibility — Apply custom CSS to individual blocks and show or hide blocks by device type for more granular design control.
• Font Library — A dedicated font management page for uploading, installing, and managing fonts across block, hybrid, and classic themes.
• PHP-only block registration — Create blocks entirely server-side without JavaScript, auto-registered with the block API.
• ...and more

For full details about WordPress 7.0, see the release notes or the WordPress 7.0 Field Guide.

Drupal has released a highly critical security update (CVSS 20/25) for Drupal core addressing SA-CORE-2026-004 (CVE-2026-9082). The vulnerability is a SQL injection flaw in Drupal's database abstraction API that only affects sites running on PostgreSQL. Drupal 7 is not affected.

No action is required to protect your Pantheon-hosted sites. Pantheon does not use PostgreSQL, so this vulnerability does not apply to sites hosted on Pantheon. Additionally, as a founding Platform Partner of the Drupal Steward program, Pantheon worked with the Drupal Security Team to implement platform-level mitigations prior to public disclosure.

Recommended update

We still recommend updating to the latest Drupal core patch release to keep your codebase aligned with upstream supported branches.

Patched releases for supported branches:

• Drupal 11.3.10 and 11.2.12
• Drupal 10.6.9 and 10.5.10

Emergency patches are also available for end-of-life branches 11.1.x, 10.4.x, 9.5.x, and 8.9.x — see the security advisory for details.

To apply the update, use one-click core updates in the Pantheon dashboard.

Setting tika_version: 1 in pantheon.yml is now rejected at validation time. Sites with this setting will receive a validation error on their next commit:

Tika 1.18 and 1.21 were removed from the platform on April 28, 2026. Since that date, tika_version: 1 was silently ignored and sites automatically used Tika 3. This change formalizes the rejection so that sites receive a clear error instead of a silent fallback.

Action Required

Update your pantheon.yml to use a supported value:

Or remove the tika_version setting entirely if your site does not use Tika. To explicitly disable Tika, set tika_version: none.

For Tika 3 configuration details, including how to disable OCR, see External Libraries: Apache Tika.

Today Pantheon announces a removal schedule for Solr 3 on February 9, 2027 and Solr 8 on July 11, 2027. Solr 9 will reach General Availability on June 30, 2026 ahead of these removals.

After a Solr version is removed from the platform, sites using that version will no longer be able to index content or return search results. Views, blocks, or other components that rely on Solr-powered search indexes may return no results or throw errors.

Solr 9 - General Availability: June 30, 2026

Solr 9 has been available as a Beta for Drupal 10 and 11 sites through search_api_pantheon version 8.5.0-beta1. Solr 9 Beta for Drupal 7 is now available as of May 12, 2026.

General Availability for Solr 9 is targeted for June 30, 2026.

Solr 3 - Removal: February 9, 2027

Solr 3 will be removed from the Pantheon platform on February 9, 2027. Solr 3 is a legacy search version that no longer receives security updates.

Previous milestones:

• Solr 3 support for Drupal 9.4+ ended December 9, 2025
• WordPress Solr support ends January 11, 2027

Drupal 7 sites still using Solr 3 must migrate to Solr 9 before this date. See the Solr for Drupal 7 guide for upgrade steps. WordPress sites should migrate to Elasticsearch or another supported search solution before January 11, 2027.

Solr 8 - Removal: July 11, 2027

Solr 8 (8.11.4) will be removed from the platform on July 11, 2027. Solr 9 supersedes Solr 8 with improved security defaults and other enhancements. Drupal 10 and 11 sites currently running Solr 8 should migrate to Solr 9 before this date. Upgrade instructions are available in the Solr 9 Beta announcement.

Action required

• Drupal:

  • Solr 3 sites: Migrate to Solr 9 before February 9, 2027.
  • Solr 8 sites: Migrate to Solr 9 before July 11, 2027.

  For guidance on upgrading, see Drupal Solr.

• WordPress:

  • Migrate to Elasticsearch before January 11, 2027.

PHP 7.2, 7.3, and 8.0 have reached End of Sale on the Pantheon platform. New sites can no longer be created using these PHP versions.

This was previously announced in the PHP version removal schedule published March 11, 2026.

These versions, along with PHP 5.6, 7.0, and 7.1, are scheduled for removal on September 30, 2026. Sites still running a removed PHP version will be automatically upgraded to the oldest available PHP version at the time of removal.

Action required

If your site is running PHP 7.2, 7.3, or 8.0, upgrade to a recommended PHP version before September 30, 2026 to avoid disruption. Pantheon recommends PHP 8.3 or 8.4 for all production sites.

For guidance on upgrading, refer to Upgrade PHP Versions.

Sites created with custom upstreams that specify an end-of-sale PHP version may also experience unexpected behavior upon site creation.

As previously announced, Tika 1.18 and 1.21 have been removed from the Pantheon platform. All sites now run Tika 3 regardless of the tika_version setting in pantheon.yml.

Action Required

• If you have not already done so, remove tika_version: 1 from your pantheon.yml before May 12, 2026.
  • Any tika_version: 1 entries will be ignored until May 12, 2026, at which point they will be rejected and prevent deployments.
• Update the used Tika 1.x path to Tika 3, for details see related documentation.
  • Existing Tika 1.x file paths will continue to symlink to the new Tika 3 location for the time being, but these symlinks will be removed at a later date.