Pantheon release notes

Drupal has released a highly critical security update (CVSS 20/25) for Drupal core addressing SA-CORE-2026-004 (CVE-2026-9082). The vulnerability is a SQL injection flaw in Drupal's database abstraction API that only affects sites running on PostgreSQL. Drupal 7 is not affected.

No action is required to protect your Pantheon-hosted sites. Pantheon does not use PostgreSQL, so this vulnerability does not apply to sites hosted on Pantheon. Additionally, as a founding Platform Partner of the Drupal Steward program, Pantheon worked with the Drupal Security Team to implement platform-level mitigations prior to public disclosure.

Recommended update

We still recommend updating to the latest Drupal core patch release to keep your codebase aligned with upstream supported branches.

Patched releases for supported branches:

• Drupal 11.3.10 and 11.2.12
• Drupal 10.6.9 and 10.5.10

Emergency patches are also available for end-of-life branches 11.1.x, 10.4.x, 9.5.x, and 8.9.x — see the security advisory for details.

To apply the update, use one-click core updates in the Pantheon dashboard.

We've made it easier to auto-instrument New Relic Browser Agent monitoring on Drupal 10.2+ sites.

Starting in Drupal 10.2, strict Content-Length headers were introduced that broke New Relic's standard Browser Agent auto-injection. You can now re-enable browser monitoring with a single pantheon.yml setting, and Pantheon's platform will handle the injection automatically. Changes take effect within a few minutes.

WordPress sites and Drupal versions prior to 10.2 are unaffected. Browser Agent auto-instrumentation continues to work out of the box for those frameworks.

For full details, visit our documentation page on New Relic.

Setting tika_version: 1 in pantheon.yml is now rejected at validation time. Sites with this setting will receive a validation error on their next commit:

Tika 1.18 and 1.21 were removed from the platform on April 28, 2026. Since that date, tika_version: 1 was silently ignored and sites automatically used Tika 3. This change formalizes the rejection so that sites receive a clear error instead of a silent fallback.

Action Required

Update your pantheon.yml to use a supported value:

Or remove the tika_version setting entirely if your site does not use Tika. To explicitly disable Tika, set tika_version: none.

For Tika 3 configuration details, including how to disable OCR, see External Libraries: Apache Tika.

Pantheon Search with Apache Solr 9.10.0 support for Drupal 7 is available as a beta release for testing on Multidev environments. Do not deploy Solr 9 changes to Dev, Test, or Live. At GA, the updated module will be available as a one-click upstream update.

This extends the Solr 9 beta support previously announced for Drupal 10 and 11.

For setup instructions, required module versions, upgrading from Solr 3, and custom config details, see Using Solr on Drupal 7.

What about Solr 3?

Solr 3 remains supported for Drupal 7 sites during the Beta period. Solr 3 will be removed on February 9, 2027. Sites using Solr 3 should plan to upgrade to Solr 9.

Solr 3 is no longer supported for Drupal 9.4+ as of December 9, 2025. Those sites must use Solr 8 or above.

As previously announced, Tika 1.18 and 1.21 have been removed from the Pantheon platform. All sites now run Tika 3 regardless of the tika_version setting in pantheon.yml.

Action Required

• If you have not already done so, remove tika_version: 1 from your pantheon.yml before May 12, 2026.
  • Any tika_version: 1 entries will be ignored until May 12, 2026, at which point they will be rejected and prevent deployments.
• Update the used Tika 1.x path to Tika 3, for details see related documentation.
  • Existing Tika 1.x file paths will continue to symlink to the new Tika 3 location for the time being, but these symlinks will be removed at a later date.

As noted in our June 2025 release note, Drush 5 and 7 are no longer available on Pantheon, and pantheon.yml files retaining these retired values would eventually cause a git push to be rejected. That enforcement is now in effect.

Pantheon now rejects git push when drush_version is set to 5 or 7 in pantheon.yml. The supported values are 8, 9, and 10.

Validation runs whenever pantheon.yml changes are detected on push, including reverts. Sites with drush_version: 5 or 7 already committed are unaffected until the file is modified. A git revert or git reset that touches pantheon.yml will also trigger validation and be rejected if the retired values are present.

Action required

Customers with sites configured for Drush 5 or 7 should upgrade the Drush version in pantheon.yml to at least Drush 8:

Sites created with custom upstreams using these versions may also encounter errors on site creation or upstream updates if drush_version is still set to 5 or 7.

Pantheon Search now supports Apache Solr 9.10.0 as a Beta for Drupal 10 and 11 sites. This is available through search_api_pantheon version 8.5.0-beta1, which supports both Solr 8 and Solr 9.

What's new?

• Added Solr 9 support.
• Solr 9 brings improved security defaults, the unified highlighter, and other enhancements. See the major changes in Solr 9 for details.
• Bumped Search API Solr version requirement to 4.3.x.

Getting started with Solr 9 (Beta)

Upgrading from Solr 8 to Solr 9

1. Update the module:

   Commit and deploy the changes to your Pantheon environment.

2. Update your pantheon.yml:

   Commit and deploy the changes to your Pantheon environment.

3. Clear the cache:

4. Post the schema for the new Solr version:

5. Clear the index and reindex content:

6. Test search functionality thoroughly and report any issues in the drupal.org issue queue.

New installations

To try the Beta with Solr 9 on a new site, set the Solr version in your pantheon.yml and install the module:

For detailed setup steps, see the documentation.

What about Solr 8?

Solr 8 (8.11.4) remains fully supported. Existing Solr 8 sites can update to Search API Pantheon 8.5.x without any configuration changes.

Older Drupal versions

Pantheon Search is no longer supported for Drupal 8-9.3 as of December 2, 2025.

Solr 3 is no longer supported by Drupal 9.4+ as of December 9, 2025. Those sites must use Solr 8 or above.

Feedback and documentation

Bug reports, feature requests, and feedback should be posted in the drupal.org issue queue. For detailed installation and upgrade instructions,Pantheon Search documentation.

Tika config support for disabling OCR

Tika 3 enables OCR (Optical Character Recognition) via Tesseract by default, which can significantly increase processing times for PDFs and image-based documents. A bundled tika-config.xml is now available on all Pantheon environments to disable OCR:

Pass it to Tika using the --config flag:

See External Libraries: Apache Tika for details.

Search API Attachments module update for Drupal

Drupal sites using the Search API Attachments module can now disable OCR directly from the admin UI. Version 10.0.8 adds a Path to Tika configuration file field at /admin/config/search/search_api_attachments. Set it to /opt/pantheon/tika/tika-config.xml

Tika 1.x no longer available starting April 28, 2026

Tika 1.18 and 1.21 are being removed from the platform:

• April 28, 2026 — tika_version: 1 in pantheon.yml will be ignored. Sites will automatically use Tika 3.
• May 12, 2026 — tika_version: 1 in pantheon.yml will be rejected.