A highly critical SQL injection vulnerability in Drupal core’s database abstraction layer affects sites running PostgreSQL.
Key Takeaways
- CVE-2026-9082 is a highly critical SQL injection vulnerability in Drupal core’s database abstraction API that can be exploited by unauthenticated attackers on sites using PostgreSQL.
- No exploitation has been observed in the wild, but a detection PoC was published on the same day as the advisory and the patch diff was shared publicly within hours.
- Patches are available across six supported Drupal branches, including two exceptional releases for end-of-life versions.
Background
On May 20, Drupal published a security advisory (SA-CORE-2026-004) for a highly critical SQL injection vulnerability in Drupal core:
| CVE | Description | CVSSv3 |
|---|---|---|
| CVE-2026-9082 | Drupal Core SQL Injection Vulnerability | 6.5 |
The advisory was preceded by a public service announcement (PSA-2026-05-18) on May 18, which warned administrators to prepare for a highly critical release and cautioned that exploitation could occur “within hours or days” of disclosure.
Drupal rates this vulnerability 20 out of 25 on its own risk scoring scale (“Highly Critical”), noting that the confidentiality impact includes “all non-public data accessible” and the integrity impact is “all data modifiable or deletable.” NVD assigned a CVSSv3 score of 6.5, rating the confidentiality and integrity impacts as Low. Given the vendor’s own characterization of impact and the unauthenticated attack vector, the Drupal risk rating better reflects the potential severity for affected configurations.
Analysis
CVE-2026-9082 is an SQL injection vulnerability in Drupal core’s database abstraction API, specifically in the PostgreSQL EntityQuery condition handler. An unauthenticated, remote attacker can exploit this vulnerability by sending specially crafted requests to a vulnerable Drupal site running on PostgreSQL. Successful exploitation could lead to information disclosure, data modification or deletion, and in some configurations, privilege escalation or remote code execution.
The root cause is that user-controlled PHP array keys could reach SQL placeholder construction without sanitization: the keys of a condition value array were used when building placeholder names, so text chosen by the caller was concatenated into the query. Drupal fixed this by applying `array_values()` to the array, which discards the attacker-supplied keys and replaces them with sequential numeric indexes, so only an integer can ever appear in a placeholder name.
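The following is an added illustration of that bug class and its fix; it is not Drupal's code and does not reproduce the EntityQuery handler. The placeholder naming scheme `:ph_<key>`, the function names and the sample input are assumptions made for this example.

```php
<?php
// Added illustration, not Drupal's code: a minimal version of the bug class the
// advisory describes. The ":ph_<key>" naming scheme and function names are
// assumptions for this example only.

/**
 * Vulnerable pattern: build an IN (...) clause whose placeholder names are
 * derived from the keys of the incoming array. The caller controls those keys,
 * so whatever they contain is concatenated straight into the SQL text.
 */
function buildInVulnerable(string $field, array $values): array
{
    $placeholders = [];
    $args = [];
    foreach ($values as $key => $value) {
        $name = ':ph_' . $key;      // key reaches the SQL string unsanitized
        $placeholders[] = $name;
        $args[$name] = $value;
    }
    return [$field . ' IN (' . implode(', ', $placeholders) . ')', $args];
}

/**
 * Hardened pattern: array_values() discards the caller-supplied keys and
 * re-indexes from 0, so only an integer can be interpolated into the
 * placeholder name. The values themselves are still passed as bound arguments.
 */
function buildInFixed(string $field, array $values): array
{
    $placeholders = [];
    $args = [];
    foreach (array_values($values) as $index => $value) {
        $name = ':ph_' . $index;
        $placeholders[] = $name;
        $args[$name] = $value;
    }
    return [$field . ' IN (' . implode(', ', $placeholders) . ')', $args];
}

/**
 * Audit helper: true when the array is already a plain list (keys 0..n-1),
 * i.e. nothing caller-chosen can leak through key-derived placeholder names.
 */
function keysAreSafe(array $values): bool
{
    return array_keys($values) === array_keys(array_values($values));
}

// Constructed input: a value array whose keys an attacker controls, as would
// be the case for a decoded JSON request body passed straight into a condition.
$tainted = ['0) OR 1=1 --' => 'alice', 'x' => 'bob'];

[$sql, $args] = buildInVulnerable('name', $tainted);
echo "vulnerable: $sql\n";   // the key text is now part of the query

[$sql, $args] = buildInFixed('name', $tainted);
echo "fixed:      $sql\n";   // placeholders are derived from 0, 1, ...

var_dump(keysAreSafe($tainted));                // false: string keys present
var_dump(keysAreSafe(array_values($tainted)));  // true after re-indexing
```

With the tainted input, the vulnerable builder yields `name IN (:ph_0) OR 1=1 --, :ph_x)`, so the closing parenthesis and the `OR 1=1` clause come from the array key, not from a bound value; the fixed builder yields `name IN (:ph_0, :ph_1)` regardless of what the keys were. Whether a given driver then executes such a string, rejects the mangled placeholder, or can be steered further depends on the placeholder grammar of the real code path, which this example does not model; the point is the data flow from key to query text that `array_values()` removes.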
Scope: PostgreSQL only
This vulnerability only affects Drupal sites using PostgreSQL as their database backend. Sites running MySQL, MariaDB, or SQLite are not affected. The vulnerable code resides in Drupal’s PostgreSQL EntityQuery condition handler, which is only invoked on PostgreSQL configurations.
No exploitation observed
As of May 21, when this blog post was published, Drupal’s advisory described the exploit status as “Theoretical,” and no in-the-wild exploitation had been reported.
Historical exploitation of Drupal Core
Drupal core has a well-documented history of critical vulnerabilities that attracted rapid mass exploitation. CISA’s Known Exploited Vulnerabilities (KEV) catalog contains four Drupal entries, two of which have confirmed ransomware use. The Drupalgeddon vulnerabilities (CVE-2018-7600 and CVE-2018-7602) in particular became a case study in how quickly attackers weaponize Drupal flaws once details are available.
Proof of concept
On the same day as the security release, a detection PoC and reproduction lab was published. The patch diff was also shared on social media within hours of the release.
The minimal complexity of this patch, combined with the availability of AI-powered code analysis tools that can analyze diffs and assist in exploit development, compresses the timeline between patch release and weaponization. Historically, Drupal vulnerabilities of this severity have seen exploitation within hours to days of disclosure. Administrators running PostgreSQL-backed Drupal sites face a shortening window to apply patches before exploitation attempts begin.
Solution
Drupal has released fixed versions across all currently supported branches, as well as exceptional releases for two end-of-life branches due to the severity of this vulnerability:
| Affected Versions | Fixed Version |
|---|---|
| Drupal 11.3.0 – 11.3.9 | 11.3.10 |
| Drupal 11.2.0 – 11.2.11 | 11.2.12 |
| Drupal 11.0.0 – 11.1.9 | 11.1.10 (EOL, exceptional release) |
| Drupal 10.6.0 – 10.6.8 | 10.6.9 |
| Drupal 10.5.0 – 10.5.9 | 10.5.10 |
| Drupal 10.4.0 – 10.4.9 | 10.4.10 (EOL, exceptional release) |
Sites running Drupal 8.9 or 9.5 have reached end-of-life and will not receive packaged updates. However, Drupal has published hotfix files for sites running 9.5.11 or 8.9.20. Sites on Drupal 7 are not affected.
Sites using Drupal Steward are protected against known attack vectors for this vulnerability.
According to the security advisory, these releases also include coordinated upstream security updates for Symfony and Twig. Those address vulnerabilities separate from CVE-2026-9082, some of which affect Drupal core, so even sites not running PostgreSQL benefit from updating to these releases.
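To turn the fixed-version table and the PostgreSQL-only scope into a fleet check, here is an added triage helper; it is not Drupal's or Tenable's code. It assumes the driver name is the one Drupal stores in `settings.php` under `$databases['default']['default']['driver']`, which is `pgsql` for PostgreSQL, and it encodes only the branches listed in the table above, returning `unlisted` for anything else.

```php
<?php
// Added triage helper, not Drupal's or Tenable's code: classify a site against
// the fixed-version table in this post. Assumes the driver string from
// settings.php ($databases['default']['default']['driver']), 'pgsql' for
// PostgreSQL. Branches not in the table are reported as 'unlisted'.

/** First two components of a version string, e.g. "11.2" for "11.2.11". */
function minorBranch(string $version): string
{
    return implode('.', array_slice(explode('.', $version), 0, 2));
}

/**
 * Map a core version to the action the table calls for:
 *   - a version string: upgrade to that fixed release
 *   - 'hotfix':         apply the published hotfix (8.9.20 / 9.5.11 only)
 *   - 'unlisted':       branch not covered by the table; consult the advisory
 *   - null:             already fixed, or Drupal 7 (not affected)
 */
function requiredAction(string $version): ?string
{
    // [first affected, first fixed]; affected means first <= version < fixed.
    $branches = [
        ['11.3.0', '11.3.10'],
        ['11.2.0', '11.2.12'],
        ['11.0.0', '11.1.10'],   // 11.0.x and 11.1.x both move to 11.1.10
        ['10.6.0', '10.6.9'],
        ['10.5.0', '10.5.10'],
        ['10.4.0', '10.4.10'],
    ];
    foreach ($branches as [$first, $fixed]) {
        if (version_compare($version, $first, '>=') && version_compare($version, $fixed, '<')) {
            return $fixed;
        }
        if (version_compare($version, $fixed, '>=') && minorBranch($version) === minorBranch($fixed)) {
            return null;   // at or past the fixed release on that branch
        }
    }
    if ($version === '8.9.20' || $version === '9.5.11') {
        return 'hotfix';   // the only 8.9 / 9.5 versions the hotfix files target
    }
    if (version_compare($version, '8.0.0', '<')) {
        return null;       // Drupal 7 is not affected
    }
    return 'unlisted';
}

/** True when the site is in scope for CVE-2026-9082 and still needs action. */
function exposedToCve(string $version, string $driver): bool
{
    return $driver === 'pgsql' && requiredAction($version) !== null;
}

// Constructed inventory rows: [site, core version, driver].
$inventory = [
    ['www',    '11.2.11', 'pgsql'],
    ['intra',  '10.4.9',  'mysql'],
    ['legacy', '9.5.11',  'pgsql'],
    ['docs',   '11.3.10', 'pgsql'],
    ['old',    '10.3.5',  'pgsql'],
];
foreach ($inventory as [$site, $version, $driver]) {
    printf("%-7s %-8s %-6s exposed=%-3s action=%s\n",
        $site, $version, $driver,
        exposedToCve($version, $driver) ? 'yes' : 'no',
        requiredAction($version) ?? 'none');
}
```

`exposedToCve()` answers only the CVE-2026-9082 question; a MySQL site on 10.4.9 is reported as not exposed to this flaw but should still move to 10.4.10 for the bundled Symfony and Twig fixes. The `unlisted` result is deliberately not treated as safe: a branch the table does not name (for example 10.3.x or a newer 11.x minor) needs to be checked against the advisory itself rather than assumed patched.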
Identifying affected systems
A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2026-9082 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.
Additionally, customers can utilize Tenable Attack Surface Management to identify public facing assets running Drupal by using the following query: CMS contains Drupal.
Get more information
Join Tenable’s Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.