Drupal core SQL injection flaw puts PostgreSQL sites at risk as exploit attempts begin
Drupal has released emergency core security updates for a highly critical SQL injection vulnerability that can be exploited by anonymous users on affected sites. The flaw is tracked as CVE-2026-9082 and is covered in the official SA-CORE-2026-004 advisory.
The vulnerability affects Drupal core’s database abstraction API, which normally sanitizes database queries before they reach the backend. In this case, specially crafted requests can lead to arbitrary SQL injection on sites that use PostgreSQL.
Drupal first warned site owners through PSA-2026-05-18, which told administrators to reserve time for urgent core updates on May 20, 2026. The final advisory later confirmed the technical issue and raised the risk score to 23/25 after exploit attempts were detected in the wild.
What the Drupal vulnerability does
CVE-2026-9082 allows attackers to send crafted requests that abuse Drupal’s query handling for PostgreSQL-backed websites. Drupal says the issue can lead to information disclosure and, in some cases, privilege escalation, remote code execution, or other attacks.
The issue is especially urgent because attackers do not need an account to exploit vulnerable configurations. Public-facing Drupal sites using PostgreSQL should receive immediate priority, especially if they run affected versions of Drupal 8, 9, 10, or 11.
The Drupal security advisory also says the SQL injection issue only affects PostgreSQL sites. However, the same core releases include third-party dependency updates for Symfony and Twig, so Drupal recommends updates even for sites that do not use PostgreSQL.
| Issue | Details |
|---|---|
| CVE | CVE-2026-9082 |
| Advisory | SA-CORE-2026-004 |
| Severity | Highly critical, 23/25 |
| Bug type | SQL injection |
| Main affected database | PostgreSQL |
| Authentication required | No, anonymous users can exploit affected sites |
| Exploit status | Exploit attempts detected in the wild |
Which Drupal versions need updates
The affected version range is broad. Drupal lists the vulnerable versions as 8.9.0 up to but not including 10.4.10, 10.5.0 up to but not including 10.5.10, 10.6.0 up to but not including 10.6.9, 11.0.0 up to but not including 11.1.10, 11.2.0 up to but not including 11.2.12, and 11.3.0 up to but not including 11.3.10.
The Drupal 11.3.10 release notes confirm that the update fixes SA-CORE-2026-004 and also updates several dependencies for upstream security releases. Drupal says sites should update immediately after reading the release notes and security announcement.
Drupal 7 is not affected. Sites still running Drupal 8 or 9 do not receive normal releases, but Drupal provided best-effort manual patches because of the potential severity of this issue.
| Current Drupal branch | Recommended fixed version or action |
|---|---|
| Drupal 11.3.x | Update to Drupal 11.3.10 |
| Drupal 11.2.x | Update to Drupal 11.2.12 |
| Drupal 11.1.x or 11.0.x | Update to Drupal 11.1.10, then plan a supported upgrade |
| Drupal 10.6.x | Update to Drupal 10.6.9 |
| Drupal 10.5.x | Update to Drupal 10.5.10 |
| Drupal 10.4.x or earlier | Update to Drupal 10.4.10, then plan a supported upgrade |
| Drupal 9.x | Try the manual Drupal 9.5 patch and upgrade as soon as possible |
| Drupal 8.9.x | Try the manual Drupal 8.9 patch and upgrade as soon as possible |
| Drupal 7 | Not affected by this issue |
Why the risk increased after disclosure
Drupal’s pre-release warning was unusually direct. It told site owners that exploits might be developed within hours or days after the security release, which is why administrators were asked to reserve time during the May 20 release window.
The pre-release Drupal notice said not all configurations were affected, but it also urged sites to prepare because mitigation details would only arrive with the final advisory. That approach limited attacker access to technical details before patches became available.
The risk later increased because exploit attempts were detected in the wild. That means administrators should not treat this as a routine CMS update, especially when public-facing PostgreSQL-backed Drupal sites remain unpatched.
Why non-PostgreSQL sites should still update
The SQL injection path is specific to PostgreSQL, but the update has broader security value. Drupal bundled upstream security updates for Symfony and Twig with the supported branch releases, and site configuration can affect exposure to those dependency issues.
The Drupal release notes say Twig was updated to 3.26.0 and Symfony to 7.4.12 for coordinated security fixes. Drupal also recommends reviewing which user roles can update Twig templates, including through Views or contributed modules.
That makes patching important even for MySQL or MariaDB-backed sites. A site may not match the PostgreSQL SQL injection condition, but it can still benefit from the dependency fixes and hardening included in the release.
Hosted platforms may handle part of the risk
Some hosted Drupal platforms applied mitigations before public disclosure. Pantheon, for example, says no action is required to protect Pantheon-hosted sites from CVE-2026-9082 because its platform does not use PostgreSQL and because it worked with Drupal Steward on platform-level protections.
The Pantheon release note still recommends updating to the latest Drupal core patch release so codebases remain aligned with upstream supported branches. That advice also applies more broadly to organizations using managed hosting with separate application maintenance workflows.
Site owners should not assume hosting protection replaces all patching. Platform-level mitigation can reduce known attack paths, but application updates still matter for dependency fixes, future attack variants, and long-term support coverage.
What Drupal administrators should do now
Administrators should first identify every Drupal site, its exact core version, and its database backend. PostgreSQL-backed public websites should move to the front of the patch queue, followed by other Drupal sites that need the bundled dependency fixes.
- Confirm whether each Drupal site uses PostgreSQL.
- Update supported Drupal 10 and 11 sites to the fixed patch release.
- Apply best-effort manual patches only as a temporary step for Drupal 8 or 9.
- Move end-of-life Drupal 8, 9, 10.4, and 11.1 sites to supported branches as soon as possible.
- Review logs for unusual anonymous requests after May 20, 2026.
- Check for unexpected admin accounts, content changes, database changes, or modified templates.
- Back up the site and database before patching, then verify the update in production.
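The first two inventory steps above (which core version is each site on, and does it use PostgreSQL) are easy to get wrong across a large estate when done by eye. The script below is an added example, not code from Drupal or from this article: it encodes the affected ranges and fixed versions the advisory lists, parses a core version string, detects the PostgreSQL driver in a Drupal settings.php file, and returns a triage verdict. The settings.php snippets are constructed samples in the two shapes Drupal commonly uses for the `$databases` array; the driver name `pgsql` is Drupal's PostgreSQL driver identifier, and the "P1"/"P2" priority labels are an assumption of this example, not advisory terminology.

```python
"""Triage Drupal sites against the SA-CORE-2026-004 affected version ranges.

Added example (not Drupal's or the article's code). Ranges and fixed
versions come from the advisory text: lower bound inclusive, upper bound
exclusive, upper bound being the fixed release for that branch.
"""
import re

AFFECTED_RANGES = [
    ((8, 9, 0), (10, 4, 10)),   # covers 8.9.x and all of 9.x too
    ((10, 5, 0), (10, 5, 10)),
    ((10, 6, 0), (10, 6, 9)),
    ((11, 0, 0), (11, 1, 10)),  # covers 11.0.x and 11.1.x
    ((11, 2, 0), (11, 2, 12)),
    ((11, 3, 0), (11, 3, 10)),
]

# Matches both "'driver' => 'pgsql'" inside an array literal and the
# "$databases[...]['driver'] = 'pgsql';" assignment style.
_PGSQL_DRIVER = re.compile(r"""['"]driver['"]\s*(?:=>|\]\s*=)\s*['"]pgsql['"]""")


def parse_version(text):
    """Turn '11.3.9', 'v10.5.3', '7.103' or '11.3.9-dev' into a 3-tuple."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-+][\w.]*)?\s*", text)
    if not m:
        raise ValueError(f"unrecognised Drupal version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def affected_range(version):
    """Return the (lo, hi) range a version falls in, or None if unaffected."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return lo, hi
    return None


def is_affected(version):
    return affected_range(version) is not None


def recommended_fix(version):
    """Fixed release for an affected version as a string, else None."""
    rng = affected_range(version)
    return ".".join(map(str, rng[1])) if rng else None


def uses_postgresql(settings_php):
    """True if settings.php configures Drupal's 'pgsql' database driver."""
    return _PGSQL_DRIVER.search(settings_php) is not None


def triage(version, settings_php, public_facing=True):
    """Combine version and backend into an action and a patch-queue priority."""
    v = parse_version(version)
    affected = is_affected(version)
    pgsql = uses_postgresql(settings_php)
    if v[0] == 7:
        action = "Drupal 7 is not affected by this issue"
    elif not affected:
        action = "outside the affected ranges; still take the latest core release for the bundled Symfony/Twig fixes"
    elif v[0] in (8, 9):
        action = "apply the best-effort manual patch, then upgrade to a supported branch"
    else:
        action = f"update to Drupal {recommended_fix(version)}"
    if affected and pgsql:
        priority = "P1" if public_facing else "P2"   # SQLi path is reachable
    elif affected:
        priority = "P2"                               # dependency fixes only
    else:
        priority = "P3"
    return {"version": version, "affected": affected,
            "postgresql": pgsql, "priority": priority, "action": action}


# Constructed sample settings.php fragments (not from a real site).
SAMPLE_PGSQL_ARRAY = """
$databases['default']['default'] = array(
  'database' => 'drupal',
  'username' => 'drupal',
  'driver' => 'pgsql',
  'host' => 'localhost',
);
"""
SAMPLE_PGSQL_ASSIGN = "$databases['default']['default']['driver'] = 'pgsql';\n"
SAMPLE_MYSQL = "$databases['default']['default'] = ['driver' => 'mysql', 'host' => 'db'];\n"

if __name__ == "__main__":
    for ver, cfg in [("11.3.9", SAMPLE_PGSQL_ARRAY), ("10.6.9", SAMPLE_MYSQL),
                     ("9.5.11", SAMPLE_PGSQL_ASSIGN), ("7.103", SAMPLE_MYSQL)]:
        print(triage(ver, cfg))
```

Feed it the output of `drush status --field=drupal-version` (or the version from `composer show drupal/core`) together with each site's settings.php, and sort the results by priority to build the patch queue. The triage stays deliberately conservative: an affected version on MySQL or MariaDB still lands in the queue because of the Symfony and Twig updates the same releases carry.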
The Pantheon guidance also points users back to patched Drupal core releases, which is the cleanest long-term fix. Managed hosting customers should confirm whether their provider handled platform mitigation, application updates, or both.
Why this matters for website security
Drupal powers public-sector, education, media, nonprofit, and enterprise websites. A highly critical anonymous SQL injection flaw can create serious risk because attackers often scan for vulnerable CMS versions quickly after disclosure.
The practical impact depends on the database backend and site configuration, but any affected PostgreSQL-backed site should assume active scanning is possible. If attackers reach the database layer, they may expose user data, alter content, escalate privileges, or chain the bug with other weaknesses.
Organizations should treat this as both a patching event and an incident-readiness exercise. Updating Drupal core closes the known flaw, but log review and database integrity checks help identify whether exploitation happened before the fix landed.
The safest response is clear: update immediately, verify the fixed version, monitor for suspicious requests, and plan migrations away from unsupported Drupal branches.
FAQ
CVE-2026-9082 is a highly critical SQL injection vulnerability in Drupal core’s database abstraction API. It affects Drupal sites using PostgreSQL and can be exploited by anonymous users.
No. The SQL injection issue only affects sites using PostgreSQL. However, Drupal recommends installing the latest core updates because the releases also include upstream Symfony and Twig security fixes.
No. Drupal says Drupal 7 is not affected by CVE-2026-9082.
Fixed versions include Drupal 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, and 10.4.10. Drupal also provided best-effort manual patches for Drupal 8.9 and Drupal 9.5.
Administrators should identify every Drupal site, confirm its database backend, update to the fixed core release, and review logs for suspicious anonymous requests or unexpected database and content changes.