
CVE-2026-9082

Drupal SQL Injection Vulnerability

CVE-2026-9082 is a highly critical SQL injection vulnerability affecting Drupal core sites configured to use PostgreSQL as the backend database. The vulnerability exists in Drupal’s database abstraction API, where specially crafted requests can bypass query sanitization and result in arbitrary SQL injection. The issue is reachable by anonymous users and requires no authentication or prior privileges. Drupal rates the issue as “Highly Critical,” with a 20 out of 25 security risk score. The vulnerability is rated as Critical (CVSS 9.8).

Technical Details

Drupal is an open-source content management system used to build and operate websites, intranets, and digital experience platforms across government, higher education, media, and enterprise environments.

In affected deployments, Drupal core’s database abstraction API fails to properly sanitize certain crafted requests when the site uses PostgreSQL. Successful exploitation enables arbitrary SQL execution against the Drupal site database. Potential outcomes include credential exposure, unauthorized data access, privilege escalation, database manipulation, and possible remote code execution paths depending on site configuration and connected services.

The vulnerability affects PostgreSQL-backed Drupal deployments only.

NodeZero® Proactive Security Platform — Rapid Response

A NodeZero Rapid Response test has been developed to safely validate whether this SQL injection vulnerability can be exploited in your environment. The test executes real attack techniques without causing damage, giving teams immediate clarity on exposure.

  • Run the Rapid Response test: Launch from the NodeZero platform to determine whether affected Drupal instances using PostgreSQL are exploitable
  • Patch immediately: Upgrade Drupal core to a fixed release based on your supported branch
  • Re-run the test: Confirm the vulnerability is no longer exploitable after remediation


Affected versions & patch

Affected:

  • Drupal 8.9.0 through 10.4.9
  • Drupal 10.5.0 through 10.5.9
  • Drupal 10.6.0 through 10.6.8
  • Drupal 11.0.0 through 11.1.9
  • Drupal 11.2.0 through 11.2.11
  • Drupal 11.3.0 through 11.3.9
  • Drupal deployments configured to use PostgreSQL

Not affected:

  • Drupal sites using MySQL, MariaDB, or SQLite

Patch:

  • Upgrade to Drupal 11.3.10 or later
  • Upgrade to Drupal 11.2.12 or later
  • Upgrade to Drupal 11.1.10 or later
  • Upgrade to Drupal 10.6.9 or later
  • Upgrade to Drupal 10.5.10 or later
  • Upgrade to Drupal 10.4.10 or later

For unsupported Drupal 8 or 9 deployments, apply the manually distributed security patches from the Drupal Security Team and migrate to a supported branch as soon as possible.
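The affected and fixed version ranges above are easy to misread by hand (the 8.9.0 through 10.4.9 range covers every 9.x release, and the PostgreSQL condition applies to all of them). The following script is an added example, not code from Horizon3.ai or the Drupal project: it encodes the advisory's ranges and reports whether a given Drupal version and database driver combination falls under CVE-2026-9082, and which fixed release the advisory lists for that branch. It assumes the driver string is the `driver` key of the `$databases` entry in Drupal's settings.php, with `pgsql` as the PostgreSQL value; the version strings used in the demo are constructed.

```python
"""Defender-side triage for CVE-2026-9082: is this Drupal version in an
affected range, and is the site on PostgreSQL? Ranges and fixed releases are
copied from the advisory; nothing here touches the target site."""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive (low, high) ranges from the advisory's "Affected" list.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((8, 9, 0), (10, 4, 9)),    # also covers every 9.x release
    ((10, 5, 0), (10, 5, 9)),
    ((10, 6, 0), (10, 6, 8)),
    ((11, 0, 0), (11, 1, 9)),
    ((11, 2, 0), (11, 2, 11)),
    ((11, 3, 0), (11, 3, 9)),
]

# First fixed release per (major, minor) branch, from the advisory's "Patch" list.
FIXED_RELEASES: Dict[Tuple[int, int], Version] = {
    (10, 4): (10, 4, 10),
    (10, 5): (10, 5, 10),
    (10, 6): (10, 6, 9),
    (11, 1): (11, 1, 10),
    (11, 2): (11, 2, 12),
    (11, 3): (11, 3, 10),
}

# Assumption: Drupal's settings.php names the PostgreSQL driver 'pgsql'.
POSTGRES_DRIVER = "pgsql"


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH'; a pre-release suffix such as '-rc1' is dropped."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Drupal version: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def version_in_affected_range(version: Version) -> bool:
    """Tuple comparison is lexicographic, so inclusive range checks are direct."""
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def assess(version_text: str, db_driver: str) -> dict:
    """Combine version and driver into a verdict plus the advisory's fix target."""
    version = parse_version(version_text)
    uses_postgres = db_driver.strip().lower() == POSTGRES_DRIVER
    in_range = version_in_affected_range(version)
    fix: Optional[Version] = FIXED_RELEASES.get(version[:2])

    if not in_range:
        status = "not in an affected range"
    elif not uses_postgres:
        status = "in an affected range but not on PostgreSQL: not affected per advisory"
    elif fix is None:
        status = ("affected; no fixed release listed for this branch: apply the "
                  "Drupal Security Team patches and migrate to a supported branch")
    else:
        status = "affected: upgrade to " + ".".join(map(str, fix)) + " or later"

    return {"vulnerable": in_range and uses_postgres, "fix": fix, "status": status}


if __name__ == "__main__":
    # Constructed sample inventory: (site, reported core version, settings.php driver).
    inventory = [
        ("intranet", "10.4.9", "pgsql"),
        ("www", "11.2.11", "mysql"),
        ("legacy", "9.5.11", "pgsql"),
        ("portal", "11.3.10", "pgsql"),
    ]
    for site, ver, drv in inventory:
        verdict = assess(ver, drv)
        print(f"{site:10} {ver:8} {drv:6} -> {verdict['status']}")
```

Feed it the version and driver from each site's inventory record; a `vulnerable` verdict of `True` is the set to run the Rapid Response test against first and to re-check once the upgrade has been applied.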

Timeline

  • May 18, 2026 – Drupal issued advance notice of an upcoming highly critical core security release.
  • May 20, 2026 – Drupal published SA-CORE-2026-004 for CVE-2026-9082.
  • May 21, 2026 – Public reporting highlighted the risk to PostgreSQL-backed Drupal sites.


NodeZero® Platform

Implement a continuous find, fix, and verify loop with NodeZero

The NodeZero® platform empowers your organization to reduce its security risk by autonomously finding exploitable weaknesses in your network, giving you detailed guidance on how to prioritize and fix them, and letting you immediately verify that your fixes are effective.
