CVE-2026-9082
May 21, 2026

Critical Drupal Core SQL Injection Vulnerability

Security Advisory
Kudelski Security Team

Summary

A new vulnerability, tracked as CVE-2026-9082, affects multiple supported versions of Drupal core using PostgreSQL database backends. The flaw allows unauthenticated remote attackers to execute arbitrary SQL queries through specially crafted requests, potentially leading to sensitive data exposure, privilege escalation, administrative compromise, or remote code execution.

Drupal assigned the issue a severity rating of “Highly Critical” with a risk score of 19/25 due to the lack of authentication requirements, low attack complexity, and potential for complete system compromise. Internet-facing Drupal environments using PostgreSQL should be patched immediately as exploitation is expected within hours, not days.

Affected Products

Drupal Core Versions

The following Drupal core branches are affected:

Drupal 11.2.x prior to 11.2.12
Drupal 11.3.x prior to 11.3.8
Drupal 10.5.x prior to 10.5.10
Drupal 10.6.x prior to 10.6.8

Affected Configurations

The vulnerability affects:

Drupal sites using PostgreSQL databases
Internet-facing Drupal installations
Configurations exposing vulnerable request handling paths

Not Affected

Drupal sites using MySQL or MariaDB are not believed to be affected
Drupal 7 is not affected
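
A triage pass over a site inventory, using only the affected branches and exclusions listed above. This is an added example, not part of the original advisory or of Drupal; the function names and the inventory records are constructed for illustration, and `pgsql` is assumed to be how the inventory records a PostgreSQL backend.

```python
import re

# Lowest patch release per branch that the "Drupal Core Versions" list treats
# as no longer affected (e.g. 11.2.x prior to 11.2.12).
FIXED_PATCH = {(11, 2): 12, (11, 3): 8, (10, 5): 10, (10, 6): 8}

def parse_version(version):
    """Return (major, minor, patch, is_prerelease) for '10.5.9', '7.98', '11.3.8-rc1'."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$", version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0), bool(m.group(4))

def triage(version, db_driver):
    """Classify one site against the advisory's affected-product lists."""
    major, minor, patch, prerelease = parse_version(version)
    driver = db_driver.strip().lower()
    if major == 7:
        return "not affected (Drupal 7)"
    if driver in ("mysql", "mariadb"):
        return "not believed affected (MySQL/MariaDB)"
    if driver not in ("pgsql", "postgresql"):
        return "review: database backend not covered by the advisory"
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return "review: branch not listed, check the Drupal advisory"
    # A pre-release of the fixed version sorts below it, so treat it as affected.
    if patch < fixed or (patch == fixed and prerelease):
        return f"AFFECTED: below {major}.{minor}.{fixed}"
    return "at or above the listed fixed release"

INVENTORY = [  # constructed sample records: (site, core version, database driver)
    ("www", "10.5.9", "pgsql"),
    ("intranet", "11.3.8", "pgsql"),
    ("shop", "10.6.2", "mysql"),
    ("legacy", "7.98", "pgsql"),
    ("staging", "11.1.4", "pgsql"),
]

def triage_inventory(inventory):
    return {site: triage(version, driver) for site, version, driver in inventory}

if __name__ == "__main__":
    for site, verdict in triage_inventory(INVENTORY).items():
        print(f"{site:10} {verdict}")
```

Sites that come back as "review" are on branches or backends the lists above do not mention and need a manual check against the Drupal advisory.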

Technical Analysis

CVE-2026-9082 exists within a Drupal core API handling mechanism that improperly processes crafted input when interacting with PostgreSQL database systems. Insufficient validation and unsafe handling of request parameters allow attackers to manipulate backend SQL queries and inject arbitrary database commands into vulnerable requests. Because exploitation does not require authentication, attackers can target exposed Drupal systems remotely with minimal effort.

The flaw appears to originate from how Drupal constructs or interprets database interactions within PostgreSQL-specific query paths. Under vulnerable conditions, malicious input can alter the structure or execution flow of SQL statements, enabling attackers to bypass intended application logic and directly interact with the database backend. This creates the potential for unauthorized access to sensitive data, manipulation of stored application information, or execution of administrative database operations.

In practical attack scenarios, exploitation could allow attackers to enumerate database contents, extract credential material and session data, create or elevate privileged accounts, modify Drupal configuration settings, or implant persistence mechanisms such as malicious administrator users or web shells. Depending on server configuration and database privileges, successful SQL injection may also facilitate remote code execution through database-assisted techniques or chained exploitation paths.

The severity of the issue is amplified by several factors: exploitation requires no user interaction or authentication, the attack complexity is low, and the vulnerability affects core Drupal functionality rather than optional contributed modules. Public disclosure of technical details and proof-of-concept exploit code may significantly increase the likelihood of rapid exploitation activity against internet-facing Drupal environments.

Mitigation

Drupal has released security updates addressing the vulnerability. Organizations should immediately upgrade to:

Drupal 11.3.10 or later
Drupal 11.2.12 or later
Drupal 11.1.10 or later
Drupal 10.6.9 or later
Drupal 10.5.10 or later
Drupal 10.4.10 or later

Organizations operating unsupported Drupal versions should prioritize migration to supported branches immediately.

What the Cyber Fusion Center is Doing

The CFC is monitoring the situation and analyzing the case to identify potential threat-hunting campaigns. This advisory will be updated if required.

References

https://www.drupal.org/sa-core-2026-004
https://www.drupal.org/security/core
https://www.drupal.org/project/drupal/releases
