Critical SQL Injection Vulnerability in Drupal Core Disclosed
Severity: High (Score: 74.0)
Sources: Tenable, www.drupal.org, github.com, www.cve.org, Digital.Nhs.Uk
Keywords: drupal, vulnerability, critical, core, highly, injection, sa-core-2026-004
Severity indicators: critical, vulnerability
Summary
On May 20, 2026, Drupal announced a highly critical SQL injection vulnerability (CVE-2026-9082) in its core database abstraction layer for PostgreSQL. An unauthenticated remote attacker can send specially crafted requests that, according to the advisory, may lead to information disclosure, data modification, or remote code execution. Drupal rates the issue 'Highly Critical', 20 out of 25 on its risk scale. Affected releases run from Drupal core 8.9.0 up to, but not including, the fixed release of each branch: 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12 and 11.3.10. No exploitation in the wild had been observed as of May 21, 2026, but public proof-of-concept code exists and Drupal's history (Drupalgeddon) makes rapid exploitation likely. Only sites using PostgreSQL are affected; MySQL, MariaDB and SQLite sites are not. Administrators are urged to review security advisory SA-CORE-2026-004 and update promptly.

Key Points:
• CVE-2026-9082 is a highly critical SQL injection vulnerability in Drupal core that affects only sites running on PostgreSQL.
• Unauthenticated attackers can exploit it to read or modify non-public data.
• No in-the-wild exploitation has been reported, but a public proof of concept exists and rapid exploitation is possible.
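An added check, not from the advisory or from Drupal's own tooling, that turns the affected-version ranges listed in the CVE record into a function an operator can run against a site's core version and database driver. The driver string follows the `driver` key in Drupal's settings.php (`pgsql` for PostgreSQL, `mysql` for MySQL and MariaDB, `sqlite` for SQLite); the function name, the constant and the sample sites are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added check, not from the advisory: maps the affected-version ranges the
// CVE record lists for CVE-2026-9082 onto a version/driver pair. The ranges
// are transcribed from the record; the function and constant names are
// invented for this example.

/** Each entry is [first affected version, first fixed version in that branch]. */
const CVE_2026_9082_RANGES = [
    ['8.9.0',  '10.4.10'],   // 8.9.x, 9.x and 10.x up to 10.4.x
    ['10.5.0', '10.5.10'],
    ['10.6.0', '10.6.9'],
    ['11.0.0', '11.1.10'],   // 11.0.x and 11.1.x
    ['11.2.0', '11.2.12'],
    ['11.3.0', '11.3.10'],
];

/**
 * Returns true when a site is in scope for SA-CORE-2026-004.
 * $dbDriver is the 'driver' value from settings.php: 'pgsql' is affected,
 * 'mysql' (MySQL/MariaDB) and 'sqlite' are not.
 */
function isAffectedByCve20269082(string $coreVersion, string $dbDriver): bool
{
    if (strtolower($dbDriver) !== 'pgsql') {
        return false;
    }
    foreach (CVE_2026_9082_RANGES as [$firstAffected, $firstFixed]) {
        // version_compare() orders pre-release suffixes below the plain
        // release, so '11.3.10-rc1' is still reported as affected.
        if (version_compare($coreVersion, $firstAffected, '>=')
            && version_compare($coreVersion, $firstFixed, '<')) {
            return true;
        }
    }
    return false;
}

// Constructed sample sites, not a real inventory.
$sites = [
    ['version' => '10.3.6',  'driver' => 'pgsql'],  // old 10.3 branch, inside the first range
    ['version' => '11.3.9',  'driver' => 'pgsql'],  // one release below the fix
    ['version' => '11.3.10', 'driver' => 'pgsql'],  // fixed release
    ['version' => '11.2.11', 'driver' => 'mysql'],  // vulnerable version, unaffected driver
];
foreach ($sites as $site) {
    printf("%-8s %-6s %s\n", $site['version'], $site['driver'],
        isAffectedByCve20269082($site['version'], $site['driver']) ? 'AFFECTED' : 'not affected');
}
```

The first range is deliberately wide: the record's "from 8.9.0 before 10.4.10" covers every 9.x release and the end-of-life 10.x branches below 10.4, so sites on those versions need the hotfixes mentioned in the advisory rather than a minor update. The driver check is the second half of the decision and should not be skipped: a vulnerable core version on MySQL is out of scope for this advisory.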
Detailed Analysis
**Impact**
Drupal sites using PostgreSQL as their database backend are affected, from core 8.9.0 through the 11.3 branch before the patched releases listed in the CVE record. An unauthenticated attacker can read and modify all non-public data, which can lead to data disclosure, deletion, privilege escalation, or remote code execution. No specific sectors or geographies are detailed, but Drupal's widespread use in government, healthcare, and enterprise implies broad exposure. Sites running MySQL, MariaDB, SQLite, or Drupal 7 are not affected.

**Technical Details**
CVE-2026-9082 is an SQL injection in Drupal core's PostgreSQL EntityQuery condition handler, reachable through specially crafted unauthenticated API requests. The flaw arises when user-controlled PHP array keys reach SQL placeholder construction without sanitization. The fix passes the array through `array_values()`, which discards the caller's keys and reindexes the array numerically, so only integer indices are used to build placeholder names. No in-the-wild exploitation had been observed at the time of reporting, but proof-of-concept code is publicly available and rapid weaponization is expected given the history of similar Drupal vulnerabilities. No specific malware or IOCs have been reported.

**Recommended Response**
Apply the security updates released for all supported Drupal branches, and the hotfixes issued for select end-of-life versions, immediately, prioritizing sites on PostgreSQL. Review and apply the coordinated upstream security updates for Symfony and Twig included in these releases. Monitor for unusual API requests and for signs of SQL injection attempts against Drupal sites. Sites using Drupal Steward have protection against the known attack vectors for this vulnerability.
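The pattern described above, as an added illustration in PHP that is not Drupal's code and does not reproduce the EntityQuery condition handler: a hypothetical IN-clause builder that derives placeholder names from the keys of a caller-supplied array, the same builder after `array_values()`, and constructed request-shaped input. The function names, the `:v_` placeholder prefix and the sample values are assumptions for the example; the column name is taken to come from code, not from the request.

```php
<?php
declare(strict_types=1);

// Added illustration, not Drupal's code: how caller-controlled PHP array keys
// can leak into SQL text when placeholder names are derived from them, and
// what array_values() changes. All names here are invented for the example.

/**
 * Vulnerable pattern: placeholder names come from the KEYS of the value array.
 * If that array was decoded from a request body, the client chose the keys,
 * so the client controls part of the SQL string rather than only bound values.
 * $column is assumed to be a code-supplied identifier, never user input.
 */
function buildInClauseVulnerable(string $column, array $values): array
{
    $placeholders = [];
    $args = [];
    foreach ($values as $key => $value) {
        $name = ':v_' . $key;           // key is concatenated into SQL verbatim
        $placeholders[] = $name;
        $args[$name] = $value;
    }
    return [$column . ' IN (' . implode(', ', $placeholders) . ')', $args];
}

/**
 * Hardened pattern: array_values() drops the caller's keys and reindexes the
 * array 0, 1, 2 ..., so only integers ever reach the placeholder name. A
 * pattern check on the generated name is added as a second, defensive layer.
 */
function buildInClauseFixed(string $column, array $values): array
{
    $placeholders = [];
    $args = [];
    foreach (array_values($values) as $index => $value) {
        $name = ':v_' . $index;
        if (preg_match('/^:[A-Za-z0-9_]+$/', $name) !== 1) {
            throw new InvalidArgumentException("Unsafe placeholder name: $name");
        }
        $placeholders[] = $name;
        $args[$name] = $value;
    }
    return [$column . ' IN (' . implode(', ', $placeholders) . ')', $args];
}

// Constructed sample input shaped like the output of json_decode($body, true).
// Keys '0' and '1' are what a well-behaved client sends; the hostile key
// carries SQL syntax that the vulnerable builder emits unchanged.
$benign  = ['0' => 'alice', '1' => 'bob'];
$hostile = ['0) OR 1=1 --' => 'alice'];

foreach (['benign' => $benign, 'hostile' => $hostile] as $label => $input) {
    [$sqlVuln, $argsVuln]   = buildInClauseVulnerable('name', $input);
    [$sqlFixed, $argsFixed] = buildInClauseFixed('name', $input);
    printf("%-8s vulnerable: %s  args=%s\n", $label, $sqlVuln, json_encode($argsVuln));
    printf("%-8s fixed:      %s  args=%s\n", $label, $sqlFixed, json_encode($argsFixed));
}
```

For the hostile input the vulnerable builder returns the string `name IN (:v_0) OR 1=1 --)`: the key's content has become part of the SQL text before any parameter binding happens, which is why prepared statements alone do not help here. The fixed builder returns `name IN (:v_0)` and binds `alice` to that single placeholder. The `preg_match` guard is belt-and-braces; `array_values()` is the actual fix, because it guarantees the key space is integers regardless of what the client sent.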
Source articles (6)
- CC-4788 — Digital.Nhs.Uk · 2026-05-21
Drupal have released a security update to address a critical severity vulnerability in Drupal Core. An anonymous user could send specially crafted API requests to exploit the vulnerability leading to…
- Drupal core - Highly critical - SQL injection - SA-CORE-2026-004 — www.drupal.org · 2026-05-21
- CVE-2026-9082 — www.cve.org · 2026-05-21
Status: Published. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.
- Drupal Steward — www.drupal.org · 2026-05-21
- Drupal Sa Core 2026 004 Lab — github.com · 2026-05-21
- CVE-2026-9082: Highly Critical SQL Injection Vulnerability in Drupal Core (SA-CORE-2026-004) — Tenable · 2026-05-21
A highly critical SQL injection vulnerability in Drupal core's database abstraction layer affects sites running PostgreSQL. On May 20, Drupal published a security advisory (SA-CORE-2026-004) for a hig…
Timeline
- 2018-03-29 — CVE-2018-7600 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2018-04-27 — Public exploit for CVE-2018-7602 released: A proof-of-concept exploit appeared on GitHub, lowering the barrier for opportunistic attackers.
- 2026-05-18 — Public service announcement issued: Drupal warned administrators to prepare for a critical release and potential exploitation within days.
- 2026-05-20 — CVE-2026-9082 published: Drupal disclosed a critical SQL injection vulnerability affecting its core database abstraction layer for PostgreSQL.
- 2026-05-21 — First public PoC released: A proof of concept for exploiting CVE-2026-9082 was published shortly after the vulnerability disclosure.
- 2026-05-21 — NHS alerts organizations: Digital NHS advised organizations to review the Drupal security advisory and apply updates to mitigate the vulnerability.
CVEs
- CVE-2026-9082
Related entities
- SQL Injection (Attack Type)
- CWE-89 - SQL Injection (CWE)
- T1190 - Exploit Public-Facing Application (MITRE ATT&CK)
- Drupal (Platform)
- Drupal Core (Platform)
- PostgreSQL (Platform)
- Drupalgeddon (Vulnerability)