CVE-2026-9082

Drupal · Core

A critical SQL injection vulnerability exists in Drupal Core for PostgreSQL backends, allowing unauthenticated attackers to execute arbitrary SQL statements.

Executive summary

Drupal Core is affected by a critical SQL injection vulnerability that is currently being exploited in the wild, posing an immediate risk of remote code execution.

Vulnerability

This is an unauthenticated SQL injection vulnerability affecting Drupal sites using PostgreSQL. Attackers can inject malicious SQL via network-accessible inputs, potentially leading to data exfiltration, modification, or remote code execution.

Business impact

With a CVSS score of 9.5, this vulnerability represents a critical risk. Successful exploitation allows an attacker to bypass authentication, potentially gaining full control over the Drupal instance and the underlying database. This could result in complete loss of data confidentiality, integrity, and availability, as well as unauthorized access to integrated enterprise systems.

Remediation

Immediate Action: Update Drupal core to versions 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, or 11.3.10 immediately.

Proactive Monitoring: Review database query logs for anomalous or malformed SQL patterns originating from external sources.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules designed to detect and block SQL injection patterns, though this should be treated only as a temporary measure.

Exploitation status

Public Exploit Available: True

Analyst recommendation

Given the confirmed active exploitation and the critical nature of this SQL injection flaw, organizations must prioritize patching their Drupal environments immediately. Failure to update will leave systems vulnerable to complete compromise by unauthenticated attackers.