Drupal Core SQL Injection Vulnerability (CVE-2026-9082)

Theklis Stefani

Junior Security Consultant

In May 2026, the Drupal Security Team disclosed a critical SQL injection vulnerability affecting Drupal core. The issue, tracked as CVE-2026-9082, affects Drupal installations using PostgreSQL and has been assigned a Drupal security risk rating of 23/25. The vulnerability can be exploited by anonymous users, and Drupal has confirmed that exploit attempts are being detected in the wild.

Drupal is a widely used open source content management system for building and managing websites and web applications. While the affected attack surface is limited to PostgreSQL-backed deployments, the flaw exists in Drupal core itself rather than within a contributed module. As a result, affected organisations may be exposed even where third-party modules are tightly controlled and routinely updated.

Drupal core vulnerability technical details

CVE-2026-9082 is an SQL injection vulnerability in Drupal core’s database abstraction API. This API is used by Drupal and its modules to build database queries in a consistent way across supported database engines, rather than requiring each component to write database-specific SQL directly. In normal operation, this helps Drupal generate the correct query syntax for the configured database while reducing the risk of unsafe query handling.

The vulnerability affects the PostgreSQL implementation of this query building process. In affected code paths, specially crafted requests can cause attacker-controlled PHP array keys to influence certain SQL query conditions. This is different from a more typical SQL injection issue where an attacker injects malicious content into a parameter value. In this case, the issue relates to how parts of the query structure are assembled before the final SQL statement is passed to PostgreSQL.

As a result, protections normally provided by Drupal’s query abstraction layer may be bypassed, allowing a crafted request to alter the SQL statement executed by the database. Exploitation is remote and does not require authentication. An attacker only needs access to reachable Drupal functionality that accepts user-controlled input and passes it into the affected query building process. The exact attack surface will vary by site configuration, but functionality that exposes filtering, sorting, search, or API-driven queries to unauthenticated users should be reviewed carefully.

Impact summary of CVE-2026-9082

Successful exploitation may allow an unauthenticated attacker to execute arbitrary SQL queries against the PostgreSQL database supporting a vulnerable Drupal site. This may result in unauthorised access to sensitive information, modification or deletion of stored data, and potential compromise of user accounts.

The impact is particularly significant because the vulnerable behaviour sits within Drupal core’s PostgreSQL query handling. Organisations may therefore be exposed through otherwise standard Drupal functionality, rather than only through custom code that directly constructs SQL queries. This increases the importance of reviewing affected deployments even where custom development is limited or third-party modules are tightly controlled.

In some configurations, secondary impacts such as privilege escalation or remote code execution may be possible. For customer-facing services, exploitation could lead to data protection concerns, service disruption, and reputational damage. For internal platforms, exploitation could disrupt business workflows and affect connected systems that rely on Drupal-managed data.

Drupal has released security updates addressing CVE-2026-9082 across all affected core branches. Organisations should update to a fixed version appropriate to their deployed release as soon as possible. The following Drupal core versions include the fix:

  • Drupal 11.3.10
  • Drupal 11.2.12
  • Drupal 11.1.10
  • Drupal 10.6.9
  • Drupal 10.5.10
  • Drupal 10.4.10

Best-effort patches have also been made available for certain Drupal 8 and Drupal 9 branches due to the severity of the issue. However, these versions remain end-of-life and unsupported. Organisations still running unsupported Drupal versions should treat emergency patching as a temporary risk reduction measure and migrate to a supported release as a priority.

In addition to applying the update, administrators should confirm whether PostgreSQL is used within their Drupal deployment and review any exposed functionality that accepts complex query parameters from unauthenticated users. Where immediate patching is not possible, web application firewall rules and other compensating controls may help reduce exposure in the short term, but they should not be considered a substitute for applying the Drupal security update.
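
The two checks above (is the site PostgreSQL-backed, and is core at or above a fixed release) can be scripted. The following POSIX shell script is an added example written for this post, not Drupal's or Sentrium's own tooling; it assumes the usual single-database layout in sites/default/settings.php and that the core version is declared as the VERSION constant in core/lib/Drupal.php, and it uses the fixed versions listed above.

```shell
#!/bin/sh
# Fixed core versions as listed in the advisory above.
FIXED_VERSIONS="11.3.10 11.2.12 11.1.10 10.6.9 10.5.10 10.4.10"

# Print the database driver named in sites/default/settings.php (e.g. pgsql, mysql).
# Assumes the usual $databases['default']['default'] = ['driver' => '...'] layout.
drupal_db_driver() {
    sed -n "s/.*'driver'[[:space:]]*=>[[:space:]]*'\([a-z]*\)'.*/\1/p" \
        "$1/sites/default/settings.php" | head -n 1
}

# Print the core version from the VERSION constant in core/lib/Drupal.php.
drupal_core_version() {
    sed -n "s/.*const VERSION *= *'\([0-9.]*\)'.*/\1/p" "$1/core/lib/Drupal.php" | head -n 1
}

# Classify a core version against the fixed list:
# fixed | vulnerable | unsupported-branch (no fixed release listed for that major.minor)
drupal_fix_status() {
    v="$1"
    major_minor="${v%.*}"
    patch="${v##*.}"
    patch="${patch%%-*}"          # drop suffixes such as -dev
    for f in $FIXED_VERSIONS; do
        if [ "${f%.*}" = "$major_minor" ]; then
            if [ "$patch" -ge "${f##*.}" ]; then echo fixed; else echo vulnerable; fi
            return 0
        fi
    done
    echo unsupported-branch
}

# Overall exposure for a Drupal root: only pgsql-backed sites are in scope,
# so any other driver is reported as not-exposed regardless of version.
drupal_cve_2026_9082_exposure() {
    root="$1"
    driver=$(drupal_db_driver "$root")
    version=$(drupal_core_version "$root")
    if [ -z "$driver" ]; then echo "driver-not-found"; return 0; fi
    if [ "$driver" != "pgsql" ]; then echo "not-exposed (driver=$driver)"; return 0; fi
    echo "$(drupal_fix_status "$version") (pgsql, core $version)"
}

# Usage: sh check.sh /var/www/drupal
if [ -n "${1:-}" ]; then drupal_cve_2026_9082_exposure "$1"; fi
```

A result of unsupported-branch means the running major.minor has no fixed release in the list above (for example a Drupal 8 or 9 site), which is the case the migration advice above applies to.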

How can Sentrium help?

Sentrium works with organisations to identify and manage risk arising from vulnerabilities in web applications and content management systems. Through penetration testing and vulnerability assessments, Sentrium helps clients understand real world exploitability and prioritise remediation effectively.

If you are unsure whether CVE-2026-9082 may affect your Drupal environment, or would like independent validation of your remediation efforts, our consultants are happy to arrange a call.

*** This is a Security Bloggers Network syndicated blog from Labs Archive - Sentrium Security authored by Theklis Stefani. Read the original post at: https://www.sentrium.co.uk/labs/drupal-core-sql-injection-vulnerability-cve-2026-9082