CVE-2026-9082
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal core allows SQL Injection.
This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in Drupal core's database abstraction API allows unauthenticated attackers to execute arbitrary SQL on PostgreSQL databases, leading to information disclosure and potential RCE.
Vulnerability
Drupal core's database abstraction API does not properly neutralize special elements in SQL commands, producing a SQL injection vulnerability [1]. Affected releases are Drupal core from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, and from 11.3.0 before 11.3.10. The vulnerability is only exploitable on sites that use a PostgreSQL database [1].
Exploitation
An attacker with network access to a vulnerable site can exploit the flaw without authentication or user interaction by sending specially crafted requests [1]. The requests reach the database abstraction layer, which fails to sanitize the input before constructing SQL queries [1].
Impact
Successful exploitation allows an attacker to perform arbitrary SQL injection, leading to information disclosure, privilege escalation, remote code execution, or other attacks [1]. The impact can affect all data managed by the Drupal site, potentially compromising the entire application [1].
Mitigation
Drupal has released fixed versions: 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, and 10.4.10 [1]. Administrators should update to the appropriate patched version immediately. The advisory also includes security updates for Symfony and Twig dependencies, which are recommended regardless of PostgreSQL usage [1]. No workarounds are provided; updating is the only mitigation [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=8.9.0 <10.4.10 || >=10.5.0 <10.5.10 || >=10.6.0 <10.6.9 || >=11.0.0 <11.1.10 || >=11.2.0 <11.2.12 || >=11.3.0 <11.3.10
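A check a practitioner would run before deciding whether this advisory applies, added here as an example (it is not code from Drupal or from the advisory): classify an installed core version against the ranges listed above, read that version from composer.lock or from the VERSION constant in core/lib/Drupal.php, and confirm whether settings.php declares the pgsql driver, since the advisory restricts exploitability to PostgreSQL-backed sites. The composer.lock, Drupal.php and settings.php fragments are constructed sample inputs; the status strings and the triage wording are this example's own.

```python
"""Classify an installed Drupal core against the CVE-2026-9082 affected ranges.

Added example for this page; not code from Drupal or from the advisory.
The ranges below are copied from the "Affected products" data above.
"""
import json
import re

# (inclusive lower bound, exclusive upper bound), as listed on this page.
AFFECTED_RANGES = [
    ("8.9.0", "10.4.10"),
    ("10.5.0", "10.5.10"),
    ("10.6.0", "10.6.9"),
    ("11.0.0", "11.1.10"),
    ("11.2.0", "11.2.12"),
    ("11.3.0", "11.3.10"),
]


def version_key(version: str) -> tuple:
    """Sortable key for a core version string such as '10.5.3' or '11.3.10-rc1'.
    A pre-release sorts below its final release, so '11.3.10-rc1' still falls
    inside the '>=11.3.0 <11.3.10' range and is reported as affected."""
    core, _, pre = version.lstrip("v").partition("-")
    nums = [int(p) for p in core.split(".")]
    nums += [0] * (3 - len(nums))
    return (tuple(nums[:3]), 0 if pre else 1, pre)


def assess(version: str) -> str:
    """Return 'affected', 'not in a listed range' or 'older than listed ranges'."""
    k = version_key(version)
    if any(version_key(lo) <= k < version_key(hi) for lo, hi in AFFECTED_RANGES):
        return "affected"
    if k < version_key(AFFECTED_RANGES[0][0]):
        # The page's ranges start at 8.9.0 and say nothing about older
        # releases, so do not report them as fixed.
        return "older than listed ranges"
    return "not in a listed range"


def core_version_from_composer_lock(lock_text: str):
    """Version of drupal/core (or drupal/core-recommended) from composer.lock."""
    for pkg in json.loads(lock_text).get("packages", []):
        if pkg.get("name") in ("drupal/core", "drupal/core-recommended"):
            return pkg.get("version")
    return None


def core_version_from_drupal_php(php_text: str):
    """Version from the VERSION constant in core/lib/Drupal.php."""
    m = re.search(r"const\s+VERSION\s*=\s*'([^']+)'", php_text)
    return m.group(1) if m else None


def uses_pgsql(settings_text: str) -> bool:
    """True if settings.php declares a 'pgsql' driver for any connection.
    The advisory says only PostgreSQL-backed sites are exploitable."""
    return re.search(r"'driver'\s*=>\s*'pgsql'", settings_text) is not None


def triage(version: str, pgsql: bool) -> str:
    """Combine version status and database driver into a one-line verdict."""
    status = assess(version)
    if status == "affected" and pgsql:
        return f"{version}: affected and on PostgreSQL; update now"
    if status == "affected":
        return f"{version}: affected version; not PostgreSQL, still update"
    return f"{version}: {status}"


# Constructed sample inputs (not taken from a real site).
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.5.3"},
        {"name": "symfony/http-kernel", "version": "6.4.0"},
    ]
})
SAMPLE_DRUPAL_PHP = "class Drupal {\n  const VERSION = '11.2.12';\n}\n"
SAMPLE_SETTINGS_PHP = (
    "$databases['default']['default'] = array(\n"
    "  'driver' => 'pgsql',\n"
    "  'database' => 'drupal',\n"
    ");\n"
)

if __name__ == "__main__":
    pgsql = uses_pgsql(SAMPLE_SETTINGS_PHP)
    print(triage(core_version_from_composer_lock(SAMPLE_COMPOSER_LOCK), pgsql))
    print(triage(core_version_from_drupal_php(SAMPLE_DRUPAL_PHP), pgsql))
```

On a real site, feed the script the contents of composer.lock (or core/lib/Drupal.php for a tarball install) and sites/default/settings.php; a version that is affected on a non-PostgreSQL backend is still flagged for update because the same advisory bundles the Symfony and Twig updates.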
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
- [1] Drupal core - Highly critical - SQL injection - SA-CORE-2026-004 · Drupal Security Advisories · May 20, 2026