Critical PHP Object Injection Vulnerability in Drupal Core (CVE-2026-55803) Requires Urgent Patching
Drupal has disclosed a critical PHP object injection flaw (CVE-2026-55803) in core that attackers could exploit via JSON:API write operations, urging updates within 24 hours.

Drupal released a security advisory on June 17, 2026, detailing a critical PHP object injection vulnerability (CVE-2026-55803) affecting core versions prior to 10.5.12, 10.6.11, 11.2.14, and 11.3.12. The flaw, rated 18 out of 25 on the Drupal security risk scale, arises from incomplete protections in JSON:API write operations that handle serialized data stored in entity reference fields. An attacker with appropriate JSON:API write permissions could inject a malicious payload, potentially leading to arbitrary code execution or other compromise.
The vulnerability targets fields that store serialized properties, a condition Drupal notes is extremely rare. No field type shipped with Drupal core meets the exploitable criteria, and contributed or user-created field types that store serialized data appear to be unusual. The Drupal Security Team nonetheless notes that the update protects all such fields, so the underlying code path is hardened regardless of which field types a site uses. The risk is further mitigated by the fact that JSON:API is read-only by default; only sites that have explicitly enabled write access—either through administrator configuration or a contributed or custom module—are exposed.
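For sites that have enabled JSON:API write access and cannot patch immediately, a coarse log- or proxy-side triage for the vector described above is a reasonable compensating control. The following is an added example, not code from Drupal or the advisory: it walks the decoded body of JSON:API POST/PATCH requests and flags any string attribute that embeds a serialized PHP object token (`O:<len>:"<class>":<n>:{`). The `/jsonapi/` path prefix, the field name `field_custom`, the sample requests and the function names are all assumptions constructed for the example.

```python
import json
import re

# Serialized PHP object tokens: O:<len>:"<class>":<n>:{ and C:<len>:"<class>":<n>:{
# The lookbehind avoids matching inside an unrelated identifier such as FOO:1:"x":0:{.
PHP_OBJECT_RE = re.compile(r'(?<![A-Za-z0-9_])[OC]:\d+:"[^"]*":\d+:\{')


def find_serialized_objects(value, path="$"):
    """Recursively walk a decoded JSON document; return JSON paths whose
    string values contain a serialized PHP object token."""
    hits = []
    if isinstance(value, str):
        if PHP_OBJECT_RE.search(value):
            hits.append(path)
    elif isinstance(value, dict):
        for key, child in value.items():
            hits.extend(find_serialized_objects(child, f"{path}.{key}"))
    elif isinstance(value, list):
        for idx, child in enumerate(value):
            hits.extend(find_serialized_objects(child, f"{path}[{idx}]"))
    return hits


def triage_request(method, path, body):
    """Return a finding for a JSON:API write request whose body carries
    serialized PHP objects, or None for reads, non-JSON or clean bodies."""
    if method.upper() not in ("POST", "PATCH") or not path.startswith("/jsonapi/"):
        return None
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    hits = find_serialized_objects(doc)
    return {"method": method, "path": path, "fields": hits} if hits else None


# Constructed sample requests (hypothetical, not captured traffic).
SAMPLE_REQUESTS = [
    ("GET", "/jsonapi/node/article", ""),
    ("PATCH", "/jsonapi/node/article/<uuid>", json.dumps({"data": {
        "type": "node--article", "id": "<uuid>",
        "attributes": {"title": "Hello", "body": {"value": "plain text"}}}})),
    ("PATCH", "/jsonapi/node/article/<uuid>", json.dumps({"data": {
        "type": "node--article", "id": "<uuid>",
        "attributes": {"field_custom": 'a:1:{i:0;O:8:"stdClass":0:{}}'}}})),
]


def triage_all(requests=SAMPLE_REQUESTS):
    """Triage a batch of (method, path, body) tuples; return only the findings."""
    return [f for f in (triage_request(*r) for r in requests) if f]


if __name__ == "__main__":
    for finding in triage_all():
        print(finding)
```

The signature is deliberately coarse: it flags any serialized-object token, including harmless ones a site may legitimately store, so findings need review against the site's own field configuration.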
Drupal Steward, the project's Web Application Firewall (WAF) service, provides partial protection against this vulnerability. According to the advisory, the Steward WAF rules are expected to mitigate common and obvious attack vectors, but may not cover every exploitation path or work reliably across all hosting providers. Because several concurrent core advisories released the same day are not covered by Steward, Drupal strongly recommends applying the core update itself within 24 hours.
The vulnerability was reported by Michael Maturi and fixed by a team including Björn Brala, Sascha Grossenbacher, Lee Rowlands, Dave Long, and Drew Webber, all from the Drupal Security Team, with coordination by Anna Kalata, Benji Fisher, and others. The patch addresses a follow-on oversight from SA-CORE-2019-003, which previously added protections for serialized data fields but missed the JSON:API attack surface.
Organizations running Drupal should update to Drupal 11.3.12 (for 11.3.x), 11.2.14 (for 11.2.x), 10.6.11 (for 10.6.x), or 10.5.12 (for 10.5.x). Versions 11.0.x, 11.1.x, 10.4.x, and all earlier releases are end-of-life and do not receive security coverage. The disclosure underscores the ongoing challenge of securing serialization and deserialization paths in modern web frameworks, a vector that has driven numerous critical vulnerabilities in CMS platforms.