Vypr advisory · Published Jun 17, 2026 · 1 source

Drupal Core Gadget Chain CVE-2026-55804 Opens Door to RCE and SQL Injection

Drupal disclosed a moderately critical gadget chain vulnerability (CVE-2026-55804) in core that can enable remote code execution or SQL injection when combined with an insecure deserialization flaw.

The Drupal Security Team on June 17, 2026, published an advisory for CVE-2026-55804, a gadget chain vulnerability affecting all supported branches of Drupal core. The flaw is rated moderately critical with a CVSS score of 14 out of 25, but its practical risk is elevated because it can be chained with other bugs to achieve severe outcomes like remote code execution (RCE) or SQL injection.

A gadget chain is not a standalone exploit. It is a collection of methods within the application that, when triggered by an insecure deserialization vulnerability elsewhere, can be used to execute arbitrary code or manipulate database queries. In this case, Drupal core contains a chain of methods that become dangerous only if an attacker can pass untrusted data to PHP's unserialize() function through a separate flaw. The advisory explicitly states that the issue is "not directly exploitable" and requires a secondary vulnerability to be present.

The affected versions span all actively supported Drupal branches: versions prior to 10.5.12, 10.6.x before 10.6.11, 11.2.x before 11.2.14, and 11.3.x before 11.3.12. End-of-life branches such as Drupal 11.0.x, 11.1.x, 10.4.x, and all Drupal 8 and 9 releases do not receive security coverage and remain vulnerable if still in use.

Administrators are urged to update immediately to the latest patched releases: Drupal 11.3.12, 11.2.14, 10.6.11, or 10.5.12, depending on their current deployment. The Drupal Security Team coordinated the fix with contributions from Michael Maturi, who reported the issue, and Lee Rowlands, Drew Webber, and Mohit Aghera, who implemented the patch. The advisory credits a large team of security coordinators including Anna Kalata, Benji Fisher, Greg Knaddison, and others.

While the vulnerability itself is theoretical in nature, its presence in a widely deployed content management system like Drupal—which powers millions of websites—means that any additional insecure deserialization bug discovered in the future could immediately become critical. Security teams should treat this advisory as a reminder to audit custom code and contributed modules for unsafe unserialize() calls, as those are the necessary trigger for this gadget chain.
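As an added illustration (not code from the advisory or from Drupal), this is the pattern such an audit is looking for in custom or contributed code, beside two hardened forms. The cookie-backed preference loader is a hypothetical stand-in, and the object smuggled in the constructed payload is an ordinary class, not any gadget from core.

```php
<?php
// Added illustration, not Drupal code: a gadget chain in core, contrib or
// custom code only fires if attacker-controlled bytes reach unserialize().

// Hypothetical custom-module pattern: user state round-tripped through a cookie.
function load_prefs_unsafe(string $cookie): mixed
{
    // Untrusted bytes straight into unserialize(): every loaded class whose
    // __wakeup()/__destruct() has side effects becomes reachable.
    return unserialize($cookie);
}

// Hardened: refuse object instantiation entirely. Objects in the payload
// become __PHP_Incomplete_Class, so no magic method of any gadget runs.
function load_prefs_hardened(string $cookie): array
{
    $data = unserialize($cookie, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return [];
    }
    // Keep only the scalar values the feature actually expects.
    return array_filter($data, 'is_scalar');
}

// Better still: a format that cannot carry PHP objects at all.
function load_prefs_json(string $cookie): array
{
    $data = json_decode($cookie, true, 8, JSON_THROW_ON_ERROR);
    return is_array($data) ? array_filter($data, 'is_scalar') : [];
}

// Constructed sample: a preferences array that smuggles in an object.
$payload = serialize(['theme' => 'dark', 'x' => new ArrayObject([])]);

// Unsafe loader instantiates the object; hardened loader drops it.
var_dump(load_prefs_unsafe($payload)['x'] instanceof ArrayObject);
var_dump(load_prefs_hardened($payload));
var_dump(load_prefs_json(json_encode(['theme' => 'dark'])));
```

A repository-wide search for `unserialize(` that reports each call site not passing `allowed_classes` is a quick first pass; any hit fed by request, cookie, database or file content is the secondary flaw the advisory says this chain requires.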

This disclosure follows a busy period for Drupal security. On June 3, 2026, the project released four advisories covering separate vulnerabilities, and earlier in June it patched an SSRF flaw in the oEmbed discovery feature (CVE-2026-55807) and a cache poisoning issue (CVE-2026-55806). The cumulative effect underscores the importance of staying current with Drupal core updates, as each patch closes a potential entry point that could be combined with others for a full compromise.

For organizations still running Drupal 7 or earlier unsupported versions, this advisory is another strong signal to migrate to a supported release. Without security coverage, any future deserialization bug in the core or contributed modules could leave sites exposed to the gadget chain with no official fix available.

Synthesized by Vypr AI