Drupal Releases Emergency Patch for Critical SQL Injection Flaw (CVE-2026-9082) Affecting PostgreSQL Sites
Drupal released an emergency patch for a highly critical SQL injection vulnerability (CVE-2026-9082) in its database abstraction API, affecting all supported branches and potentially allowing anonymous attackers to execute arbitrary SQL on PostgreSQL sites.

Drupal published an urgent security advisory on May 20, 2026, disclosing a highly critical SQL injection vulnerability (CVE-2026-9082) in its core database abstraction API. The flaw, which carries a risk score of 20 out of 25 on Drupal's own severity scale, affects all supported Drupal branches from version 8.9.0 through 11.3.9, though exploitation is limited to sites using PostgreSQL databases. The Drupal Security Team warned that exploit code could be developed within hours or days of the patch release, mirroring the urgency signaled in a pre-advisory notice issued earlier this week.
The vulnerability resides in Drupal's database abstraction layer, which is designed to sanitize queries and prevent SQL injection. A flaw in this API allows an attacker to send specially crafted requests that bypass sanitization, resulting in arbitrary SQL injection on PostgreSQL-backed sites. According to the advisory, this can lead to information disclosure, privilege escalation, remote code execution, or other attacks. Critically, the vulnerability can be exploited by anonymous users, meaning no authentication is required to trigger the flaw.
Drupal has released patched versions for all supported branches: 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, and 11.3.10. For end-of-life branches such as Drupal 8.9, 9.x, 10.4.x and earlier, and 11.0.x, the security team has provided best-effort patches, though these unsupported versions remain vulnerable to other previously disclosed issues. The advisory strongly recommends that all site administrators update immediately, regardless of whether they use PostgreSQL, because the release also includes critical upstream security fixes for Symfony and Twig dependencies.
The vulnerability was reported by Michael Maturi and fixed by a team of Drupal Security Team members including Björn Brala, Benji Fisher, catch, Lee Rowlands, Dave Long, and Drew Webber. The coordinated release also bundles security updates for Symfony and Twig, which have released their own advisories. Drupal warned that sites with custom configurations or contrib modules that allow users to update Twig templates—such as via Views—may be at additional risk and should review user role permissions.
This incident follows a pattern of critical SQL injection flaws in widely used content management systems. Earlier in May 2026, CISA added a SQL injection vulnerability in BerriAI LiteLLM to its Known Exploited Vulnerabilities catalog, and SAP patched a critical SQL injection in S/4HANA. The Drupal flaw stands out due to its high severity, anonymous exploitability, and the broad installed base of Drupal—estimated at over 1 million sites worldwide. Administrators are urged to apply patches immediately and monitor for signs of compromise, especially on PostgreSQL-backed deployments.
The advisory confirms that the vulnerability (CVE-2026-9082) affects all supported Drupal versions (11.3, 11.2, 11.1, 10.6, 10.5, 10.4) and provides specific patch versions for each branch. Additionally, manual patches have been released for end-of-life Drupal 9.5 and 8.9 as a best-effort measure, though these unsupported versions may still contain other unpatched vulnerabilities.
SecurityWeek reports that the patch also addresses 'important' vulnerabilities in Symfony and Twig that affect Drupal, and Drupal recommends updating these dependencies even for sites not using PostgreSQL. The article notes that there hasn't been a 'highly critical' Drupal flaw in years, and no in-the-wild exploitation of new Drupal bugs has been reported since 2019, contrasting with the Drupalgeddon and Drupalgeddon2 campaigns that were widely exploited before then.
Tenable's analysis provides additional technical details on CVE-2026-9082, noting that user-controlled PHP array keys could reach SQL placeholder construction unsanitized, and Drupal fixed this by applying array_values() to strip attacker-supplied keys. The blog also highlights that a detection PoC and the patch diff were published within hours of the advisory, and warns that AI-powered code analysis tools could accelerate exploit development. Tenable recommends immediate patching for PostgreSQL-backed Drupal sites, emphasizing that even EOL branches received exceptional releases due to the severity.
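To show the mechanism Tenable describes, here is an added PHP illustration (not Drupal's database API or its patch) of a placeholder builder whose names are derived from array keys, the array_values() hardening, and a review check; the function and variable names are assumed for the example.

```php
<?php
// Added illustration, not Drupal's code: untrusted PHP array keys leaking
// into placeholder names, and array_values() removing them.
declare(strict_types=1);

/**
 * Builds a "column IN (...)" fragment with one named placeholder per value.
 * This unsafe variant derives each placeholder name from the caller's array
 * key, so a non-numeric key is copied straight into the SQL text.
 */
function buildInClauseUnsafe(string $column, array $values): array
{
    $placeholders = [];
    $args = [];
    foreach ($values as $key => $value) {
        $name = ':' . $column . '_' . $key; // $key may come from the request
        $placeholders[] = $name;
        $args[$name] = $value;
    }
    return [
        'sql'  => $column . ' IN (' . implode(', ', $placeholders) . ')',
        'args' => $args,
    ];
}

/**
 * Hardened variant: array_values() re-indexes the array to 0..n-1, so the
 * placeholder names are built only from integers this function controls.
 */
function buildInClauseSafe(string $column, array $values): array
{
    return buildInClauseUnsafe($column, array_values($values));
}

/** Review check: every placeholder must have the form :name_<integer>. */
function placeholdersAreNumeric(array $query): bool
{
    foreach (array_keys($query['args']) as $placeholder) {
        if (!preg_match('/^:[A-Za-z_]+_\d+$/', $placeholder)) {
            return false;
        }
    }
    return true;
}

// Constructed input whose keys are assumed to originate from a request.
$untrusted = ['legit' => 1, 'some text' => 2];
$unsafe = buildInClauseUnsafe('nid', $untrusted); // raw key text reaches the SQL string
$safe   = buildInClauseSafe('nid', $untrusted);   // names are derived from 0..n-1 only
var_dump(placeholdersAreNumeric($unsafe), placeholdersAreNumeric($safe));
```

The check is the kind of assertion a code reviewer or unit test can apply to any query builder: if a placeholder name contains anything other than a fixed prefix and an integer, untrusted input has reached the query text.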
Drupal has updated its advisory for CVE-2026-9082 to reflect active exploitation attempts in the wild, raising the risk score from 20 to 23. Imperva reported over 15,000 exploitation attempts targeting nearly 6,000 sites across 65 countries, with almost half aimed at gaming and financial services. The activity is currently dominated by reconnaissance, but successful exploitation could lead to data extraction or privilege escalation.
CISA has since added CVE-2026-9082 to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. Under Binding Operational Directive 22-01, Federal Civilian Executive Branch agencies must remediate the flaw by May 27, 2026. CISA strongly urges all organizations, not just federal agencies, to prioritize patching this actively exploited vulnerability as part of their vulnerability management practices.
Most of the attempts Imperva observed appear to be probing for vulnerable PostgreSQL-backed Drupal configurations, but successful exploitation could enable privilege escalation and remote code execution. Organizations running exposed Drupal instances should apply the patches immediately and monitor for suspicious SQL queries.
Shadowserver reports that nearly 670 unpatched Drupal instances remain exposed online, mostly in North America and Europe, underscoring the urgency for all organizations to remediate the flaw.