CVE-2026-9082: Highly Critical SQL Injection Vulnerability in Drupal Core (SA-CORE-2026-004)
May 21, 2026
By Satnam Narang
A highly critical SQL injection vulnerability in Drupal core's database abstraction layer affects sites running PostgreSQL.
Key Takeaways
CVE-2026-9082 is a highly critical SQL injection vulnerability in Drupal core's database abstraction API that can be exploited by unauthenticated attackers on sites using PostgreSQL.
No exploitation has been observed in the wild, but a detection PoC was published on the same day as the advisory and the patch diff was shared publicly within hours.
Patches are available across six supported Drupal branches, including two exceptional releases for end-of-life versions.
Background
On May 20, Drupal published a security advisory (SA-CORE-2026-004) for a highly critical SQL injection vulnerability in Drupal core:
CVE | Description | CVSSv3
CVE-2026-9082 | Drupal Core SQL Injection Vulnerability | 6.5
The advisory was preceded by a public service announcement (PSA-2026-05-18) on May 18, which warned administrators to prepare for a highly critical release and cautioned that exploitation could occur "within hours or days" of disclosure.
Drupal rates this vulnerability 20 out of 25 on its own risk scoring scale ("Highly Critical"), noting that the confidentiality impact includes "all non-public data accessible" and the integrity impact is "all data modifiable or deletable." NVD assigned a CVSSv3 score of 6.5, rating the confidentiality and integrity impacts as Low. Given the vendor's own characterization of impact and the unauthenticated attack vector, the Drupal risk rating better reflects the potential severity for affected configurations.
Analysis
CVE-2026-9082 is an SQL injection vulnerability in Drupal core's database abstraction API, specifically in the PostgreSQL EntityQuery condition handler. An unauthenticated, remote attacker can exploit this vulnerability by sending specially crafted requests to a vulnerable Drupal site running on PostgreSQL. Successful exploitation could lead to information disclosure, data modification or deletion, and in some configurations, privilege escalation or remote code execution.
User-controlled PHP array keys could reach SQL placeholder construction unsanitized. Drupal fixed this by applying array_values(), which discards the attacker-supplied keys and replaces them with sequential numeric indexes.
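To make the defect concrete, here is an added illustration in plain PHP, not Drupal's own code: the builder functions, the well-formedness check and the constructed input are hypothetical. It shows how a caller-controlled array key lands in the SQL text when placeholder names are derived from keys, and how array_values() removes that path.

```php
<?php
// Added illustration (not Drupal's code): caller-controlled array keys
// leaking into placeholder names, and the array_values() fix.

// Unsafe pattern: placeholder names are derived from the array keys, so
// whatever the caller used as a key becomes part of the SQL string.
function build_in_condition_vulnerable(string $column, array $values): array {
    $placeholders = [];
    $args = [];
    foreach ($values as $key => $value) {
        $name = ':v' . $key;           // key is concatenated into SQL text
        $placeholders[] = $name;
        $args[$name] = $value;
    }
    $sql = sprintf('%s IN (%s)', $column, implode(', ', $placeholders));
    return [$sql, $args];
}

// Fixed pattern (mirrors the advisory's fix): array_values() discards the
// caller's keys, so placeholders are always :v0, :v1, ... regardless of input.
function build_in_condition_fixed(string $column, array $values): array {
    return build_in_condition_vulnerable($column, array_values($values));
}

// Structural check a reviewer can keep: a well-formed clause is exactly
// "<column> IN (:v<digits>, :v<digits>, ...)" and nothing else.
function in_condition_is_well_formed(string $sql): bool {
    return preg_match('/^\w+ IN \(:v\d+(?:, :v\d+)*\)$/', $sql) === 1;
}

// Constructed input: the caller controls the KEY, not only the value.
$untrusted = ['0) INJECTED' => 'anything'];

[$sql, $args] = build_in_condition_vulnerable('nid', $untrusted);
printf("vulnerable: %s  well-formed: %s\n", $sql,
    var_export(in_condition_is_well_formed($sql), true));

[$sql, $args] = build_in_condition_fixed('nid', $untrusted);
printf("fixed:      %s  well-formed: %s\n", $sql,
    var_export(in_condition_is_well_formed($sql), true));

if (!in_condition_is_well_formed($sql)) {
    throw new RuntimeException('fixed builder emitted a malformed IN clause');
}
```

The vulnerable builder embeds the raw key inside the clause and fails the structural check; the fixed builder emits only :v0 and passes it.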
Scope: PostgreSQL only
This vulnerability only affects Drupal sites using PostgreSQL as their database backend. Sites running MySQL, MariaDB, or SQLite are not affected. The vulnerable code resides in Drupal’s PostgreSQL EntityQuery condition handler, which is only invoked on PostgreSQL configurations.
No exploitation observed
At the time this blog post was published on May 21, Drupal's advisory described the exploit status as "Theoretical," and no in-the-wild exploitation had been reported.
Historical exploitation of Drupal Core
Drupal core has a well-documented history of critical vulnerabilities that attracted rapid mass exploitation. CISA's Known Exploited Vulnerabilities (KEV) catalog contains four Drupal entries, two of which have confirmed ransomware use. The Drupalgeddon vulnerabilities (CVE-2018-7600 and CVE-2018-7602) in particular became a case study in how quickly attackers weaponize Drupal flaws once details are available.
CVE | Description | Date Added | Tenable Blogs
CVE-2018-7600 | Drupal Core Remote Code Execution (Drupalgeddon 2) | 2021-11-03 | Critical Drupal Core Vulnerability: What You Need to Know
CVE-2018-7602 | Drupal Core Remote Code Execution (Drupalgeddon 3) | 2022-04-13 | Drupalgeddon Attacks Continue on Sites Missing Security Updates
CVE-2019-6340 | Drupal Core Arbitrary PHP Code Execution | 2022-03-25 | Highly Critical Drupal Security Advisory Released
CVE-2020-13671 | Drupal Core File Extension Sanitization | 2022-01-18 | --
Proof of concept
On the same day as the security release, a detection PoC and reproduction lab was published. The patch diff was also shared on social media within hours of the release.
The minimal complexity of this patch, combined with the availability of AI-powered code analysis tools that can analyze diffs and assist in exploit development, compresses the timeline between patch release and weaponization. Historically, Drupal vulnerabilities of this severity have seen exploitation within hours to days of disclosure. Administrators running PostgreSQL-backed Drupal sites face a shortening window to apply patches before exploitation attempts begin.
Solution
Drupal has released fixed versions across all currently supported branches, as well as exceptional releases for two end-of-life branches due to the severity of this vulnerability:
Affected Versions | Fixed Version
Drupal 11.3.0 - 11.3.9 | 11.3.10
Drupal 11.2.0 - 11.2.11 | 11.2.12
Drupal 11.0.0 - 11.1.9 | 11.1.10 (EOL, exceptional release)
Drupal 10.6.0 - 10.6.8 | 10.6.9
Drupal 10.5.0 - 10.5.9 | 10.5.10
Drupal 10.4.0 - 10.4.9 | 10.4.10 (EOL, exceptional release)
Sites running Drupal 8.9 or 9.5 have reached end-of-life and will not receive packaged updates. However, Drupal has published hotfix files for sites running 9.5.11 or 8.9.20. Sites on Drupal 7 are not affected.
Sites using Drupal Steward are protected against known attack vectors for this vulnerability.
According to the security advisory, these releases also include coordinated upstream security updates for Symfony and Twig. Those updates address vulnerabilities separate from CVE-2026-9082, some of which also affect Drupal core, so even sites not running PostgreSQL benefit from updating to these releases.
Identifying affected systems
A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2026-9082 as they're released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.
Additionally, customers can utilize Tenable Attack Surface Management to identify public facing assets running Drupal by using the following query: CMS contains Drupal.
Author
Satnam Narang
SENIOR STAFF RESEARCH ENGINEER, SECURITY RESPONSE
Satnam joined Tenable in 2018. He has over 15 years experience in the industry (M86 Security and Symantec). He contributed to the Anti-Phishing Working Group, helped develop a Social Networking Guide for the National Cyber Security Alliance, uncovered a huge spam botnet on Twitter and was the first ...
Drupal Security Advisory SA-CORE-2026-004
Drupal PSA-2026-05-18: Pre-release announcement