Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks - The Hacker News

Source: The Hacker News. Archived May 24, 2026 (full text saved).

Ravie Lakshmanan, May 21, 2026. Web Security / Vulnerability

Drupal has released security updates for a "highly critical" security vulnerability in Drupal Core that could be exploited by attackers to achieve remote code execution, privilege escalation, or information disclosure.

The vulnerability, now tracked as CVE-2026-9082, carries a CVSS score of 6.5 out of 10.0, per CVE.org.

Drupal said the vulnerability resides in a database abstraction API that is used in Drupal Core to validate queries and ensure they are sanitized against SQL injection attacks.

"A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases," it said. "This can lead to information disclosure, and in some cases privilege escalation, remote code execution, or other attacks."

Drupal noted the security flaw can be exploited by anonymous users, and impacts only sites that use PostgreSQL. The following versions address the issue:

Drupal 11.3.10
Drupal 11.2.12
Drupal 11.1.10
Drupal 10.6.9
Drupal 10.5.10
Drupal 10.4.10

Drupal 7 isn't affected. The releases for supported branches (versions 11.3, 11.2, 10.6, and 10.5) include upstream security updates for Symfony and Twig, making it essential that the latest versions are installed.

As previously disclosed by Drupal, manual patches have also been released for Drupal versions 9 and 8, which have reached end-of-life:

Drupal 9.5
Drupal 8.9

"Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage," Drupal said. "Drupal 8 and Drupal 9 have both reached end-of-life."

"Due to this issue's severity, the unsupported releases and patches for unsupported versions are provided as a best effort. Those unsupported versions will still have other, previously disclosed security vulnerabilities."
Update

Searchlight Cyber has released two working proof-of-concept (PoC) exploits for CVE-2026-9082, stating the vulnerability can be exploited by anonymous users on any deployment that backs Drupal with PostgreSQL. "Both are gated on PostgreSQL being the database backend, so MySQL and SQLite installs are not exploitable through these paths," researchers Patrik Grobshäuser, Kevin Gervot, and Tomais Williamson said. "The upgrade is still worth picking up on those installs for the bundled Symfony and Twig advisories that the same Drupal release carries."
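A patch-state triage helper, added here as an example (not Drupal's or The Hacker News' code), that encodes the fixed-release list, end-of-life statements and PostgreSQL-only exposure from the advisory above; how the installed version and database driver are gathered (for instance from `drush status`) is an assumption left to the caller.

```python
"""Patch-state triage for CVE-2026-9082 (Drupal core SQL injection, PostgreSQL only).

Added example, not Drupal's or The Hacker News' code. The tables encode only
what the advisory states: fixed releases per branch, which branches are EOL,
and that only PostgreSQL-backed sites are affected. How the caller obtains the
installed version and database driver (e.g. `drush status`) is an assumption.
"""
from __future__ import annotations

# Fixed releases per (major, minor) branch, as listed in the advisory.
FIXED = {
    (11, 3): (11, 3, 10), (11, 2): (11, 2, 12), (11, 1): (11, 1, 10),
    (10, 6): (10, 6, 9), (10, 5): (10, 5, 10), (10, 4): (10, 4, 10),
}
SUPPORTED = {(11, 3), (11, 2), (10, 6), (10, 5)}  # still under security coverage
MANUAL_PATCH = {(9, 5), (8, 9)}                    # EOL; best-effort manual patch only


def parse_version(text: str) -> tuple[int, int, int]:
    """'10.5.9' -> (10, 5, 9); a missing patch component counts as 0."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def triage(version: str, db_driver: str) -> tuple[bool, str]:
    """Return (exposed_to_cve, recommended_action).

    Exposed only when the injection path applies: PostgreSQL backend ('pgsql'
    is Drupal's driver name) and a release below its branch fix or an EOL branch.
    """
    installed = parse_version(version)
    branch = installed[:2]
    on_pgsql = db_driver.lower() == "pgsql"
    if installed[0] == 7:
        return False, "Drupal 7 is not affected"
    if branch in FIXED:
        fixed = FIXED[branch]
        if installed >= fixed:
            return False, "already at or above the fixed release"
        target = ".".join(map(str, fixed))
        note = "" if branch in SUPPORTED else " (branch is EOL; fix provided best-effort)"
        if on_pgsql:
            return True, f"upgrade to {target}{note}"
        return False, (f"not exploitable without PostgreSQL; still upgrade to {target} "
                       f"for the bundled Symfony/Twig fixes{note}")
    if branch in MANUAL_PATCH:
        return on_pgsql, "EOL branch: apply the manual best-effort patch; other disclosed flaws remain"
    return on_pgsql, "branch not listed in the advisory: 11.0.x, 10.3.x and below are EOL with no fix"
```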