Lead Analysis

Drupal Releases Emergency Patch for Critical SQL Injection Vulnerability with RCE Risk in PostgreSQL Sites

Image: IT administrator facing monitors showing critical alerts in a server room in the early hours.

Without requiring authentication, CVE-2026-9082 has been scored 20/25 in Drupal's risk system and may lead to remote code execution in installations using PostgreSQL. Patch available this Thursday.

On Thursday, 21 May, Drupal published security advisory SA-CORE-2026-004, which addresses CVE-2026-9082, classified as "highly critical" with a score of 20 out of 25 in the platform's internal risk system. The vulnerability resides in Drupal Core's database abstraction API and allows any unauthenticated visitor to inject arbitrary SQL into installations that use PostgreSQL as their database backend.


The classification of AC:None and A:None in the technical scoring confirms the absence of any access or privilege prerequisites for exploitation. Any automated script can trigger the attack without credentials, without special configuration, and without any action by a legitimate user. The Drupal Security Team did not identify any active exploitation at the time of disclosure, but vulnerabilities with equivalent scoring and anonymous access vectors have historically recorded mass exploitation attempts within 24 to 48 hours of an advisory's publication.


How the Vulnerability Works


The query validation API in Drupal Core does not properly sanitise certain inputs before sending them to the PostgreSQL driver. An attacker sends specially crafted requests that bypass the abstraction layer's filters, allowing the injection of arbitrary SQL commands directly into the application's database. The vulnerability affects both direct queries and those dynamically generated by contrib modules that extend the CMS's native functionality.


The consequences documented by the Drupal Security Team include exposure of sensitive data stored in the database, privilege escalation within the application and, depending on the permissions of the database user configured for Drupal, remote code execution on the host server. Installations using MySQL, MariaDB, or SQLite are not affected: the vulnerability resides in the specific implementation of the PostgreSQL driver within Drupal's abstraction layer.


Affected Versions and Remediation Path


The vulnerability impacts the entire active support line of Drupal: versions from 8.9.0 to 10.4.9, 10.5.0 to 10.5.9, 10.6.0 to 10.6.8, and 11.0.0 to 11.3.9. The Drupal Security Team has released patches for the four actively maintained branches (11.3, 11.2, 10.6, and 10.5) and emergency updates for the legacy branches 11.1.x, 10.4.x, 9.5.x, and 8.9.x, which are technically end-of-life but present in production in a significant number of enterprise installations.


No alternative mitigation has been documented. The only remedy is the immediate upgrade to the latest version available within the branch in use. The project does not recommend Web Application Firewalls as a substitute for the patch, as malicious requests can be obfuscated to bypass signatures based on known patterns. Administrators using automatic updates via Composer should validate deployment logs before considering the instance secured.


Why Corporate Security Teams Should Act Now


Drupal is installed in customer portals, intranet systems, and content management platforms across regulated sectors, including government agencies, hospitals, banks, and universities. In these environments, PostgreSQL is often the database choice due to open-source licensing and compliance with internal policies. The combination of anonymous access enabled by platform design and the complete absence of authentication as an exploitation requirement creates a vector that is directly accessible through large-scale automated scans.


Drupal instances hosted on managed databases such as Amazon RDS for PostgreSQL, Google Cloud SQL, or Azure Database for PostgreSQL are equally vulnerable: the flaw lies in the Drupal application code, not in the managed database infrastructure layer. The presence of aggressive caching layers such as Varnish or Redis may temporarily obscure the exposure but does not prevent direct exploitation of the vulnerable API endpoints.


Vulnerability management teams should treat CVE-2026-9082 as a top priority while conducting an inventory of Drupal instances using PostgreSQL. The score of 20/25 exceeds the threshold that most organisations use to trigger emergency maintenance windows outside the regular patching cycle.
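To support the inventory just described, the following is an added triage helper (not Drupal's or the advisory's own code) that checks each instance's core version against the affected ranges listed in the remediation section above and flags only the PostgreSQL-backed ones. It assumes the inventory has already been collected as (host, core version, database driver) tuples; the hostnames and versions in the sample are constructed.

```python
# Added triage helper for CVE-2026-9082 (not Drupal code): flags instances whose
# core version falls in an affected range from SA-CORE-2026-004 and whose
# database driver is PostgreSQL. Other drivers are unaffected per the advisory.

# Affected ranges exactly as listed in the advisory (inclusive on both ends).
AFFECTED_RANGES = [
    ((8, 9, 0), (10, 4, 9)),
    ((10, 5, 0), (10, 5, 9)),
    ((10, 6, 0), (10, 6, 8)),
    ((11, 0, 0), (11, 3, 9)),
]

def parse_version(text):
    """'10.4.9' -> (10, 4, 9); tolerates a 'v' prefix and a pre-release suffix."""
    core = text.strip().lstrip("v").split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Drupal core version: {text!r}")
    return tuple(int(p) for p in parts)

def version_in_affected_range(version):
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def uses_postgresql(driver):
    # Drupal's settings.php names the PostgreSQL driver 'pgsql'.
    return driver.strip().lower() == "pgsql"

def triage(instances):
    """instances: iterable of (host, core_version, db_driver) tuples.
    Returns (host, reason) for every instance needing the emergency patch."""
    return [
        (host, f"core {ver} on pgsql")
        for host, ver, drv in instances
        if uses_postgresql(drv) and version_in_affected_range(ver)
    ]

# Constructed sample inventory: hostnames and versions are made up.
SAMPLE = [
    ("portal.example.internal", "10.4.9", "pgsql"),
    ("intranet.example.internal", "11.3.9", "pgsql"),
    ("blog.example.internal", "11.3.9", "mysql"),
    ("docs.example.internal", "9.5.11", "pgsql"),
]

if __name__ == "__main__":
    for host, why in triage(SAMPLE):
        print(f"PATCH NOW: {host} ({why})")
```

A version just above a range's upper bound is reported as not affected only because the advisory ranges end there; confirm the actual fixed release for each branch against the advisory before closing a finding.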


The disclosure of this vulnerability comes in the same week that the TeamPCP group compromised approximately 3,800 internal GitHub repositories via a tampered Visual Studio Code extension. Both incidents illustrate the same thesis of risk: the software supply chain, from the development tool to the production CMS, remains the vector of greatest impact and least visibility in corporate security strategies.
