The Drupal Security Team has released an urgent advisory detailing a highly critical vulnerability in the platform’s core database abstraction interface. Tracked under the security advisory identifier SA-CORE-2026-004 and assigned CVE-2026-9082, the flaw threatens enterprise content management systems running a specific database configuration.
Because the vulnerability can be exploited remotely without any account authentication, organizations running the affected architecture are strongly urged to patch their systems immediately to prevent full server compromise.
Drupal core relies on a robust database abstraction API specifically engineered to ensure that any structured query executed against the backend database engine is properly stripped, parameterized, and sanitized. This sanitization abstraction layer serves as a primary line of defense against traditional SQL injection (SQLi) attacks.
The security breakdown occurs directly within this database API. Due to a processing logic failure, an attacker can submit specially crafted HTTP requests that slip completely past the sanitization constraints.
Crucially, this bug carries an environmental restriction: the arbitrary SQL injection vulnerability only affects Drupal websites using a PostgreSQL database backend. While sites running on MySQL, MariaDB, or SQLite are insulated from the direct SQL injection path, the platform’s maintainers emphasize that the update should not be ignored in those environments either.
Because a remote, unauthenticated user can trigger the vulnerability without supplying a single valid username or password, the risk profile is exceptionally high.
Once an anonymous attacker successfully forces the database API into executing raw SQL instructions, the compromise path can rapidly escalate across multiple domains depending on the underlying database privileges:
- Information Disclosure: Attackers can read sensitive backend tables, dumping cleartext user attributes, site configurations, and proprietary database content.
- Privilege Escalation: By injecting commands into core authorization maps, attackers can instantly elevate standard or anonymous web sessions to full administrative status.
- Remote Code Execution (RCE): Under specific administrative PostgreSQL environments, malicious actors can leverage advanced database functions to break out of the database wrapper entirely, achieving full execution rights over the host operating system.
The security release is a combined update. Coordinated with major upstream maintenance notifications, the new Drupal releases for all supported major branches (11.3, 11.2, 10.6, and 10.5) also bundle critical third-party dependency patches.
Specifically, the updates integrate urgent, coordinated security fixes from the Symfony and Twig open-source projects. Because multiple core components inside Drupal rely deeply on these upstream dependencies, certain site configurations may be independently vulnerable to severe flaws within those template and framework engines.
Consequently, administrators must treat this rollout as mandatory, regardless of their database choice:
“Depending on your site configuration and contrib modules, you may be vulnerable to one or more of these upstream issues, so updating these dependencies is highly recommended whether the SQL Injection vulnerability affects you or not.”
Additionally, security teams are highly advised to perform an immediate access control audit to review exactly which internal user roles hold permissions to modify or update active Twig templates, paying special attention to configurations handled via the Views module or custom contributed extensions.
The Drupal development team has made official security releases available across all active lines. Because older legacy release branches like Drupal 11.1.x, Drupal 11.0.x, and Drupal 10.4.x are officially end-of-life (EOL) and no longer receive automated security packaging, teams running these systems must immediately migrate to a supported branch to close the exposure window.
Administrators should apply the following updates immediately based on their active environment:
Drupal 11
- If you use Drupal 11.3.x, update to Drupal 11.3.10.
- If you use Drupal 11.2.x, update to Drupal 11.2.12.
- If you use Drupal 11.1.x or 11.0.x, update to Drupal 11.1.10.
Drupal 10
- If you use Drupal 10.6.x, update to Drupal 10.6.9.
- If you use Drupal 10.5.x, update to Drupal 10.5.10.
- If you use Drupal 10.4.x or earlier, update to Drupal 10.4.10.
Drupal 9 and 8
- If you use any version of Drupal 9, try manually applying the Drupal 9.5 patch for this issue.
- If you use Drupal 8.9, try manually applying the Drupal 8.9 patch for this issue.
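Because the required release differs per branch, a fleet-wide check is easier to script than to eyeball. The following Python script is an added example, not part of the advisory or of Drupal's own tooling: it reads the installed `drupal/core` (or `drupal/core-recommended`) version from a `composer.lock` and maps it onto the release list above. The fixed-version table is copied from that list; the embedded `composer.lock` fragment is constructed for the example, and the function names are the example's own.

```python
"""Check a Drupal site's composer.lock against the fixed releases listed
for SA-CORE-2026-004. Added example; the fixed-version table comes from
the advisory's update list, and the composer.lock sample is constructed."""
import json

# Minimum fixed release per supported branch, as listed in the advisory.
# Key: (major, minor) of the installed core; value: release to move to.
FIXED_RELEASES = {
    (11, 3): "11.3.10",
    (11, 2): "11.2.12",
    (11, 1): "11.1.10",
    (11, 0): "11.1.10",
    (10, 6): "10.6.9",
    (10, 5): "10.5.10",
}
# 10.4.x and earlier 10.x branches: update to 10.4.10.
LEGACY_10_FIXED = "10.4.10"
# Branches with no new release; the advisory says to apply the patch manually.
PATCH_ONLY_MAJORS = {8, 9}

CORE_PACKAGES = ("drupal/core", "drupal/core-recommended")


def parse_version(text):
    """Return a tuple of ints for a 'major.minor.patch' string, or None."""
    parts = text.lstrip("v").split(".")
    try:
        return tuple(int(p) for p in parts)
    except ValueError:
        return None  # dev/beta strings such as 11.x-dev are not comparable


def installed_core_version(lock_json):
    """Find the installed Drupal core version in a composer.lock document."""
    for pkg in lock_json.get("packages", []):
        if pkg.get("name") in CORE_PACKAGES:
            return pkg.get("version")
    return None


def assess(version_text):
    """Classify an installed core version against the advisory.

    Returns (status, required) where status is one of
    'fixed', 'update', 'patch' or 'unknown'."""
    v = parse_version(version_text) if version_text else None
    if v is None or len(v) < 3:
        return ("unknown", None)
    major, minor = v[0], v[1]
    if major in PATCH_ONLY_MAJORS:
        return ("patch", f"{major}.x patch")
    if (major, minor) in FIXED_RELEASES:
        required = FIXED_RELEASES[(major, minor)]
    elif major == 10 and minor <= 4:
        required = LEGACY_10_FIXED
    else:
        return ("unknown", None)  # branch not covered by the advisory list
    return ("fixed" if v >= parse_version(required) else "update", required)


# Constructed composer.lock fragment (not taken from any real site).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "twig/twig", "version": "v3.21.1"},
        {"name": "drupal/core", "version": "11.2.9"},
    ]
})


def check_lock(lock_text):
    """Return (installed, status, required) for a composer.lock string."""
    installed = installed_core_version(json.loads(lock_text))
    status, required = assess(installed)
    return (installed, status, required)


if __name__ == "__main__":
    installed, status, required = check_lock(SAMPLE_LOCK)
    print(f"drupal/core {installed}: {status}"
          + (f" (advisory release: {required})" if required else ""))
```

Run it against each site's real `composer.lock` by replacing `SAMPLE_LOCK` with the file's contents; a result of `update` or `patch` means the site is still exposed, and `unknown` (a dev snapshot or a branch not in the advisory's list) needs a manual look rather than being assumed safe.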
Update:
Drupal has updated the advisory to warn that this vulnerability has been exploited in the wild. The CVSS score is 9.1.