Drupal published emergency security advisory SA-CORE-2026-004 on 20 May, disclosing CVE-2026-9082, a SQL injection vulnerability in Drupal’s database abstraction layer that affects all Drupal sites configured to use PostgreSQL as the database backend. The advisory was rated “Highly Critical” on Drupal’s own risk scoring scale (20/25) — the same rating assigned to major historical Drupal vulnerabilities that attracted mass exploitation within hours.
Drupal explicitly warned in the advisory that the vulnerability is of a class that typically sees exploit code developed rapidly, and that sites should be patched as a priority without waiting for a maintenance window.
Vulnerability Details
The SQL injection vulnerability exists in Drupal core’s database abstraction API — the layer that processes all database queries across Drupal core and contributed modules. A flaw in how the API sanitises certain query parameters allows an unauthenticated attacker to inject arbitrary SQL into database queries.
No authentication and no victim interaction are required: a single specially crafted HTTP request to the affected site is sufficient. With arbitrary SQL the attacker can read the entire database (all content, password hashes, session data, configuration), write to it (inject content, create accounts, grant existing accounts the administrator role), and, where the PostgreSQL role Drupal connects as is a superuser or a member of pg_execute_server_program, execute operating-system commands on the database host through COPY ... TO/FROM PROGRAM. Many managed PostgreSQL services withhold those privileges from application roles, so check what the Drupal database role can actually do before ruling that outcome in or out.
Scope: Only PostgreSQL backends are affected. Drupal sites using MySQL, MariaDB, or SQLite are not vulnerable to this specific CVE, though the advisory recommends all Drupal sites update to the patched version as a precaution.
Affected versions: Drupal 10.x prior to 10.4.8, Drupal 11.x prior to 11.1.12. Drupal 9.x is end-of-life and has not received a fix; EoL sites should be treated as permanently exposed.
Patch Availability
Drupal released patched versions (10.4.8 and 11.1.12) on 20 May alongside the advisory. On Composer-managed sites the fix is pulled in with Composer; the administrative Available updates report flags it but does not apply core updates. drush updb then runs any database updates the release ships, and drush cr rebuilds caches.
The Drupal Security Team recommends applying the update outside of normal maintenance windows given the severity and expected rapid exploitation. The advisory was published in Drupal’s coordinated release format, which typically involves pre-notification to major hosting providers.
Immediate Actions for Drupal Administrators
Identify PostgreSQL-backed Drupal sites: Review your Drupal estate to identify sites using PostgreSQL. The driver is set in the $databases array in each site's settings.php (look for 'driver' => 'pgsql'), but it may be overridden in settings.local.php or assembled from environment variables on hosted platforms, and a multi-site install has one settings.php per directory under sites/. Where drush is available, drush status --field=db-driver reports the driver the site actually connects with.
Apply the update immediately: Run the update on every PostgreSQL-backed Drupal site. For a Composer-managed 10.x site:
composer require 'drupal/core-recommended:~10.4.8' --update-with-all-dependencies
drush updb -y
drush cr
For 11.x sites the constraint is 'drupal/core-recommended:~11.1.12'. Sites that require drupal/core directly, or other drupal/core-* packages such as core-composer-scaffold, should move those to the same release. Afterwards confirm that composer.lock records drupal/core at 10.4.8 or 11.1.12 before restoring public access to any site you took offline.
For Drupal sites managed through hosting control panels (Acquia, Pantheon, Platform.sh), check vendor-specific guidance — some providers have applied server-side mitigations pending customer-managed updates.
If immediate patching is not possible: Take the site offline, or restrict it to allowlisted IP ranges at the web server, load balancer or WAF, until the update is applied. Drupal's own maintenance mode should not be relied on as a mitigation, since it still bootstraps Drupal and its database layer for every request.
Scan for exploitation indicators: Injected queries that fail raise database exceptions, which show up as HTTP 500 responses in web server access logs and as PHP-type entries containing SQLSTATE codes in Drupal's own log (Admin → Reports → Recent log messages with dblog, or syslog if that module is enabled). A burst of such errors from one source before the patch landed deserves a closer look. Then review Admin → People, sorted by member-for, for accounts you did not create and for existing accounts that gained the administrator role; SQL injection against Drupal is routinely followed by creating or elevating an account to keep administrative access after the hole is closed. A successful injection need not produce any error, so a clean log is not proof of non-exploitation.
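The log review described in the last step, as an added example that is not part of the advisory or of Drupal: the script below parses Drupal syslog output, flags source IPs that repeatedly triggered PostgreSQL SQLSTATE errors, lists accounts created since a chosen timestamp, and correlates the two. It assumes the syslog module's default line format (base_url|timestamp|type|ip|request_uri|referer|uid|link|message) and the "New user: name email." wording the user module logs on account creation; the sample lines, hosts and timestamps are constructed.

```python
"""Triage Drupal syslog output for SQL-injection indicators after SA-CORE-2026-004.

Added example, not part of the advisory or of Drupal. It assumes the syslog module's
default line format (base_url|timestamp|type|ip|request_uri|referer|uid|link|message);
the log lines below are constructed, including the PDO/PostgreSQL SQLSTATE wording.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Error classes an injected or malformed query raises on PostgreSQL:
# 42xxx = syntax error / access rule violation, 22xxx = data exception (e.g. 22P02 bad literal).
SQLSTATE_RE = re.compile(r"SQLSTATE\[(42[0-9A-Z]{3}|22[0-9A-Z]{3})\]")
# Message the user module writes when an account is created (assumed wording).
NEW_USER_RE = re.compile(r"New user: (\S+) (\S+)\.")


@dataclass
class Entry:
    ts: int
    type: str
    ip: str
    uri: str
    uid: str
    message: str


def parse_syslog(text: str) -> list[Entry]:
    """Split Drupal syslog lines into fields; the message is the 9th field and may itself contain '|'."""
    entries = []
    for line in text.splitlines():
        parts = line.split("|", 8)
        if len(parts) != 9 or not parts[1].isdigit():
            continue  # not a Drupal line, or a truncated one
        _base, ts, typ, ip, uri, _ref, uid, _link, msg = parts
        entries.append(Entry(int(ts), typ, ip, uri, uid, msg))
    return entries


def sql_error_sources(entries, threshold=2):
    """IPs that triggered `threshold` or more PHP-type SQLSTATE errors, with their (ts, uri, code) hits."""
    hits = defaultdict(list)
    for e in entries:
        if e.type != "php":
            continue
        m = SQLSTATE_RE.search(e.message)
        if m:
            hits[e.ip].append((e.ts, e.uri, m.group(1)))
    return {ip: h for ip, h in hits.items() if len(h) >= threshold}


def new_accounts(entries, since_ts):
    """(ts, ip, username, acting uid) for every account created at or after since_ts."""
    found = []
    for e in entries:
        if e.type == "user" and e.ts >= since_ts:
            m = NEW_USER_RE.search(e.message)
            if m:
                found.append((e.ts, e.ip, m.group(1), e.uid))
    return found


def triage(text, since_ts, threshold=2):
    """Returns (suspect IPs, accounts created since since_ts, accounts created from a suspect IP)."""
    entries = parse_syslog(text)
    suspects = sql_error_sources(entries, threshold)
    accounts = new_accounts(entries, since_ts)
    correlated = [a for a in accounts if a[1] in suspects]
    return suspects, accounts, correlated


# Constructed sample: one host probing with malformed input and then registering an account,
# plus ordinary noise from an editor's session.
SAMPLE = """\
https://www.example.com|1779271200|php|203.0.113.7|/node/1|-|0||Drupal\\Core\\Database\\DatabaseExceptionWrapper: SQLSTATE[42601]: Syntax error: 7 ERROR:  syntax error at or near ")" in ...
https://www.example.com|1779271203|php|203.0.113.7|/node/1|-|0||Drupal\\Core\\Database\\DatabaseExceptionWrapper: SQLSTATE[22P02]: Invalid text representation: 7 ERROR:  invalid input syntax for type integer in ...
https://www.example.com|1779271209|php|203.0.113.7|/node/2|-|0||Drupal\\Core\\Database\\DatabaseExceptionWrapper: SQLSTATE[42703]: Undefined column: 7 ERROR:  column "x" does not exist in ...
https://www.example.com|1779271260|user|203.0.113.7|/user/register|-|0|<a href="/user/57">Edit</a>|New user: backup_admin backup@example.invalid.
https://www.example.com|1779270000|php|192.0.2.10|/admin/content|-|1||Notice: Undefined index: foo in ...
https://www.example.com|1779100000|user|192.0.2.10|/admin/people/create|-|1|<a href="/user/56">Edit</a>|New user: editor_jane jane@example.invalid.
"""

if __name__ == "__main__":
    advisory_ts = 1779235200  # 2026-05-20T00:00:00Z, start of the exposure window for this sample
    suspects, accounts, correlated = triage(SAMPLE, advisory_ts)
    for ip, h in suspects.items():
        first = datetime.fromtimestamp(h[0][0], timezone.utc)
        print(f"{ip}: {len(h)} SQLSTATE errors, first at {first:%Y-%m-%d %H:%M}Z, codes {[c for _, _, c in h]}")
    for ts, ip, name, uid in accounts:
        flag = " <-- created from an IP that also caused SQL errors" if (ts, ip, name, uid) in correlated else ""
        print(f"account {name!r} created from {ip} by uid {uid}{flag}")
```

Feed it the Drupal lines from /var/log/syslog (or a dblog export reshaped into the same fields) with since_ts set to the earliest time the site could have been exposed. The threshold only trims noise; a single SQLSTATE error from an anonymous request is still worth reading, and the correlation step is a prioritisation aid, not a verdict.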
Drupal’s Historical Exploitation Pattern
Drupal “Highly Critical” advisories have a consistent exploitation history. Drupalgeddon (SA-CORE-2014-005, October 2014) was hit by automated attacks within hours, and Drupal's follow-up PSA told sites not patched within 7 hours of the advisory to assume they had been compromised. Drupalgeddon2 (SA-CORE-2018-002, March 2018) was not exploited until a public proof of concept appeared roughly two weeks after the advisory; mass automated exploitation followed within a day or two of that and swept up sites that had had two weeks to patch. The Drupal Security Team's warning about rapid exploit development is not precautionary: it reflects documented institutional knowledge of how the attacker community responds to Drupal critical advisories.