CVE-2026-9082 is a highly critical SQL injection vulnerability affecting Drupal core sites configured to use PostgreSQL as the backend database. The vulnerability exists in Drupal’s database abstraction API, where specially crafted requests can bypass query sanitization and result in arbitrary SQL injection. The issue is reachable by anonymous users and requires no authentication or prior privileges. Drupal rates the issue “Highly Critical,” with a security risk score of 20 out of 25; its CVSS base score is 9.8 (Critical).
Drupal is an open-source content management system used to build and operate websites, intranets, and digital experience platforms across government, higher education, media, and enterprise environments.
In affected deployments, Drupal core’s database abstraction API fails to properly sanitize certain crafted requests when the site uses PostgreSQL. Successful exploitation enables arbitrary SQL execution against the Drupal site database. Potential outcomes include credential exposure, unauthorized data access, privilege escalation, database manipulation, and possible remote code execution paths depending on site configuration and connected services.
The vulnerability affects PostgreSQL-backed Drupal deployments only.
A NodeZero Rapid Response test has been developed to safely validate whether this SQL injection vulnerability can be exploited in your environment. The test executes real attack techniques without causing damage, giving teams immediate clarity on exposure.
Re-run the test: Confirm the vulnerability is no longer exploitable after remediation
Run the Rapid Response test: Launch from the NodeZero platform to determine whether affected Drupal instances using PostgreSQL are exploitable
Patch immediately: Upgrade Drupal core to a fixed release based on your supported branch
For unsupported Drupal 8 or 9 deployments, apply the manually distributed security patches from the Drupal Security Team and migrate to a supported branch as soon as possible
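Because only PostgreSQL-backed sites are in scope, the first question for each deployment is which database driver it uses and which core version it runs. The POSIX shell inventory check below is an added example, not code from Horizon3.ai or the Drupal project; it assumes a standard Drupal 8+ docroot layout, reading the core version from the `const VERSION` line in core/lib/Drupal.php and the driver from the `$databases` array in sites/default/settings.php (both the `'driver' => '...'` and `['driver'] = '...'` forms).

```shell
#!/bin/sh
# Scope check for a PostgreSQL-only Drupal core issue (added example, not
# project code). Assumes a standard Drupal 8+ docroot layout.

# Print the core version declared as `const VERSION = '...'` in core/lib/Drupal.php.
drupal_core_version() {
  docroot="$1"
  sed -n "s/.*const VERSION = '\([^']*\)'.*/\1/p" "$docroot/core/lib/Drupal.php" | head -n 1
}

# Print the configured database driver (pgsql, mysql, sqlite, ...) from settings.php.
# Comment lines (starting with *, # or /) are skipped so default.settings.php-style
# documentation does not produce false matches; first real match wins.
drupal_db_driver() {
  docroot="$1"
  grep -v '^[[:space:]]*[*#/]' "$docroot/sites/default/settings.php" \
    | sed -n \
        -e "s/.*'driver'[[:space:]]*=>[[:space:]]*'\([^']*\)'.*/\1/p" \
        -e "s/.*'driver'\][[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" \
    | head -n 1
}

# Exit 0 when the site is PostgreSQL-backed (in scope for this advisory), 1 otherwise.
drupal_uses_pgsql() {
  [ "$(drupal_db_driver "$1")" = "pgsql" ]
}

# One-line scope report for a docroot, e.g.: drupal_scope_report /var/www/html
drupal_scope_report() {
  docroot="$1"
  version="$(drupal_core_version "$docroot")"
  driver="$(drupal_db_driver "$docroot")"
  if drupal_uses_pgsql "$docroot"; then
    echo "$docroot: Drupal $version on $driver -> IN SCOPE, upgrade core to a fixed release"
  else
    echo "$docroot: Drupal $version on $driver -> not PostgreSQL-backed"
  fi
}
```

Run it against every Drupal docroot you manage; the version it prints is what you compare against the fixed release for your supported branch.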
The NodeZero® platform empowers your organization to reduce its security risk by autonomously finding exploitable weaknesses in your network, giving you detailed guidance on how to prioritize and fix them, and letting you immediately verify that your fixes are effective.