A highly critical SQL injection vulnerability in Drupal Core’s database abstraction API, tracked as CVE-2026-9082, is now being actively exploited in the wild, prompting CISA to add it to the Known Exploited Vulnerabilities (KEV) catalog with a mandatory patch deadline of May 27, 2026.
CVE-2026-9082, also identified as Drupal Security Advisory SA-CORE-2026-004, is a SQL injection flaw rooted in Drupal Core’s database abstraction API, the engine responsible for sanitizing and validating all database queries before they reach the backend.
The root cause, as detailed by security researchers, lies in the PostgreSQL EntityQuery condition handler, where associative array keys passed via HTTP requests are concatenated directly into SQL placeholder identifiers without proper sanitization or canonicalization.
This means an unauthenticated remote attacker can craft a malicious HTTP request that injects arbitrary SQL commands into a vulnerable PostgreSQL-backed Drupal site.
CVE-2026-9082: Drupal SQL Injection Vulnerability
The flaw is classified under CWE-89 (Improper Neutralization of Special Elements Used in an SQL Command). It carries a CVSSv3 score of 6.5, though Drupal’s own internal risk scoring system rates it 20/25, “Highly Critical,” reflecting the real-world risk of full data compromise.
Drupal’s advisory explicitly states that the confidentiality impact includes “all non-public data accessible,” and the integrity impact covers “all data modifiable or deletable.”
The vulnerability specifically targets Drupal installations using PostgreSQL as the database backend. Sites running MySQL, MariaDB, or SQLite are not affected. Drupal 7.x is also unaffected.
| Affected Version Range | Fixed Version |
|---|---|
| Drupal 11.3.0 – 11.3.9 | 11.3.10 |
| Drupal 11.2.0 – 11.2.11 | 11.2.12 |
| Drupal 11.0.0 – 11.1.9 | 11.1.10 (EOL, exceptional release) |
| Drupal 10.6.0 – 10.6.8 | 10.6.9 |
| Drupal 10.5.0 – 10.5.9 | 10.5.10 |
| Drupal 10.4.0 – 10.4.9 | 10.4.10 (EOL, exceptional release) |
| Drupal 8.9 / 9.5 | Hotfix patch files only |
At the code level, the vulnerability lives inside pgsql/src/EntityQuery/Condition.php, the PostgreSQL-specific entity query condition handler. The flaw is triggered when:
- Attacker-controlled input reaches an entity query condition
- The condition value is an associative array
- The field comparison is case-insensitive
In this code path, the array keys are not discarded before SQL generation; they are directly used as placeholder identifiers in the generated SQL string. The official patch neutralizes the vulnerability by calling array_values() on attacker-supplied arrays before SQL generation, effectively stripping malicious keys and preventing injection.
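To make the defect class concrete, here is an added, simplified PHP model (not Drupal’s Condition.php and not the official patch) of a case-insensitive condition builder that derives placeholder names from the keys of the caller-supplied value array, with the array_values() fix applied on the hardened path. The function names, the `:value_` prefix and the sample input are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Added, simplified model of the defect class (not Drupal's Condition.php and
// not the official patch): a case-insensitive IN condition whose placeholder
// names are derived from the KEYS of the caller-supplied value array. The
// function names, the ':value_' prefix and the sample input are assumptions.

function buildCaseInsensitiveIn(string $field, array $values, bool $hardened): array {
    if ($hardened) {
        // Fix, mirroring the shape of the official patch: array_values()
        // discards caller-supplied keys, so placeholders are built from 0..n-1.
        $values = array_values($values);
    }
    $placeholders = [];
    $args = [];
    foreach ($values as $key => $value) {
        // Vulnerable path: $key is concatenated verbatim into the SQL text.
        // If a request body controls the keys, it controls part of the query.
        $placeholder = ':value_' . $key;
        $placeholders[] = $placeholder;
        $args[$placeholder] = strtolower((string) $value);
    }
    $sql = sprintf('LOWER(%s) IN (%s)', $field, implode(', ', $placeholders));
    return ['sql' => $sql, 'args' => $args];
}

/**
 * Defensive regression check for your own query builders: every placeholder
 * in the generated SQL must be a bare identifier. Returns the offending names.
 */
function unsafePlaceholders(string $sql): array {
    preg_match_all('/:([^,)]+)/', $sql, $matches);
    return array_values(array_filter(
        $matches[1],
        fn(string $name): bool => !preg_match('/^[A-Za-z0-9_]+$/', $name)
    ));
}

// Constructed input: an associative array with a key that is not an
// identifier, standing in for keys decoded from an HTTP request body.
$input = ['tampered key' => 'Alice', 7 => 'Bob'];

foreach ([false, true] as $hardened) {
    $q = buildCaseInsensitiveIn('name', $input, $hardened);
    printf("%-10s SQL: %s\n", $hardened ? 'hardened' : 'vulnerable', $q['sql']);
    printf("%-10s args: %s\n", '', json_encode($q['args']));
    printf("%-10s unsafe placeholders: %s\n\n", '', json_encode(unsafePlaceholders($q['sql'])));
}
```

Run it with `php <file>`. The vulnerable build carries the key `tampered key` straight into the SQL text as `:value_tampered key` and the check reports it; the hardened build emits `:value_0, :value_1` and the check returns an empty list. Pointed at your own query-building code, unsafePlaceholders() catches this defect class regardless of how the keys arrive.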
Sites that expose JSON:API, Views, or related routing modules are particularly at risk, as these surfaces commonly pass user-controlled array structures to the entity query subsystem.
The advisory, initially published on May 20, 2026, classified the exploit status as “Theoretical” at the time of release. However, within just 48 hours, active exploitation attempts were detected in the wild, prompting Drupal to update its risk score on May 22, 2026, at 04:30 UTC.
CISA added CVE-2026-9082 to its Known Exploited Vulnerabilities (KEV) catalog on May 22, 2026, assigning a compliance due date of May 27, 2026, for federal agencies and organizations operating under Binding Operational Directive (BOD) 22-01.
Successful exploitation of CVE-2026-9082 can result in:
- Information disclosure — unauthorized read access to all non-public database records
- Data manipulation — modification or deletion of database content
- Privilege escalation — elevation of attacker permissions within the CMS
- Remote code execution (RCE) — achievable in certain server configurations, depending on database permissions
The risk is amplified by the fact that no authentication is required to exploit the vulnerability; any anonymous user capable of sending an HTTP request can attempt to exploit a publicly accessible, unpatched PostgreSQL-backed Drupal site.
Mitigation
Organizations must treat this vulnerability with the highest urgency. Recommended actions include:
- Update immediately – move to the patched version corresponding to your Drupal branch.
- Confirm your database backend – if you run MySQL, MariaDB, or SQLite, you are not exposed.
- Apply hotfix patches – if your site runs the EOL Drupal 8.9 or 9.5 branches and cannot upgrade, apply the hotfix patch files.
- Enable WAF SQL injection rules – WAF providers such as Akamai offer SQL injection risk group rules in block/deny mode that provide immediate protection.
- Follow CISA BOD 22-01 guidance – federal and government agencies must patch by May 27, 2026.
- Audit JSON:API and Views modules – these are the primary attack surfaces that pass user-controlled input to the vulnerable query handler.
- Discontinue use of the affected product if mitigations cannot be applied within the required timeframe, per CISA guidance.
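The first two actions above (confirm the version and the backend) are a quick triage pass over an inventory. The following added PHP helper is not Drupal’s or CISA’s tooling; it encodes the affected-version table and the PostgreSQL-only rule from this advisory and reports, per site, whether the site is exposed and which release or hotfix resolves it. The assess() function name and the sample site inventory are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added triage helper (not Drupal's or CISA's tooling): given a Drupal core
// version string and the configured database driver, report whether the site
// sits inside one of the affected ranges from the advisory table and which
// release (or hotfix) resolves it. assess() and the sample inventory at the
// bottom are constructed for this example.

/** [first affected, last affected, fixed release] per branch, from the table. */
const AFFECTED_RANGES = [
    ['11.3.0', '11.3.9',  '11.3.10'],
    ['11.2.0', '11.2.11', '11.2.12'],
    ['11.0.0', '11.1.9',  '11.1.10 (EOL, exceptional release)'],
    ['10.6.0', '10.6.8',  '10.6.9'],
    ['10.5.0', '10.5.9',  '10.5.10'],
    ['10.4.0', '10.4.9',  '10.4.10 (EOL, exceptional release)'],
];

function assess(string $coreVersion, string $dbDriver): array {
    // Only PostgreSQL-backed sites are exposed, whatever the version.
    if (strtolower($dbDriver) !== 'pgsql') {
        return ['exposed' => false, 'reason' => "database driver '$dbDriver' is not PostgreSQL"];
    }
    // Drupal 7.x is unaffected.
    if (version_compare($coreVersion, '8.0.0', '<')) {
        return ['exposed' => false, 'reason' => 'Drupal 7.x is not affected'];
    }
    foreach (AFFECTED_RANGES as [$first, $last, $fixed]) {
        if (version_compare($coreVersion, $first, '>=') && version_compare($coreVersion, $last, '<=')) {
            return ['exposed' => true, 'reason' => "$coreVersion is within $first - $last", 'action' => "update to $fixed"];
        }
    }
    // EOL 8.9 and 9.5 branches: no new release, hotfix patch files only.
    foreach (['8.9.', '9.5.'] as $eolBranch) {
        if (str_starts_with($coreVersion, $eolBranch)) {
            return ['exposed' => true, 'reason' => "$coreVersion is on the EOL {$eolBranch}x branch", 'action' => 'apply the hotfix patch files'];
        }
    }
    return ['exposed' => false, 'reason' => "$coreVersion is not in a listed affected range"];
}

// Constructed sample inventory: [hostname, core version, database driver].
$sites = [
    ['intranet.example', '10.5.4',  'pgsql'],
    ['shop.example',     '11.3.10', 'pgsql'],
    ['blog.example',     '11.1.2',  'mysql'],
    ['legacy.example',   '9.5.11',  'pgsql'],
];
foreach ($sites as [$host, $version, $driver]) {
    $r = assess($version, $driver);
    printf("%-18s %-8s %-6s exposed=%-3s %s%s\n", $host, $version, $driver,
        $r['exposed'] ? 'yes' : 'no', $r['reason'],
        isset($r['action']) ? "; {$r['action']}" : '');
}
```

On a live site, the two inputs come from `\Drupal::VERSION` (core version) and `$databases['default']['default']['driver']` in sites/default/settings.php (database driver, `pgsql` for PostgreSQL). A version that is not in any listed range is reported as not listed rather than as safe; branches the advisory does not name are outside what this helper can judge.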
FAQ
Q1. Does CVE-2026-9082 affect all Drupal sites?
No. Only Drupal Core installations using a PostgreSQL database backend are vulnerable; MySQL, MariaDB, and SQLite sites are not affected, nor are Drupal 7 sites.
Q2. Do attackers need a valid login to exploit this vulnerability?
CVE-2026-9082 is exploitable by unauthenticated, anonymous remote attackers without any user credentials.
Q3. What is the CISA patch deadline for CVE-2026-9082?
CISA’s KEV catalog mandates that affected federal organizations patch by May 27, 2026, to comply with BOD 22-01.
Q4. What is the official patch for CVE-2026-9082?
The official fix applies array_values() to attacker-supplied arrays in the PostgreSQL EntityQuery condition handler before SQL generation, stripping malicious keys.
Site: thecybrdef.com