Full Report
A highly critical SQL injection vulnerability in Drupal core's database abstraction layer affects sites running PostgreSQL.

## Key Takeaways

- CVE-2026-9082 is a highly critical SQL injection vulnerability in Drupal core's database abstraction API that can be exploited by unauthenticated attackers on sites using PostgreSQL.
- No exploitation has been observed in the wild, but a detection PoC was published on the same day as the advisory and the patch diff was shared publicly within hours.
- Patches are available across six supported Drupal branches, including two exceptional releases for end-of-life versions.

## Background

On May 20, Drupal published a security advisory (SA-CORE-2026-004) for a highly critical SQL injection vulnerability in Drupal core:

| CVE | Description | CVSSv3 |
| --- | --- | --- |
| CVE-2026-9082 | Drupal Core SQL Injection Vulnerability | 6.5 |

The advisory was preceded by a public service announcement (PSA-2026-05-18) on May 18, which warned administrators to prepare for a highly critical release and cautioned that exploitation could occur "within hours or days" of disclosure.

Drupal rates this vulnerability 20 out of 25 on its own risk scoring scale ("Highly Critical"), noting that the confidentiality impact includes "all non-public data accessible" and the integrity impact is "all data modifiable or deletable." NVD assigned a CVSSv3 score of 6.5, rating the confidentiality and integrity impacts as Low. Given the vendor's own characterization of impact and the unauthenticated attack vector, the Drupal risk rating better reflects the potential severity for affected configurations.

## Analysis

CVE-2026-9082 is an SQL injection vulnerability in Drupal core's database abstraction API, specifically in the PostgreSQL `EntityQuery` condition handler. An unauthenticated, remote attacker can exploit this vulnerability by sending specially crafted requests to a vulnerable Drupal site running on PostgreSQL. Successful exploitation could lead to information disclosure, data modification or deletion, and in some configurations, privilege escalation or remote code execution.

User-controlled PHP array keys could reach SQL placeholder construction unsanitized. Drupal fixed this by applying `array_values()`, which strips attacker-supplied keys and replaces them with numeric indexes.

### Scope: PostgreSQL only

This vulnerability only affects Drupal sites using PostgreSQL as their database backend. Sites running MySQL, MariaDB, or SQLite are not affected. The vulnerable code resides in Drupal's PostgreSQL `EntityQuery` condition handler, which is only invoked on PostgreSQL configurations.

### No exploitation observed

At the time this blog post was published on May 21, Drupal's advisory describes the exploit status as "Theoretical," and no in-the-wild exploitation has been reported.

### Historical exploitation of Drupal Core

Drupal core has a well-documented history of critical vulnerabilities that attracted rapid mass exploitation. CISA's Known Exploited Vulnerabilities (KEV) catalog contains four Drupal entries, two of which have confirmed ransomware use. The Drupalgeddon vulnerabilities (CVE-2018-7600 and CVE-2018-7602) in particular became a case study in how quickly attackers weaponize Drupal flaws once details are available.

| CVE | Description | Date Added | Tenable Blogs |
| --- | --- | --- | --- |
| CVE-2018-7600 | Drupal Core Remote Code Execution (Drupalgeddon 2) | 2021-11-03 | Critical Drupal Core Vulnerability: What You Need to Know |
| CVE-2018-7602 | Drupal Core Remote Code Execution (Drupalgeddon 3) | 2022-04-13 | Drupalgeddon Attacks Continue on Sites Missing Security Updates |
| CVE-2019-6340 | Drupal Core Arbitrary PHP Code Execution | 2022-03-25 | Highly Critical Drupal Security Advisory Released |
| CVE-2020-13671 | Drupal Core File Extension Sanitization | 2022-01-18 | -- |

### Proof of concept

On the same day as the security release, a detection PoC and reproduction lab were published. The patch diff was also shared on social media within hours of the release.

The minimal complexity of this patch, combined with the availability of AI-powered code analysis tools that can analyze diffs and assist in exploit development, compresses the timeline between patch release and weaponization. Historically, Drupal vulnerabilities of this severity have seen exploitation within hours to days of disclosure. Administrators running PostgreSQL-backed Drupal sites face a shortening window to apply patches before exploitation attempts begin.

## Solution

Drupal has released fixed versions across all currently supported branches, as well as exceptional releases for two end-of-life branches due to the severity of this vulnerability:

| Affected Versions | Fixed Version |
| --- | --- |
| Drupal 11.3.0 - 11.3.9 | 11.3.10 |
| Drupal 11.2.0 - 11.2.11 | 11.2.12 |
| Drupal 11.0.0 - 11.1.9 | 11.1.10 (EOL, exceptional release) |
| Drupal 10.6.0 - 10.6.8 | 10.6.9 |
| Drupal 10.5.0 - 10.5.9 | 10.5.10 |
| Drupal 10.4.0 - 10.4.9 | 10.4.10 (EOL, exceptional release) |

Sites running Drupal 8.9 or 9.5 have reached end-of-life and will not receive packaged updates. However, Drupal has published hotfix files for sites running 9.5.11 or 8.9.20. Sites on Drupal 7 are not affected.

Sites using Drupal Steward are protected against known attack vectors for this vulnerability.

According to the security advisory, these releases also include coordinated upstream security updates for Symfony and Twig. Those updates address vulnerabilities separate from CVE-2026-9082, some of which also affect Drupal core. Even sites not running PostgreSQL benefit from updating to these releases.

## Identifying affected systems

A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2026-9082 as they're released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Additionally, customers can utilize Tenable Attack Surface Management to identify public-facing assets running Drupal by using the following query: `CMS contains Drupal`.

## Get more information

- Drupal Security Advisory SA-CORE-2026-004
- Drupal PSA-2026-05-18: Pre-release announcement

Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Analysis Summary
# Vulnerability: Highly Critical Drupal Core SQL Injection (PostgreSQL)
## CVE Details
- **CVE ID:** CVE-2026-9082
- **CVSS Score:** 6.5 (NVD, CVSSv3, Medium) / 20 out of 25 (Drupal risk rating, Highly Critical)
- **CWE:** Not specified, but identified as SQL Injection in the database abstraction API.
## Affected Systems
- **Products:** Drupal Core
- **Versions:**
  - 11.3.x (versions prior to 11.3.10)
  - 11.2.x (versions prior to 11.2.12)
  - 11.0.x and 11.1.x (versions prior to 11.1.10 - EOL exceptional release)
  - 10.6.x (versions prior to 10.6.9)
  - 10.5.x (versions prior to 10.5.10)
  - 10.4.x (versions prior to 10.4.10 - EOL exceptional release)
- **Configurations:** This vulnerability specifically affects sites using **PostgreSQL** as the database backend. Sites using MySQL, MariaDB, or SQLite are not susceptible to this specific flaw.
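Because scope depends on both the core version and the configured database driver, a triage script is the quickest way to sort an inventory. The following PHP is an added example written for this page, not Drupal's or Tenable's code: the version ranges and hotfix versions are copied from the advisory table above, `assessDrupalSite()` is a hypothetical helper name, and the inventory at the bottom is constructed sample data. It assumes the driver string is the `driver` value from `$databases['default']['default']` in `settings.php`.

```php
<?php
// Added example, not Drupal's or Tenable's code: classify a Drupal install
// as in or out of scope for CVE-2026-9082 from its core version and the
// database driver configured in settings.php. Version ranges come from the
// advisory table on this page; the inventory at the bottom is constructed.
declare(strict_types=1);

// [first affected version, first fixed version] per branch (SA-CORE-2026-004).
const AFFECTED_RANGES = [
    ['11.3.0', '11.3.10'],
    ['11.2.0', '11.2.12'],
    ['11.0.0', '11.1.10'],  // 11.0.x and 11.1.x, EOL exceptional release
    ['10.6.0', '10.6.9'],
    ['10.5.0', '10.5.10'],
    ['10.4.0', '10.4.10'],  // EOL exceptional release
];

// EOL versions for which Drupal published hotfix files instead of releases.
const HOTFIX_VERSIONS = ['9.5.11', '8.9.20'];

/**
 * Returns null when the site is not in scope, otherwise a remediation string.
 * $driver is $databases['default']['default']['driver'] from settings.php
 * ('pgsql', 'mysql', 'sqlite').
 */
function assessDrupalSite(string $version, string $driver): ?string
{
    // The vulnerable condition handler is only used on PostgreSQL.
    if (strtolower($driver) !== 'pgsql') {
        return null;
    }
    foreach (AFFECTED_RANGES as [$first, $fixed]) {
        if (version_compare($version, $first, '>=')
            && version_compare($version, $fixed, '<')) {
            return "affected: update to {$fixed}";
        }
    }
    if (in_array($version, HOTFIX_VERSIONS, true)) {
        return 'affected (EOL): apply the published hotfix file';
    }
    $major = (int) explode('.', $version)[0];
    if ($major === 7) {
        return null;  // the advisory states Drupal 7 is not affected
    }
    if ($major < 10) {
        return 'EOL branch not covered by the advisory table: verify manually';
    }
    return null;  // already at or beyond the fixed version for its branch
}

// Constructed sample inventory: [site label, core version, DB driver].
$inventory = [
    ['intranet', '11.3.4',  'pgsql'],
    ['shop',     '10.5.10', 'pgsql'],
    ['blog',     '10.4.2',  'mysql'],
    ['legacy',   '9.5.11',  'pgsql'],
];
foreach ($inventory as [$site, $version, $driver]) {
    $verdict = assessDrupalSite($version, $driver) ?? 'not in scope';
    printf("%-9s %-8s %-6s %s\n", $site, $version, $driver, $verdict);
}
```

Run with `php triage.php` (any file name). The MySQL-backed site is reported out of scope even though its version is in an affected range, which mirrors the advisory; keep in mind that the same releases also carry Symfony and Twig fixes, so "not in scope" for this CVE is not a reason to skip the update.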
## Vulnerability Description
The flaw resides in Drupal core’s database abstraction layer, specifically in the PostgreSQL `EntityQuery` condition handler. Attacker-controlled PHP array keys were being passed into SQL placeholder construction without proper sanitization. By supplying specially crafted array keys, an unauthenticated attacker can inject arbitrary SQL commands. The fix implements `array_values()` to strip user-supplied keys and replace them with safe numeric indexes.
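To make the bug class concrete, here is an added PHP example that is not Drupal's code: a deliberately simplified stand-in for a condition handler that turns an array of values into SQL placeholders. `buildInClauseVulnerable()` derives the placeholder suffix from the array key, `buildInClauseFixed()` applies `array_values()` first, and `placeholdersAreWellFormed()` is a regression check a reviewer could keep around. All three function names, the query shape and the sample inputs are hypothetical and constructed; nothing here reproduces Drupal's actual code path.

```php
<?php
// Added example, not Drupal's code: a simplified stand-in for a condition
// handler that turns a PHP array of values into SQL placeholders. It shows
// the bug class described in the advisory (array keys reaching placeholder
// construction) next to the array_values() fix. The function names and the
// query shape are hypothetical; the inputs at the bottom are constructed.
declare(strict_types=1);

/**
 * Vulnerable pattern: the placeholder suffix is taken from the array KEY,
 * so whoever controls the keys controls part of the SQL text.
 * Returns [sql fragment, placeholder => value map].
 */
function buildInClauseVulnerable(string $column, array $values): array
{
    $placeholders = [];
    $args = [];
    foreach ($values as $key => $value) {
        $name = ":{$column}_{$key}";
        $placeholders[] = $name;
        $args[$name] = $value;
    }
    return ["{$column} IN (" . implode(', ', $placeholders) . ')', $args];
}

/**
 * Hardened pattern: array_values() discards caller-supplied keys, so the
 * suffix is always a numeric index chosen by this function.
 */
function buildInClauseFixed(string $column, array $values): array
{
    $placeholders = [];
    $args = [];
    foreach (array_values($values) as $index => $value) {
        $name = ":{$column}_{$index}";
        $placeholders[] = $name;
        $args[$name] = $value;
    }
    return ["{$column} IN (" . implode(', ', $placeholders) . ')', $args];
}

/** Regression check: every placeholder name must be a bare identifier. */
function placeholdersAreWellFormed(array $args): bool
{
    foreach (array_keys($args) as $name) {
        if (!preg_match('/^:[A-Za-z_][A-Za-z0-9_]*$/', (string) $name)) {
            return false;
        }
    }
    return true;
}

// Constructed inputs: an ordinary keyed array, and one whose key carries
// SQL punctuation, as a request-derived array might.
$inputs = [
    'normal keys' => ['first' => 5, 'second' => 7],
    'hostile key' => ['0) /* injected */' => 5],
];

foreach ($inputs as $label => $values) {
    foreach (['buildInClauseVulnerable', 'buildInClauseFixed'] as $builder) {
        [$sql, $args] = $builder('nid', $values);
        printf("%-12s %-24s %-36s well-formed=%s\n",
            $label, $builder, $sql,
            placeholdersAreWellFormed($args) ? 'yes' : 'no');
    }
}
```

With the hostile key, the vulnerable builder emits `nid IN (:nid_0) /* injected */)`, which the well-formedness check rejects, while the fixed builder emits `nid IN (:nid_0)` regardless of what the keys were. The general lesson is the one the advisory encodes: anything that becomes part of query text, including placeholder names, must be generated by the code, never copied from caller-supplied keys.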
## Exploitation
- **Status:** PoC Available (A detection PoC and reproduction lab were published on the same day as the advisory). No in-the-wild exploitation was observed at the time of publication, but weaponization is expected rapidly.
- **Complexity:** Low (Patch analysis via AI tools and available diffs compress the exploitation timeline).
- **Attack Vector:** Network (Remote, unauthenticated).
## Impact
- **Confidentiality:** High (All non-public data accessible).
- **Integrity:** High (All data modifiable or deletable).
- **Availability:** High (Data deletion can lead to service loss; RCE is possible in certain configurations).
## Remediation
### Patches
Update to the following versions immediately:
- **Drupal 11.3:** 11.3.10
- **Drupal 11.2:** 11.2.12
- **Drupal 11.1:** 11.1.10 (EOL release)
- **Drupal 10.6:** 10.6.9
- **Drupal 10.5:** 10.5.10
- **Drupal 10.4:** 10.4.10 (EOL release)
- **Drupal 8.9 / 9.5:** Apply manual hotfix files as no packaged updates exist for these EOL versions.
### Workarounds
- **Drupal Steward:** Sites protected by the Drupal Steward WAF service are mitigated against known attack vectors.
- **Upstream Updates:** Even sites not using PostgreSQL should update, as the releases include coordinated security fixes for Symfony and Twig.
## Detection
- **Indicators of Compromise:** Look for unusual PostgreSQL audit logs or errors involving `EntityQuery` calls with unexpected array keys.
- **Detection methods and tools:**
  - Tenable plugins specifically for CVE-2026-9082.
  - Tenable Attack Surface Management (Query: `CMS contains Drupal`).
## References
- **Vendor Advisory:** hxxps[://]www[.]drupal[.]org/sa-core-2026-004
- **Pre-release Announcement:** hxxps[://]www[.]drupal[.]org/psa-2026-05-18
- **Tenable Analysis:** hxxps[://]www[.]tenable[.]com/blog/cve-2026-9082-highly-critical-sql-injection-vulnerability-in-drupal-core-sa-core-2026-004