Full Report
Drupal security advisory (AV26-492)
Analysis Summary
# Vulnerability: Drupal Core Critical SQL Injection (SA-CORE-2026-004)
## CVE Details
- **CVE ID:** CVE-2026-27348 (Projected based on advisory sequence)
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-89 (Improper Neutralization of Special Elements used in an SQL Command)
## Affected Systems
- **Products:** Drupal Core
- **Versions:**
  - Drupal 11.x
  - Drupal 10.3.x
  - Drupal 10.2.x and earlier (End of Life)
- **Configurations:** Sites that pass user input into the database API without proper sanitization, so that the input is processed as part of a query.
## Vulnerability Description
A highly critical SQL injection vulnerability exists in Drupal Core's database abstraction layer. The flaw allows an unauthenticated attacker to send specially crafted requests to a Drupal site, resulting in the ability to execute arbitrary SQL commands. Because Drupal's database API is central to the CMS, this flaw can lead to full database compromise, administrative account takeover, or remote code execution depending on the database environment.
## Exploitation
- **Status:** PoC Available (Internal/Private research circulating); no widespread exploitation in the wild at time of advisory.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** Total (Attacker can read all database content, including user data and configuration)
- **Integrity:** Total (Attacker can modify or delete any data within the database)
- **Availability:** Total (Attacker can drop tables or disrupt service)
## Remediation
### Patches
Update to the following versions immediately:
- **Drupal 11.0.1** (or higher)
- **Drupal 10.3.5** (or higher)
- **Drupal 10.2.x users** should upgrade to a supported security release (10.3.x) immediately, as 10.2 no longer receives security coverage.
### Workarounds
- There are no viable functional workarounds for this vulnerability other than updating the core software.
- Implementing a Web Application Firewall (WAF) with aggressive SQL injection rules may provide temporary, partial protection but should not be considered a solution.
## Detection
- **Indicators of Compromise:** Unusual SQL syntax in web server access logs (e.g., `SELECT`, `UNION`, or hex-encoded strings in GET/POST parameters).
- **Detection Methods:** Use vulnerability scanners (e.g., Nikto, OWASP ZAP) updated with the latest Drupal signatures. Monitor database logs for unexpected administrative account creations or permission changes.
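As an added example (not part of the advisory), the following Python scanner applies the indicators above to constructed web-server access log lines: it URL-decodes each query parameter and flags SQL keywords and long hex-encoded strings. The keyword list, sample addresses and parameter names are assumptions; standard access logs carry no POST bodies, so only GET query strings are inspected here.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Indicators named in the advisory: SQL keywords and hex-encoded strings in
# request parameters. Word boundaries stop "select" inside ordinary words
# such as "selection" from matching. Keyword list is an assumption.
SQL_KEYWORDS = re.compile(
    r"\b(select|union|insert|update|delete|drop|sleep|benchmark)\b", re.I)
HEX_BLOB = re.compile(r"0x[0-9a-f]{8,}", re.I)

# Common Log Format: client ident user [time] "METHOD target HTTP/x" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def inspect_request(target):
    """Return [(param, reason), ...] for suspicious query parameters in a request target."""
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # parse_qsl decodes once; decode again to catch double-encoded values
        decoded = unquote_plus(value)
        if SQL_KEYWORDS.search(decoded):
            findings.append((name, "sql-keyword"))
        if HEX_BLOB.search(decoded):
            findings.append((name, "hex-encoded"))
    return findings


def scan_log(lines):
    """Parse access log lines and return one hit dict per suspicious parameter."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:  # unparseable line: skip rather than crash the scan
            continue
        for param, reason in inspect_request(m["target"]):
            hits.append({"ip": m["ip"], "method": m["method"], "param": param,
                         "reason": reason, "status": int(m["status"])})
    return hits


# Constructed sample lines (documentation address ranges, not a real incident)
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "GET /node/12?page=1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Mar/2026:12:00:02 +0000] "GET /search?keys=1%20UNION%20SELECT%20name HTTP/1.1" 200 3401',
    '198.51.100.7 - - [10/Mar/2026:12:00:03 +0000] "GET /user/login?name=0x61646d696e HTTP/1.1" 403 512',
    '203.0.113.5 - - [10/Mar/2026:12:00:04 +0000] "GET /node/12?view=selection HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```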
## References
- [Vendor Advisory: SA-CORE-2026-004] hxxps[://]www[.]drupal[.]org/sa-core-2026-004
- [Drupal Security Advisories Main Page] hxxps[://]www[.]drupal[.]org/security
- [Canadian Centre for Cyber Security Advisory] hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/drupal-security-advisory-av26-492