Drupal has released security updates for a “highly critical” security vulnerability in Drupal Core that could be exploited by attackers to achieve remote code execution, privilege escalation, or information disclosure.
The vulnerability, now tracked as CVE-2026-9082, carries a CVSS score of 6.5 out of 10.0, per CVE.org. Drupal said the vulnerability resides in a database abstraction API that is used in Drupal Core to validate queries and ensure they are sanitized against SQL injection attacks.
“A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases,” it said. “This can lead to information disclosure, and in some cases privilege escalation, remote code execution, or other attacks.”
Drupal noted the security flaw can be exploited by anonymous users, and impacts only sites that use PostgreSQL. The following versions address the issue –
- Drupal 11.3.10
- Drupal 11.2.12
- Drupal 11.1.10
- Drupal 10.6.9
- Drupal 10.5.10
- Drupal 10.4.10
Drupal 7 isn’t affected. The releases for supported branches (versions 11.3, 11.2, 10.6, and 10.5) include upstream security updates for Symfony and Twig, making it essential that the latest versions are installed.
As previously disclosed by Drupal, manual patches have also been released for Drupal versions 9 and 8, which have reached end-of-life –
“Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage,” Drupal said. “Drupal 8 and Drupal 9 have both reached end-of-life.
“Due to this issue’s severity, the unsupported releases and patches for unsupported versions are provided as a best effort. Those unsupported versions will still have other, previously disclosed security vulnerabilities.”
Update
Searchlight Cyber has released two working proof-of-concept (PoC) code for CVE-2026-9082, stating the vulnerability can be exploited by anonymous users on any deployment that backs Drupal with PostgreSQL.
“Both are gated on PostgreSQL being the database backend, so MySQL and SQLite installs are not exploitable through these paths,” researchers Patrik Grobshäuser, Kevin Gervot, and Tomais Williamson said. “The upgrade is still worth picking up on those installs for the bundled Symfony and Twig advisories that the same Drupal release carries.”
