Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks

Drupal has announced security updates addressing a significant vulnerability in Drupal Core, identified as CVE-2026-9082. The flaw poses a serious risk: it could allow attackers to execute code remotely, escalate privileges, or disclose sensitive information. With a CVSS score of 6.5 out of 10.0, the flaw is particularly concerning for sites running on PostgreSQL databases.

Details of the Vulnerability

The vulnerability is rooted in a database abstraction API that Drupal Core uses for query validation and SQL injection prevention. According to Drupal, “A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases.” This flaw could lead to significant security breaches, including unauthorized access and data leaks.

Importantly, the vulnerability can be exploited by anonymous users, but it affects only sites that use PostgreSQL. To mitigate this risk, Drupal has released the following fixed versions:

  • Drupal 11.3.10
  • Drupal 11.2.12
  • Drupal 11.1.10
  • Drupal 10.6.9
  • Drupal 10.5.10
  • Drupal 10.4.10

Notably, Drupal 7 is not impacted by this vulnerability. The updates for the supported branches (versions 11.3, 11.2, 10.6, and 10.5) also incorporate upstream security updates for Symfony and Twig, underscoring the importance of maintaining the latest versions.

Support for Older Versions

For users still operating on Drupal versions 9 and 8, which have reached their end-of-life, manual patches have been made available:

  • Drupal 9.5
  • Drupal 8.9

Drupal has clarified that “Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage.” Drupal 8 and Drupal 9 are likewise end-of-life. Given the severity of this issue, the patches for unsupported versions are provided as a best effort, but users should be aware that these versions may still harbor other previously disclosed vulnerabilities.
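The version list and the end-of-life notes above translate directly into a triage rule for a site inventory. The following Python helper is an added example, not code from the article or from Drupal: it takes a site's core version string (the value of `\Drupal::VERSION`) and its database driver name from settings.php, and reports whether the site is in scope and which action the advisory implies. The fixed-version table is copied from the article; the function names, status labels and the sample inventory are constructed for the example.

```python
"""Triage helper built from the fixed-version list in the advisory above.

Given a site's Drupal core version string (the value of \\Drupal::VERSION)
and its database driver name from settings.php, report whether the site is in
scope and which action the advisory implies. The version table below is
copied from the article; the function names, status labels and the sample
inventory are constructed for this example and are not Drupal's own code.
"""
from dataclasses import dataclass

# Tagged releases that contain the fix, keyed by (major, minor) branch.
# 11.1.x and 10.4.x received a release even though the advisory lists them as end-of-life.
FIXED_RELEASES = {
    (11, 3): (11, 3, 10),
    (11, 2): (11, 2, 12),
    (11, 1): (11, 1, 10),
    (10, 6): (10, 6, 9),
    (10, 5): (10, 5, 10),
    (10, 4): (10, 4, 10),
}

# Branches that are end-of-life and got a manual patch but no tagged release.
MANUAL_PATCH_BRANCHES = {(9, 5), (8, 9)}

# Branches the advisory names as still receiving security coverage.
SUPPORTED_BRANCHES = {(11, 3), (11, 2), (10, 6), (10, 5)}

# Drupal's settings.php driver name for PostgreSQL.
POSTGRES_DRIVER = "pgsql"


@dataclass(frozen=True)
class Triage:
    status: str   # one of: not_affected, fixed, vulnerable, manual_patch, eol_unfixed
    action: str   # human-readable recommendation


def parse_version(text):
    """Turn '11.3.9', '10.5.10-dev' or '7.98' into a 3-tuple of ints.

    Pre-release suffixes are dropped and missing components are padded with 0,
    so Drupal 7's two-part version numbers parse as well.
    """
    core = text.strip().split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def triage(version_text, db_driver):
    """Classify one site against the advisory."""
    if db_driver != POSTGRES_DRIVER:
        return Triage("not_affected", "Site does not use PostgreSQL; no action for this advisory.")

    version = parse_version(version_text)
    if version[0] == 7:
        return Triage("not_affected", "Drupal 7 is not affected by this advisory.")

    branch = version[:2]
    if branch in FIXED_RELEASES:
        fixed = FIXED_RELEASES[branch]
        target = ".".join(map(str, fixed))
        if version >= fixed:
            return Triage("fixed", f"Running {version_text}, which is at or above fixed release {target}.")
        suffix = "" if branch in SUPPORTED_BRANCHES else (
            " This branch is end-of-life; move to a supported branch after patching.")
        return Triage("vulnerable", f"Update to {target}." + suffix)

    if branch in MANUAL_PATCH_BRANCHES:
        return Triage("manual_patch",
                      "End-of-life branch with a manual patch only; verify the patch is applied and plan an upgrade.")

    return Triage("eol_unfixed",
                  "End-of-life branch with no fix available; upgrade to a supported branch.")


def triage_inventory(sites):
    """Run triage over (hostname, version, driver) records; returns rows sorted by hostname."""
    return sorted((host, triage(ver, drv).status) for host, ver, drv in sites)


# Constructed sample inventory, as a fleet check would read from each site's settings.php.
SAMPLE_SITES = [
    ("intranet.example", "11.3.9", "pgsql"),
    ("shop.example", "11.3.10", "pgsql"),
    ("blog.example", "10.5.2", "mysql"),
    ("legacy.example", "9.5.11", "pgsql"),
    ("archive.example", "10.3.5", "pgsql"),
]

if __name__ == "__main__":
    for host, ver, drv in SAMPLE_SITES:
        result = triage(ver, drv)
        print(f"{host:20} {ver:10} {drv:6} {result.status:13} {result.action}")
```

Note that a version number alone cannot tell you whether a manual patch has been applied on a 9.5 or 8.9 site, which is why those sites are reported as `manual_patch` rather than `fixed`; the same limitation applies to any branch where the fix is not a tagged release.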

Tech Optimizer