Critical Unauthenticated SQLi Flaw in Drupal Core Hits PostgreSQL Sites

Executive Summary

The Drupal project has released security advisory SA-CORE-2026-004 to address a highly critical SQL injection (SQLi) vulnerability, CVE-2026-9082. This flaw specifically affects Drupal Core sites that are configured with a PostgreSQL database. The vulnerability is especially severe as it can be exploited by an unauthenticated, anonymous attacker, posing an immediate and significant risk to exposed websites. Exploitation can allow an attacker to read, modify, or delete sensitive data; escalate their privileges; and in some configurations, achieve remote code execution (RCE). Due to the low complexity and lack of authentication required, administrators of affected sites are strongly advised to apply the provided patches without delay.

Vulnerability Details

The vulnerability is a classic SQL injection flaw resulting from improper input sanitization in a specific part of Drupal's database abstraction API.

Technical Analysis

CVE ID: CVE-2026-9082
Vulnerability Type: SQL Injection
Attack Vector: Remote (Network)
Authentication: Not required (Anonymous)
Complexity: Low

The flaw exists in how Drupal's database abstraction layer processes certain queries for the PostgreSQL driver. A specially crafted request can bypass the API's query sanitization logic. This allows an attacker to inject arbitrary SQL commands into the backend database query. This is a classic example of T1190 - Exploit Public-Facing Application.

Because the attacker can control the SQL queries executed on the database, they can perform a range of malicious actions:

Data Disclosure: Dump the contents of any table in the database, including user tables with hashed passwords, personal information, and site content.
Privilege Escalation: Modify their user account data in the database to grant themselves administrative privileges.
Remote Code Execution (RCE): In some PostgreSQL configurations that allow for the execution of system commands from within SQL queries, an attacker could potentially escalate from SQL injection to full RCE on the server.

Affected Systems

The vulnerability affects the following versions of Drupal Core only when used with a PostgreSQL database:

Drupal versions prior to 11.3.10
Drupal versions prior to 10.6.9
And other older, specified versions (11.2.12, 11.1.10, 10.5.10, 10.4.10)

Important: Sites using other databases such as MySQL or MariaDB are not vulnerable to this specific SQL injection path. However, the security updates contain other fixes, and updating is still recommended.

Exploitation Status

As of the disclosure, there is no public proof-of-concept (PoC) exploit code, and there are no known indicators of active exploitation in the wild. However, given the criticality of the vulnerability and the detailed nature of security advisories, it is highly probable that threat actors will develop an exploit soon. Unauthenticated RCE vulnerabilities in popular CMS platforms are prime targets for automated scanning and mass exploitation.

Impact Assessment

For an organization running a public-facing Drupal site on PostgreSQL, the impact is critical. A successful exploit could lead to a complete compromise of the website and its data. This could result in:

A major data breach, exposing customer or user information.
Defacement of the website.
The web server being used to host malware or participate in a botnet.
Significant reputational damage and potential regulatory fines (e.g., under GDPR or CCPA).

Cyber Observables — Hunting Hints

Security teams can hunt for signs of attempted exploitation in their web server and database logs:

Type

URL Pattern

Value

Look for unusually long or complex URL query strings containing SQL keywords like SELECT, UNION, CAST, etc.

Description

These patterns in web server access logs can indicate SQLi attempts.

Type

Log Source

Value

PostgreSQL Query Logs

Description

If enabled, monitor database logs for malformed or suspicious queries originating from the web application user.

Type

Log Source

Value

Web Application Firewall (WAF) Logs

Description

WAF logs may show blocked attempts that match common SQLi signatures. A spike in these alerts could indicate mass scanning.

Remediation Steps

Immediate patching is the only effective solution.

Update Drupal Core: Administrators of affected sites must update to the latest secure version as specified in the SA-CORE-2026-004 advisory. The patched versions are:
- 11.3.10, 10.6.9, and others.
Verify the Update: After updating, clear all caches in Drupal and verify that the site is running the new version.
Workaround (Temporary): If patching is impossible, placing a Web Application Firewall (WAF) in front of the site with strong SQLi detection rules may offer some protection, but it should not be considered a substitute for patching the underlying vulnerability.
Review Logs: After patching, review web server and database logs for any signs of compromise that may have occurred before the patch was applied.

As a temporary, compensating control while patching is being organized, a Web Application Firewall (WAF) can provide a critical layer of defense. Configure your WAF with a strict ruleset for SQL injection detection, specifically tuned for PostgreSQL syntax if possible. This would involve looking for keywords like UNION, SELECT, pg_sleep, and other malicious SQL constructs within inbound HTTP requests. While a WAF is not foolproof and can be bypassed by sophisticated attackers, it is effective at blocking the wave of automated, low-effort scanning and exploitation attempts that typically follow a critical CMS vulnerability disclosure. This can buy the security team valuable time to apply the patch properly.

Critical SQL Injection Vulnerability (CVE-2026-9082) Disclosed in Drupal Core for PostgreSQL