Drupal does not pre-announce its security releases. When the Security Team posts an advance public service announcement two days before a patch — as it did with PSA-2026-05-18 — that is the signal. The patch that dropped during the May 20 release window, between 17:00 and 21:00 UTC, fixes a vulnerability the team rated 20 out of 25 on its own risk scale: an unauthenticated SQL injection sitting in the one layer of Drupal that is supposed to make SQL injection impossible.
What happened
CVE-2026-9082, disclosed under SA-CORE-2026-004, is a flaw in Drupal’s database abstraction API. That API is the safety net: it sits between application code and the database and parameterizes queries so that attacker-controlled input cannot break out of its quoting and execute as SQL. The bug means a specially crafted HTTP request slips past that sanitization entirely, and arbitrary SQL runs directly against the backend.
Drupal’s scoring breakdown is what makes this a drop-everything item. Access complexity: none. Authentication required: none. Confidentiality and integrity impact: full. In plain terms, an anonymous attacker who can reach the site over HTTP can read every row in the database and modify anything in it — no account, no privileged role, no foothold required.
The one mitigating factor
CVE-2026-9082 only affects Drupal sites running on PostgreSQL. Installations backed by MySQL or MariaDB are not vulnerable to this specific injection. That narrows the blast radius, but not as much as it sounds: PostgreSQL is common in exactly the deployments that hurt most when they fall — government portals, university sites, large media properties, and enterprise installs that chose Postgres for performance, JSON handling, or compliance reasons.
If you do not know which database your Drupal site uses, check settings.php or the Reports -> Status report page before assuming you are clear.
It is not just the SQL injection
The May 20 releases bundle upstream security fixes for Symfony and Twig, the PHP components Drupal depends on. Drupal’s advisory is explicit that depending on your configuration and contributed modules, your site may be independently vulnerable to those upstream issues — even on a MySQL backend. Treat this as an all-sites update, not a PostgreSQL-only one.
The advisory also flags Twig template injection as a compounding risk: review which user roles can edit Twig templates, including indirectly through Views or contributed modules. A Twig SSTI path chained with this release’s other fixes is how a “moderate” finding becomes a server takeover.
Impact
Successful exploitation of CVE-2026-9082 ranges from data exfiltration — user records, hashed credentials, private content, session data — through privilege escalation, and in some configurations to remote code execution and full server compromise. The Security Team’s own warning is blunt: “exploits might be developed within hours or days” of the advisory going public. With the technical details now disclosed and the diff in patched releases publicly visible, treat working exploit code as a near-term certainty.
What to do right now
Update to a patched release immediately:
- Drupal 11: 11.3.10, 11.2.12, or 11.1.10
- Drupal 10: 10.6.9, 10.5.10, or 10.4.10
The Security Team also issued best-effort patches for end-of-life Drupal 8.9 and 9.5 given the severity. Those must be applied manually and carry no guarantees — and those sites remain exposed to every other unpatched flaw since EOL. If you are still on Drupal 8 or 9, this is your prompt to plan a real migration.
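The two checks above (which database driver the site uses, and whether the installed core is on or past a patched release) can be scripted. The Python below is an added example, not code from the advisory or from the Drupal project. It assumes the usual layout of `sites/default/settings.php` (a `$databases` array with a `'driver'` key) and that `core/lib/Drupal.php` declares `const VERSION`; the patched-release table is the list above, and the two file excerpts are constructed samples.

```python
import re
from typing import Optional

# Patched core releases as listed in SA-CORE-2026-004 (taken from the article),
# keyed by the minor branch they belong to.
PATCHED_RELEASES = {
    (11, 3): (11, 3, 10),
    (11, 2): (11, 2, 12),
    (11, 1): (11, 1, 10),
    (10, 6): (10, 6, 9),
    (10, 5): (10, 5, 10),
    (10, 4): (10, 4, 10),
}

# Constructed excerpt of a sites/default/settings.php (not from any real site).
SAMPLE_SETTINGS_PHP = """
$databases['default']['default'] = [
  'database' => 'drupal',
  'username' => 'drupal',
  'password' => 'REDACTED',
  'host' => '127.0.0.1',
  'port' => '5432',
  'driver' => 'pgsql',
  'prefix' => '',
];
"""

# Constructed excerpt of core/lib/Drupal.php, where core declares its version.
SAMPLE_DRUPAL_PHP = """
class Drupal {
  const VERSION = '10.5.9';
}
"""

DRIVER_RE = re.compile(r"['\"]driver['\"]\s*=>\s*['\"]([A-Za-z0-9_]+)['\"]")
VERSION_RE = re.compile(r"const\s+VERSION\s*=\s*['\"]([^'\"]+)['\"]")


def database_drivers(settings_php: str) -> list:
    """Every 'driver' value declared in the $databases array, in file order.
    Remember that settings.local.php or environment-specific includes may add more."""
    return DRIVER_RE.findall(settings_php)


def core_version(drupal_php: str) -> Optional[str]:
    """The version string core/lib/Drupal.php declares, or None if absent."""
    m = VERSION_RE.search(drupal_php)
    return m.group(1) if m else None


def parse_version(version: str) -> tuple:
    """'10.5.9' -> (10, 5, 9); a suffix such as '-dev' on the patch part is dropped."""
    major, minor, patch = version.split(".", 2)
    m = re.match(r"\d+", patch)
    return int(major), int(minor), int(m.group()) if m else 0


def assess_version(version: str) -> str:
    """Compare an installed core version against the patched release for its branch."""
    major, minor, patch = parse_version(version)
    if major in (8, 9):
        # The advisory offers only best-effort manual patches for 8.9 and 9.5.
        return "end-of-life: only a best-effort manual patch exists; plan a migration"
    fixed = PATCHED_RELEASES.get((major, minor))
    if fixed is None:
        return "no patched release listed for this branch; treat as unsupported"
    if (major, minor, patch) >= fixed:
        return "patched"
    return "vulnerable: update to %d.%d.%d" % fixed


def check_site(settings_php: str, drupal_php: str) -> dict:
    """Combine the driver and version checks into one triage record."""
    drivers = database_drivers(settings_php)
    version = core_version(drupal_php)
    return {
        "drivers": drivers,
        "uses_postgresql": "pgsql" in drivers,
        "version": version,
        "core_status": assess_version(version) if version else "version not found",
    }


if __name__ == "__main__":
    for key, value in check_site(SAMPLE_SETTINGS_PHP, SAMPLE_DRUPAL_PHP).items():
        print(f"{key}: {value}")
```

On a real site, read the two files from disk and pass their contents to `check_site`. A `uses_postgresql` of False does not mean "skip the update": the Symfony and Twig fixes in the same release apply regardless of driver, which is why `core_status` is reported independently of the driver result.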
Sites behind Drupal Steward, the project’s WAF-based mitigation service, are shielded from known attack vectors as of the release, but should still patch — Steward blocks known patterns, not the underlying flaw.
If you cannot patch within hours, the interim steps are: put a WAF rule in front of the site, restrict anonymous traffic where feasible, and audit PostgreSQL logs for anomalous queries. After patching, assume nothing — rotate credentials, invalidate sessions, and review database contents and logs for signs the window between disclosure and your update was used against you.
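The "audit PostgreSQL logs for anomalous queries" step is vague as written, so here is one concrete way to do it. This is an added example, not code from the advisory or from Drupal: a small Python parser over PostgreSQL server log lines that flags statements carrying classic injection indicators and ERROR lines reporting syntax errors (failed probes). It assumes PostgreSQL's default `log_line_prefix` of `'%m [%p] '`, optionally extended with `'%u@%d '`, and that `log_statement = 'all'` is on for the window under review; without `log_statement`, only the ERROR/STATEMENT pairs are available. The log excerpt is constructed, and the indicator names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed PostgreSQL log excerpt (log_line_prefix '%m [%p] %u@%d ', log_statement = 'all').
# Lines 1 and 2 are what Drupal's database layer normally produces: a prepared statement
# with a $1 placeholder plus a DETAIL line carrying the bound parameter. Lines 3 to 6 are
# constructed anomalies for the parser to catch.
SAMPLE_LOG = "\n".join([
    '2026-05-20 18:02:11.104 UTC [4812] drupal@drupal LOG:  execute <unnamed>: SELECT "base_table"."uid" AS "uid" FROM "users_field_data" "base_table" WHERE "base_table"."name" = $1',
    "2026-05-20 18:02:11.105 UTC [4812] drupal@drupal DETAIL:  parameters: $1 = 'editor'",
    '2026-05-20 18:02:12.910 UTC [4819] drupal@drupal LOG:  statement: SELECT 1 FROM "node_field_data" WHERE "nid" = 7 UNION SELECT pg_sleep(5)--',
    '2026-05-20 18:02:14.002 UTC [4819] drupal@drupal ERROR:  syntax error at or near ")" at character 61',
    '2026-05-20 18:02:14.002 UTC [4819] drupal@drupal STATEMENT:  SELECT 1 FROM "node_field_data" WHERE "nid" = 7\')',
    "2026-05-20 18:02:15.300 UTC [4819] drupal@drupal LOG:  statement: SELECT table_name FROM information_schema.tables WHERE table_schema = 'public'",
])

# One log line: timestamp, backend pid, optional user@database, severity, message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?:(?P<user>\S+)@(?P<db>\S+) )?"
    r"(?P<level>LOG|ERROR|FATAL|PANIC|WARNING|NOTICE|DETAIL|HINT|CONTEXT|STATEMENT):\s+(?P<msg>.*)$"
)
# Strip the "statement: " or "execute <name>: " prefix to get at the SQL text itself.
STATEMENT_PREFIX = re.compile(r"^(?:statement:|execute\s+\S+:)\s*")

# Indicators that should not appear in SQL generated by Drupal's query builder.
# Order matters only for the order of findings reported per line.
INDICATORS = [
    ("sql-comment", re.compile(r"--|/\*")),
    ("stacked-statement", re.compile(r";\s*(?:SELECT|INSERT|UPDATE|DELETE|DROP|COPY|CREATE|ALTER|GRANT)\b", re.I)),
    ("union-select", re.compile(r"\bUNION(?:\s+ALL)?\s+SELECT\b", re.I)),
    ("time-delay", re.compile(r"\bpg_sleep\s*\(", re.I)),
    ("file-or-os-access", re.compile(r"\b(?:pg_read_file|pg_read_binary_file|pg_ls_dir|lo_import)\s*\(|\bCOPY\b.*\bPROGRAM\b", re.I)),
    ("catalog-enumeration", re.compile(r"\b(?:pg_catalog|information_schema)\.", re.I)),
]


@dataclass(frozen=True)
class Finding:
    line_no: int
    pid: int
    indicator: str
    statement: str


def audit_log(log_text: str) -> list:
    """Return one Finding per (line, indicator) hit, in log order."""
    findings = []
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a PostgreSQL log line we recognise (e.g. a wrapped continuation)
        level, msg, pid = m["level"], m["msg"], int(m["pid"])
        if level == "ERROR":
            # A burst of syntax errors from one backend is the classic trace of blind probing.
            if "syntax error" in msg:
                findings.append(Finding(line_no, pid, "syntax-error", msg))
            continue
        if level not in ("LOG", "STATEMENT"):
            continue
        sql = STATEMENT_PREFIX.sub("", msg)
        for name, pattern in INDICATORS:
            if pattern.search(sql):
                findings.append(Finding(line_no, pid, name, sql))
    return findings


def summarize(findings: list) -> dict:
    """Group distinct indicators by backend pid so one session's activity reads as a whole."""
    by_pid = {}
    for f in findings:
        by_pid.setdefault(f.pid, set()).add(f.indicator)
    return {pid: sorted(names) for pid, names in by_pid.items()}


if __name__ == "__main__":
    hits = audit_log(SAMPLE_LOG)
    for f in hits:
        print(f"line {f.line_no} pid {f.pid} [{f.indicator}] {f.statement[:80]}")
    print(summarize(hits))
```

Run it over the log window between the advisory's publication and the moment you patched. The patterns are a starting point, not a verdict: baseline them against a day of your own traffic first, because a module that adds SQL comments through the query builder, or a legitimate maintenance script reading `pg_catalog`, will show up too. What you are looking for is a single backend pid that accumulates several distinct indicators, or syntax errors on requests from anonymous sessions; either is reason to move to the credential rotation and content review the paragraph above describes.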
Refer to the official advisory at drupal.org/sa-core-2026-004 and the advance notice PSA-2026-05-18 for the authoritative version list.