Categories: Cyber Security News

Critical Drupal Core Vulnerability Exposes Websites to Attacks

The Drupal Security Team has officially released SA-CORE-2026-004, patching a highly critical SQL injection vulnerability (CVE-2026-9082) that affects Drupal core’s database abstraction API across nearly all supported and legacy versions.

Rated 20 out of 25 on Drupal's severity scale, with the risk vector AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon, the flaw requires no authentication to exploit and can expose the full confidentiality and integrity of site data.

Drupal core’s database abstraction API sanitizes all queries before execution to prevent SQL injection.

According to Drupal, CVE-2026-9082 breaks this protection: an attacker can send specially crafted HTTP requests that bypass the abstraction layer and deliver raw, malicious SQL directly to the PostgreSQL backend.

Successful exploitation can lead to information disclosure, privilege escalation, and, in certain configurations, remote code execution.

Only sites using PostgreSQL databases are directly affected by the core SQL injection vector. However, MySQL-backed sites should still apply updates, as the bundled Symfony and Twig dependency patches are included in the same release.

Affected Versions

All currently supported Drupal core branches (11.3.x, 11.2.x, 10.6.x and 10.5.x) receive official security releases fixing this issue.

End-of-life minor versions (11.1.x, 10.4.x and earlier) receive best-effort releases at versions 11.1.10 and 10.4.10 respectively, though the Drupal Security Team does not guarantee that these are regression-free.

Sites still running Drupal 8.9.x or 9.5.x, both fully end-of-life major versions, will only receive manual patch files that must be applied without automated tooling, with no guarantee of stability. Drupal 7 is not affected by this vulnerability.

While CVE-2026-9082 originates in Drupal core, the Drupal Security Team confirmed that Drupal CMS environments are also potentially vulnerable because they bundle Drupal core as a dependency.

The patch can be installed in minutes without taking the site offline, removing any barrier to immediate remediation, Drupal said.

Sites enrolled in Drupal Steward, the platform-level WAF service, are already protected against known attack vectors. However, the Security Team still urges upgrading, as new exploit vectors may emerge after public patch disclosure.

Security teams and administrators should act on the following without delay:

  • Update supported branches immediately to 11.3.10, 11.2.12, 10.6.9 or 10.5.10, depending on your installation.
  • Sites on EOL minor branches should update to 11.1.10 or 10.4.10 as an interim measure and plan migration to 11.3 or 10.6.
  • Sites on Drupal 8 or 9 should manually apply the provided patch files and immediately begin migration to a supported release.
  • Enable WAF protections and monitor for anomalous traffic patterns, as active exploits could appear within hours of patch publication.
  • Drupal 8 and 9 legacy sites also carry multiple previously unpatched CVEs, including those covered by SA-CORE-2026-001 and SA-CORE-2026-002, which no patch file will address.
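As an added example (not from the advisory or from Drupal), the following Python helper classifies an inventory of installed core versions against the fix releases listed above, so a team can see at a glance which sites are patched, which need the best-effort EOL release, which only have manual patch files, and which are unaffected Drupal 7. The site names and version strings in SAMPLE_SITES are constructed; any branch the advisory names no release for is reported as needing migration.

```python
import re

# First release on each supported branch carrying the SA-CORE-2026-004 fix (versions from the advisory).
SUPPORTED_FIX = {(11, 3): (11, 3, 10), (11, 2): (11, 2, 12),
                 (10, 6): (10, 6, 9), (10, 5): (10, 5, 10)}
# End-of-life minor branches that received best-effort releases (not guaranteed regression-free).
EOL_MINOR_FIX = {(11, 1): (11, 1, 10), (10, 4): (10, 4, 10)}
MANUAL_PATCH_MAJORS = {8, 9}  # fully end-of-life majors: manual patch files only

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")

def parse_version(text):
    """Return (major, minor, patch) from '10.5.9', '11.3.10-dev' or a two-part '7.98'."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal core version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)

def _fmt(v):
    return ".".join(str(x) for x in v)

def remediation_status(version_text):
    """Map an installed core version to the action the advisory calls for."""
    installed = parse_version(version_text)
    branch = installed[:2]
    if installed[0] == 7:
        return "unaffected"                 # Drupal 7 is not affected by CVE-2026-9082
    if installed[0] in MANUAL_PATCH_MAJORS:
        return "apply-manual-patch"         # 8.9.x / 9.5.x: patch files only, then migrate
    if branch in SUPPORTED_FIX:
        fixed = SUPPORTED_FIX[branch]
        return "patched" if installed >= fixed else f"update-to-{_fmt(fixed)}"
    if branch in EOL_MINOR_FIX:
        fixed = EOL_MINOR_FIX[branch]
        # Best-effort release only: plan migration to 11.3 or 10.6 either way.
        if installed >= fixed:
            return "patched-plan-migration"
        return f"update-to-{_fmt(fixed)}-plan-migration"
    return "no-fix-release-migrate"         # branch the advisory names no release for

# Constructed inventory for the demo; these are not real sites.
SAMPLE_SITES = {"intranet": "11.3.9", "portal": "11.3.10", "archive": "10.4.8",
                "legacy": "9.5.11", "old-store": "7.98"}

def audit(sites):
    """Return {site: status} for a mapping of site name to installed core version."""
    return {name: remediation_status(ver) for name, ver in sites.items()}
```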

This disclosure is the fourth Drupal core security advisory in 2026, following SA-CORE-2026-001 (CVE-2026-6365, jQuery XSS), SA-CORE-2026-002 (CVE-2026-6366, Gadget Chain), and SA-CORE-2026-003 (CVE-2026-6367, CKEditor XSS), all published in April 2026.

The accelerating pace of vulnerability discovery in the Drupal ecosystem underscores the urgency of maintaining up-to-date installations, particularly for enterprise, government, and educational deployments where Drupal powers mission-critical portals.


The post Critical Drupal Core Vulnerability Exposes Websites to Attacks appeared first on Cyber Security News.
