
Drupal Flaw Exposes PostgreSQL Sites to Remote Code Execution Attacks


"A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases," Drupal warned.

CVE-2026-9082: what the advisory says and its measured severity

Drupal has published security updates for a "highly critical" flaw in Drupal Core now tracked as CVE-2026-9082. The entry on CVE.org assigns the issue a CVSS score of 6.5 out of 10.0. According to Drupal, the flaw resides in a database abstraction API that Drupal Core uses to validate queries and ensure they are sanitized against SQL injection attacks.

How the bug operates against PostgreSQL-backed sites

Drupal's advisory states the vulnerability allows an attacker to send specially crafted requests that result in arbitrary SQL injection on sites using PostgreSQL databases. That, Drupal says, "can lead to information disclosure, and in some cases privilege escalation, remote code execution, or other attacks." The advisory notes this attack path is specific to sites that run with PostgreSQL as the underlying database.

Scope: anonymous attackers, affected versions, and exclusions

Drupal explicitly warns the flaw can be exploited by anonymous users. The releases that address the issue are:

  • Drupal 11.3.10
  • Drupal 11.2.12
  • Drupal 11.1.10
  • Drupal 10.6.9
  • Drupal 10.5.10
  • Drupal 10.4.10

Drupal 7 is not affected, the advisory says. For end-of-life branches, Drupal also released manual patches: Drupal 9.5 and Drupal 8.9.

Supported branches, Symfony and Twig updates, and end-of-life constraints

Drupal notes that the releases for supported branches (11.3, 11.2, 10.6, and 10.5) include upstream security updates for Symfony and Twig, and says it is essential that the latest versions be installed. The vendor also flags that Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. Drupal added that "Drupal 8 and Drupal 9 have both reached end-of-life."

Because of the issue's severity, Drupal provided unsupported releases and patches for unsupported versions as a best effort, and cautioned these unsupported versions "will still have other, previously disclosed security vulnerabilities."

What this means for technologists and security teams, affected enterprises and procurement leaders, and end users

  • Technologists and security teams: Teams running Drupal with PostgreSQL should prioritize installing the listed updates (for example, 11.3.10, 10.6.9, or the matching patch for their branch) because the vulnerability permits arbitrary SQL injection via crafted requests and can be triggered by anonymous actors. The advisory also highlights the need to take upstream Symfony and Twig updates included in supported-branch releases.
  • Affected enterprises and procurement leaders: Organizations using end-of-life Drupal branches should note that manual patches for Drupal 9.5 and 8.9 are provided only as a best effort and that those releases "will still have other, previously disclosed security vulnerabilities." Procurement and risk owners should treat unsupported branches as carrying residual, unmitigated exposure unless they migrate to supported releases.
  • End users and the general public: Sites using PostgreSQL-backed Drupal instances may be at risk of information disclosure or more severe outcomes (privilege escalation or remote code execution) if operators do not apply the vendor-provided updates or accepted patches.
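The triage logic the first bullet describes (is this site PostgreSQL-backed, and is its Drupal core below the fixed release for its branch?) as an added Python helper; it is not Drupal's code or part of the advisory. The fixed versions and branch status are taken from the advisory as summarized above; the driver names accepted (`pgsql` and its common spellings) are an assumption about how the caller reports the database backend.

```python
# Added triage helper for CVE-2026-9082; not Drupal's code. Fixed releases and
# branch status come from the advisory; driver-name matching is an assumption.
import re

# Fixed releases named in the advisory, keyed by "major.minor" branch.
FIXED = {
    "11.3": (11, 3, 10), "11.2": (11, 2, 12), "11.1": (11, 1, 10),
    "10.6": (10, 6, 9), "10.5": (10, 5, 10), "10.4": (10, 4, 10),
}
SUPPORTED = {"11.3", "11.2", "10.6", "10.5"}   # still receive security coverage
MANUAL_PATCH_ONLY = {"9.5", "8.9"}              # EOL; best-effort manual patch only
POSTGRES_DRIVERS = {"pgsql", "postgresql", "postgres"}  # assumed spellings


def parse_version(version: str) -> tuple:
    """Parse '11.3.9', '7.98' or '10.6.9-rc1' into an integer tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:[-+].*)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def triage(version: str, db_driver: str, manually_patched: bool = False) -> dict:
    """Return whether a site is exposed to CVE-2026-9082 and the remediation step."""
    ver = parse_version(version)
    branch = f"{ver[0]}.{ver[1]}"
    result = {"branch": branch, "supported": branch in SUPPORTED}
    if db_driver.lower() not in POSTGRES_DRIVERS:
        # The advisory scopes the injection path to PostgreSQL-backed sites.
        return {**result, "affected": False, "action": "not PostgreSQL; no action for this CVE"}
    if ver[0] == 7:
        return {**result, "affected": False, "action": "Drupal 7 is not affected"}
    if branch in FIXED:
        fixed = FIXED[branch]
        if ver >= fixed:
            return {**result, "affected": False, "action": "fixed release already installed"}
        note = "" if result["supported"] else " (branch is end-of-life; plan a migration)"
        return {**result, "affected": True,
                "action": "update to " + ".".join(map(str, fixed)) + note}
    if branch in MANUAL_PATCH_ONLY:
        if manually_patched:
            return {**result, "affected": False,
                    "action": "manual patch applied; branch remains EOL with other known issues"}
        return {**result, "affected": True, "action": "apply the best-effort manual patch, then migrate"}
    # Anything else (e.g. 11.0.x, 10.3.x) is EOL with no fix listed in the advisory.
    return {**result, "affected": True, "action": "no fix listed for this EOL branch; migrate"}
```

Feed it the core version from `drush status` or `core/lib/Drupal.php` and the `driver` value from `settings.php`; a MySQL or SQLite site comes back unaffected because the advisory's attack path is PostgreSQL-specific.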

Drupal's advisory frames a concrete, version-specific remediation path and an explicit warning about unsupported releases. The immediate action for operators is unambiguous: for PostgreSQL-backed sites running affected branches, install the vendor fixes listed for your release line or apply the manual patch for an end-of-life branch; recognize that end-of-life branches remain exposed to other known vulnerabilities even after this patch.
