Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks

Summary

Drupal released security updates addressing CVE-2026-9082, a highly critical flaw in the database abstraction API that allows anonymous attackers to perform SQL injection attacks on PostgreSQL-backed sites, potentially leading to remote code execution, privilege escalation, or information disclosure. The vulnerability affects Drupal versions 10.4 through 11.3, with patches available for supported branches and manual patches for end-of-life versions 8 and 9. Proof-of-concept code has been publicly released by Searchlight Cyber researchers.

Full text

Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks Ravie LakshmananMay 21, 2026Web Security / Vulnerability Drupal has released security updates for a "highly critical" security vulnerability in Drupal Core that could be exploited by attackers to achieve remote code execution, privilege escalation, or information disclosure. The vulnerability, now tracked as CVE-2026-9082, carries a CVSS score of 6.5 out of 10.0, per CVE.org. Drupal said the vulnerability resides in a database abstraction API that is used in Drupal Core to validate queries and ensure they are sanitized against SQL injection attacks. "A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases," it said. "This can lead to information disclosure, and in some cases privilege escalation, remote code execution, or other attacks." Drupal noted the security flaw can be exploited by anonymous users, and impacts only sites that use PostgreSQL. The following versions address the issue - Drupal 11.3.10 Drupal 11.2.12 Drupal 11.1.10 Drupal 10.6.9 Drupal 10.5.10 Drupal 10.4.10 Drupal 7 isn't affected. The releases for supported branches (versions 11.3, 11.2, 10.6, and 10.5) include upstream security updates for Symfony and Twig, making it essential that the latest versions are installed. As previously disclosed by Drupal, manual patches have also been released for Drupal versions 9 and 8, which have reached end-of-life - Drupal 9.5 Drupal 8.9 "Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage," Drupal said. "Drupal 8 and Drupal 9 have both reached end-of-life. "Due to this issue's severity, the unsupported releases and patches for unsupported versions are provided as a best effort. Those unsupported versions will still have other, previously disclosed security vulnerabilities." Update Searchlight Cyber has released two working proof-of-concept (PoC) code for CVE-2026-9082, stating the vulnerability can be exploited by anonymous users on any deployment that backs Drupal with PostgreSQL. "Both are gated on PostgreSQL being the database backend, so MySQL and SQLite installs are not exploitable through these paths," researchers Patrik Grobshäuser, Kevin Gervot, and Tomais Williamson said. "The upgrade is still worth picking up on those installs for the bundled Symfony and Twig advisories that the same Drupal release carries." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  cybersecurity, Drupal, PostgreSQL, privilege escalation, remote code execution, Symfony, Vulnerability ⚡ Top Stories This Week Claude Mythos AI Finds 10,000 High-Severity Flaws in Widely Used Software Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows ThreatsDay Bulletin: Linux Rootkits, Router 0-Day, AI Intrusions, Scam Kits and 25 New Stories Microsoft Warns of Two Actively Exploited Defender Vulnerabilities 9-Year-Old Linux Kernel Flaw Enables Root Command Execution on Major Distros GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension GitHub Breached — Employee Device Hack Led to Exfiltration of 3,800+ Internal Repos Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE Making Vulnerable Drivers Exploitable Without Hardware - The BYOVD Perspective The New Phishing Click: How OAuth Consent Bypasses MFA Developer Workstations Are Now Part of the Software Supply Chain ⭐ Featured Resources Claim ANY.RUN Anniversary Offer for Faster Malware Analysis [Guide] Learn to Detect AI Typosquatting Risks in Your Domain [Guide] Get Key Identity Security Insights From 2026 Snapshot Discover How to Navigate the Era of Constant Cyber Exposure

Indicators of Compromise

• cve — CVE-2026-9082

Entities