PT-2026-42228 · Postgresql Global Development Group+1 · Postgresql+1

Anna Kalata

+15

·

Published

2026-05-20

·

Updated

2026-06-21

·

CVE-2026-9082

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Drupal core versions 8.9.0 through 10.4.9 Drupal core versions 10.5.0 through 10.5.9 Drupal core versions 10.6.0 through 10.6.8 Drupal core versions 11.0.0 through 11.1.9 Drupal core versions 11.2.0 through 11.2.11 Drupal core versions 11.3.0 through 11.3.9
Description An unauthenticated SQL injection flaw exists in the database abstraction API of Drupal core, specifically within the PostgreSQL EntityQuery condition handler. The issue occurs because attacker-controlled PHP associative array keys are concatenated directly into SQL identifiers without proper sanitization or escaping. This allows remote anonymous users to execute arbitrary SQL commands on sites using PostgreSQL databases. Successful exploitation can lead to full database access, exfiltration of sensitive data such as session tokens and password hashes, privilege escalation to Administrator, and potentially remote code execution (RCE) if database permissions are misconfigured (e.g., allowing COPY FROM PROGRAM).
Real-world exploitation is active, with over 15,000 attack probes detected against approximately 6,000 sites across 65 countries, primarily targeting gaming and financial services. The vulnerability is triggered via crafted array keys in JSON:API URLs, specifically using the filter[...][condition][value][malicious key] structure.
Recommendations Update to version 10.4.10 for versions 8.9.0 through 10.4.9. Update to version 10.5.10 for versions 10.5.0 through 10.5.9. Update to version 10.6.9 for versions 10.6.0 through 10.6.8. Update to version 11.1.10 for versions 11.0.0 through 11.1.9. Update to version 11.2.12 for versions 11.2.0 through 11.2.11. Update to version 11.3.10 for versions 11.3.0 through 11.3.9. Restrict user roles that have the ability to update Twig templates via Views or contributed modules. As a temporary mitigation, route production traffic through a Web Application Firewall (WAF) to filter malicious nested array payload signatures.

Exploit

Fix

LPE

RCE

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-07114
BIT-DRUPAL-2026-9082
CVE-2026-9082
DRUPAL-CORE-2026-004
GHSA-GHWC-95X2-682J

Affected Products

Drupal
Postgresql