PT-2026-42228 · PostgreSQL Global Development Group · PostgreSQL

Anna Kalata · Published 2026-05-20 · Updated 2026-05-21 · CVE-2026-9082

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Drupal core versions 8.9.0 through 10.4.0
Drupal core versions 10.5.0 through 10.5.9
Drupal core versions 10.6.0 through 10.6.8
Drupal core versions 11.0.0 through 11.1.9
Drupal core versions 11.2.0 through 11.2.11
Drupal core versions 11.3.0 through 11.3.9

Description

An SQL injection flaw exists in the database abstraction API of Drupal core, specifically affecting sites using PostgreSQL databases. This issue allows unauthenticated anonymous users to send specially crafted requests, such as through JSON:API filters, to bypass query sanitization and execute arbitrary SQL commands. Successful exploitation can lead to information disclosure, privilege escalation, and remote code execution. Real-world incidents have been reported where attackers exploited this flaw in the PostgreSQL API to gain administrative control and move laterally through connected systems.

Recommendations

Update Drupal core versions 8.9.0 through 10.4.0 to version 10.4.10.
Update Drupal core versions 10.5.0 through 10.5.9 to version 10.5.10.
Update Drupal core versions 10.6.0 through 10.6.8 to version 10.6.9.
Update Drupal core versions 11.0.0 through 11.1.9 to version 11.1.10.
Update Drupal core versions 11.2.0 through 11.2.11 to version 11.2.12.
Update Drupal core versions 11.3.0 through 11.3.9 to version 11.3.10.
Route traffic through Drupal Steward or apply WAF mitigation rules if patching is not immediately possible.
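The version ranges above are easy to misread when triaging many sites (the first range spans Drupal 9.x and 10.0 to 10.4.0, and only PostgreSQL-backed sites are exposed). The following added triage helper, not part of the advisory or of Drupal itself, checks a core version and the configured database driver against the six ranges and reports the fixed release; it assumes the driver name is read from `$databases['default']['default']['driver']` in settings.php, where Drupal's PostgreSQL driver is `pgsql`.

```python
"""Triage helper for CVE-2026-9082 (Drupal core SQL injection on PostgreSQL).

Added example, not part of the advisory: given a Drupal core version string
and the configured database driver, report whether the site falls into one
of the six affected ranges and which release fixes it.
"""
import re

# Affected ranges (inclusive) and the fixed release, taken from the advisory.
AFFECTED_RANGES = [
    ((8, 9, 0), (10, 4, 0), "10.4.10"),
    ((10, 5, 0), (10, 5, 9), "10.5.10"),
    ((10, 6, 0), (10, 6, 8), "10.6.9"),
    ((11, 0, 0), (11, 1, 9), "11.1.10"),
    ((11, 2, 0), (11, 2, 11), "11.2.12"),
    ((11, 3, 0), (11, 3, 9), "11.3.10"),
]


def parse_version(version: str) -> tuple:
    """Parse 'MAJOR.MINOR.PATCH'; a pre-release suffix such as '-dev' is ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Drupal version: {version!r}")
    return tuple(int(x) for x in m.groups())


def triage(version: str, db_driver: str) -> dict:
    """Return affected status and fixed release for one site.

    db_driver is assumed to be the 'driver' value of the default database in
    settings.php ('pgsql' for PostgreSQL, 'mysql', 'sqlite', ...). Per the
    advisory only PostgreSQL sites are exposed, but a non-PostgreSQL site in
    an affected range should still be updated (in_affected_range stays True).
    """
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            return {"version": version, "in_affected_range": True,
                    "fixed_in": fixed, "exposed": db_driver == "pgsql"}
    return {"version": version, "in_affected_range": False,
            "fixed_in": None, "exposed": False}


if __name__ == "__main__":
    # Constructed sample inventory: (site, drupal core version, db driver)
    for site, ver, drv in [("a", "9.5.11", "pgsql"), ("b", "11.2.11", "mysql"),
                           ("c", "10.4.10", "pgsql")]:
        print(site, triage(ver, drv))
```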

Tags: Fix · RCE · LPE · SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-9082
DRUPAL-CORE-2026-004

Affected Products

Drupal
Postgresql