PT-2026-42228 · Postgresql Global Development Group+1 · Postgresql+1
Anna Kalata
+15
·
Published
2026-05-20
·
Updated
2026-06-21
·
CVE-2026-9082
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Drupal core versions 8.9.0 through 10.4.9
Drupal core versions 10.5.0 through 10.5.9
Drupal core versions 10.6.0 through 10.6.8
Drupal core versions 11.0.0 through 11.1.9
Drupal core versions 11.2.0 through 11.2.11
Drupal core versions 11.3.0 through 11.3.9
Description
An unauthenticated SQL injection flaw exists in the database abstraction API of Drupal core, specifically within the PostgreSQL
EntityQuery condition handler. The issue occurs because attacker-controlled PHP associative array keys are concatenated directly into SQL identifiers without proper sanitization or escaping. This allows remote anonymous users to execute arbitrary SQL commands on sites using PostgreSQL databases. Successful exploitation can lead to full database access, exfiltration of sensitive data such as session tokens and password hashes, privilege escalation to Administrator, and potentially remote code execution (RCE) if database permissions are misconfigured (e.g., allowing COPY FROM PROGRAM).Real-world exploitation is active, with over 15,000 attack probes detected against approximately 6,000 sites across 65 countries, primarily targeting gaming and financial services. The vulnerability is triggered via crafted array keys in JSON:API URLs, specifically using the
filter[...][condition][value][malicious key] structure.Recommendations
Update to version 10.4.10 for versions 8.9.0 through 10.4.9.
Update to version 10.5.10 for versions 10.5.0 through 10.5.9.
Update to version 10.6.9 for versions 10.6.0 through 10.6.8.
Update to version 11.1.10 for versions 11.0.0 through 11.1.9.
Update to version 11.2.12 for versions 11.2.0 through 11.2.11.
Update to version 11.3.10 for versions 11.3.0 through 11.3.9.
Restrict user roles that have the ability to update Twig templates via Views or contributed modules.
As a temporary mitigation, route production traffic through a Web Application Firewall (WAF) to filter malicious nested array payload signatures.
Exploit
Fix
LPE
RCE
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Drupal
Postgresql