Executive Summary

    Update May 20th, 2026: Drupal recently updated their security advisory with additional technical details and an official CVE to reference a critical vulnerability in Drupal Core. Tracked as CVE-2026-9082, the flaw is an SQL injection vulnerability that can be reached through Drupal Core’s database abstraction API and only affects deployments using PostgreSQL databases.

    Successful exploitation of the flaw can lead to sensitive information disclosure, privilege escalation, and up to remote code execution on certain configurations. Relevant sections of this advisory have been updated accordingly.

    While the critical SQL injection vulnerability itself is limited to PostgreSQL-backed environments, the released updates include additional upstream security fixes, and Drupal recommends applying them across all deployment types.

    On May 18th, the Drupal Security team disclosed a highly critical vulnerability currently tracked by the vendor as PSA-2026-05-18, affecting supported branches of Drupal core.

    The flaw requires no authentication or special access conditions to exploit, allowing unauthenticated attackers with network access to compromise affected installations. End-of-support versions of Drupal Core 8 and 9 have been provided emergency patches due to the severity of this flaw; however, these must be applied manually. Please see the Affected Systems and Products section of this advisory for more information.

    Drupal security teams believe that exploits could be developed within hours or days of disclosure. Given the critical severity of this vulnerability and the potential for exploitation, Beazley Security strongly recommends that all organizations running affected versions patch immediately.

    Affected Systems or Products

    Affected Versions               Fixed / Patch Available
    Drupal Core 11.3.x              Drupal 11.3.10
    Drupal Core 11.2.x              Drupal 11.2.12
    Drupal Core 11.1.x, 11.0.x      Drupal 11.1.10
    Drupal Core 10.6.x              Drupal 10.6.9
    Drupal Core 10.5.x              Drupal 10.5.10
    Drupal Core 10.4.x or earlier   Drupal 10.4.10
    Drupal Core 9.5.x               Emergency patch, applied manually (see note below)
    Drupal Core 8.9.x               Emergency patch, applied manually (see note below)
    Drupal Core 7.x                 Not affected

    Note: Major versions of Drupal 8 and 9 are considered end of life by the vendor, and official branch releases will not be created. However, given the severity of the issue, the vendor is providing emergency patches for Drupal 8.9 and 9.5 that must be applied manually. The vendor also advises that these patches are not guaranteed to work correctly. Upgrading to supported versions is strongly encouraged.
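    The following triage helper is an added example, not code from Drupal or Beazley Security. It encodes the fixed-release table above, classifies a site from its core version string, and reads the database driver out of a settings.php fragment (Drupal's real 'driver' => 'pgsql' key) to flag whether the PostgreSQL-only CVE-2026-9082 path applies; the sample settings.php text is constructed.

```python
import re

# Fixed releases per branch, taken from the advisory table above.
FIXED_RELEASES = {
    (11, 3): "11.3.10", (11, 2): "11.2.12",
    (11, 1): "11.1.10", (11, 0): "11.1.10",   # 11.0.x also moves to 11.1.10
    (10, 6): "10.6.9",  (10, 5): "10.5.10",
    (10, 4): "10.4.10",                       # target for 10.4.x or earlier
}
EOL_EMERGENCY_PATCH = {(9, 5), (8, 9)}       # end of life; patch applied by hand

def parse_version(text):
    """Return (major, minor, patch) from a Drupal version string such as '10.4.7'."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Drupal version: {text!r}")
    return tuple(int(x) for x in m.groups())

def database_driver(settings_php):
    """Pull the driver name ('pgsql', 'mysql', ...) out of settings.php text."""
    m = re.search(r"""['"]driver['"]\s*=>\s*['"](\w+)['"]""", settings_php)
    return m.group(1) if m else None

def assess(version_text, settings_php):
    """Classify one site against PSA-2026-05-18 / CVE-2026-9082."""
    v = parse_version(version_text)
    major, minor, _ = v
    target = None
    if major == 7:
        status = "not affected"
    elif (major, minor) in EOL_EMERGENCY_PATCH:
        status = "affected: end of life, apply the emergency patch manually or upgrade"
    elif major == 10 and minor <= 4:
        target = FIXED_RELEASES[(10, 4)]
    elif (major, minor) in FIXED_RELEASES:
        target = FIXED_RELEASES[(major, minor)]
    else:
        status = "branch not listed in the advisory table; check drupal.org/security"
    if target is not None:
        status = "patched" if v >= parse_version(target) else f"affected: update to {target}"
    driver = database_driver(settings_php)
    # CVE-2026-9082 itself is only reachable on PostgreSQL; other drivers still
    # need the release for the bundled Symfony and Twig fixes.
    return {"status": status, "target": target, "driver": driver,
            "sqli_exposed": status.startswith("affected") and driver == "pgsql"}

# Constructed settings.php fragment for demonstration (not from any real site).
SAMPLE_SETTINGS = "$databases['default']['default'] = ['driver' => 'pgsql', 'database' => 'drupal'];"

if __name__ == "__main__":
    print(assess("10.4.7", SAMPLE_SETTINGS))
```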

    Mitigations / Workarounds

    Given the advance disclosure and criticality of this vulnerability, patching is strongly encouraged. Drupal has released emergency patches to remediate the flaws in Drupal Core; please see the “Patches” section for more information.

    If patching cannot be immediately applied, the following mitigations may temporarily reduce the risk of exposure:

    • Sites running Drupal Steward have received advance signature protection from Drupal against known attack vectors; however, Steward customers are still strongly encouraged to apply upstream patching in the event that additional exploit methods are identified after publication.

    • If possible, restrict public network access to affected Drupal Core installations, or consider temporarily isolating them until patches can be applied.

    Patches

    Updated branches have been made available by Drupal’s security team for supported versions as indicated in the “Affected Systems and Products” table above. Releases for Drupal core can be found on their official releases site. Vulnerability updates for Drupal products are available at drupal.org/security.

    Technical Details

    As of May 20th, Drupal released additional technical details and publicly assigned CVE-2026-9082 to this flaw. The vulnerability exists within Drupal Core’s database abstraction API, whose purpose is to prevent direct database access and to sanitize queries.

    According to the updated advisory, a remote, unauthenticated attacker can send specially crafted requests to the API endpoint that could result in arbitrary SQL injection against affected PostgreSQL-backed deployments. Successful exploitation allows attackers to dump sensitive database information, and depending on configuration, achieve privilege escalation up to remote code execution.

    While CVE-2026-9082 only affects Drupal systems using PostgreSQL, the vendor noted that this security update also contains fixes for flaws found in the related Symfony and Twig components. Organizations that do not use PostgreSQL but do use either of these components should still apply the provided updates.

    Prior to official disclosure, Drupal security teams warned that exploit development could occur rapidly following public release of the technical details, signaling that the vulnerability may be trivial to exploit. Given the critical severity of this vulnerability and the heightened potential for exploitation, Beazley Security expects attackers will soon weaponize the flaw and recommends that affected organizations patch immediately.

    How Beazley Security is responding

    Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.

    We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.

    If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.