- Last update: 21/05/2026
- Affected software:
→ Drupal 8.9.x and later versions
- Type: SQL Injection
- CVE/CVSS
→ CVE-2026-9082: CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Drupal - https://www.drupal.org/psa-2026-05-18
GitHub - https://github.com/lysophavin18/cve-2026-9082
CVE-2026-9082 is an SQL injection vulnerability in Drupal core. An unauthenticated remote attacker can exploit it by sending a specially crafted request to an affected Drupal site running on PostgreSQL. Successful exploitation may result in information disclosure, data tampering or deletion, and in some cases privilege escalation or remote code execution.
No exploitation has been observed in the wild. However, a proof-of-concept (PoC) exploit is available.
CVE-2026-9082 is an SQL injection vulnerability affecting Drupal 8 and all later versions. Drupal rates it Highly Critical (20/25) with potential for full data exposure and modification, while NVD assigns a lower CVSS 6.5 score; the NVD vector (C:L/I:L/A:N) credits only partial confidentiality and integrity impact.
The vulnerability exists in Drupal core's database abstraction API, specifically in the PostgreSQL EntityQuery condition handler. Only sites using a PostgreSQL database are affected; sites on MySQL, MariaDB or SQLite are not in scope. Exploitation allows an unauthenticated remote attacker to send specially crafted requests that result in arbitrary SQL injection. This can lead to information disclosure and, in some cases, privilege escalation, remote code execution (RCE) or other attacks.
Drupal has released fixed versions across all currently supported branches, as well as exceptional releases for two end-of-life branches due to the severity of this vulnerability.
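The two facts that decide whether a site is in the affected population are its database driver (only PostgreSQL is affected) and its core major version (8 and later). The triage helper below, an added example and not CCB or Drupal project code, reads those from a Drupal code base: the `driver` keys in `$databases` in `sites/default/settings.php` and the `VERSION` constant in `core/lib/Drupal.php`. It deliberately does not hard-code the fixed release numbers, because the advisory does not list them; compare the reported version against the Drupal PSA. The settings.php and Drupal.php fragments used as input are constructed samples, and the file paths are the Drupal defaults (a multi-site install may keep settings.php elsewhere).

```python
"""Triage: is this Drupal site in the population affected by CVE-2026-9082?

Added example, not CCB or Drupal code. Checks (a) PostgreSQL driver in
$databases and (b) core major version >= 8. Whether the exact release is one
of the fixed ones must be checked against the Drupal PSA by hand.
"""
import re
from pathlib import Path
from typing import Optional, Set, Tuple

# Default locations inside a Drupal code base (assumption: standard layout).
SETTINGS_REL = Path("sites/default/settings.php")
CORE_REL = Path("core/lib/Drupal.php")

# 'driver' => 'pgsql'  (quotes may be single or double)
DRIVER_RE = re.compile(r"""['"]driver['"]\s*=>\s*['"](\w+)['"]""")
# const VERSION = '10.2.3';
VERSION_RE = re.compile(r"""const\s+VERSION\s*=\s*['"]([^'"]+)['"]""")


def database_drivers(settings_php: str) -> Set[str]:
    """Every driver declared in $databases; a site may define several."""
    return set(DRIVER_RE.findall(settings_php))


def core_version(drupal_php: str) -> Optional[str]:
    """Core version string from core/lib/Drupal.php, or None if absent."""
    m = VERSION_RE.search(drupal_php)
    return m.group(1) if m else None


def parse_version(v: str) -> Tuple[int, ...]:
    """'10.2.3' -> (10, 2, 3); pre-release suffixes such as '-rc1' are dropped."""
    return tuple(int(p) for p in re.split(r"[.-]", v) if p.isdigit())


def triage(settings_php: str, drupal_php: str) -> dict:
    """Combine both checks; 'in_affected_population' is the headline answer."""
    drivers = database_drivers(settings_php)
    version = core_version(drupal_php)
    parts = parse_version(version) if version else ()
    major = parts[0] if parts else None
    uses_pgsql = "pgsql" in drivers
    core_in_scope = major is not None and major >= 8  # advisory: Drupal 8 and later
    return {
        "version": version,
        "drivers": sorted(drivers),
        "uses_postgresql": uses_pgsql,
        "core_in_scope": core_in_scope,
        "in_affected_population": uses_pgsql and core_in_scope,
    }


def triage_docroot(docroot: str) -> dict:
    """Run triage against a real Drupal document root on disk."""
    root = Path(docroot)
    return triage((root / SETTINGS_REL).read_text(), (root / CORE_REL).read_text())


# Constructed sample inputs (not taken from a real site).
SAMPLE_SETTINGS_PGSQL = """
$databases['default']['default'] = [
  'database' => 'drupal',
  'username' => 'drupal',
  'password' => 'secret',
  'host' => 'localhost',
  'port' => '5432',
  'driver' => 'pgsql',
  'prefix' => '',
];
"""
SAMPLE_SETTINGS_MYSQL = SAMPLE_SETTINGS_PGSQL.replace("pgsql", "mysql").replace("5432", "3306")
SAMPLE_DRUPAL_PHP = """
class Drupal {
  const VERSION = '10.2.3';
  const CORE_COMPATIBILITY = '8.x';
}
"""

if __name__ == "__main__":
    for label, settings in (("pgsql", SAMPLE_SETTINGS_PGSQL), ("mysql", SAMPLE_SETTINGS_MYSQL)):
        print(label, triage(settings, SAMPLE_DRUPAL_PHP))
```

Run it as `python3 triage.py` for the samples, or call `triage_docroot("/var/www/drupal")` against a live code base. A site that reports `in_affected_population: True` still needs its exact version compared with the fixed releases in the PSA.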
Patch
The Centre for Cybersecurity Belgium strongly recommends installing the updates on vulnerable systems with the highest priority after thorough testing.
Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.
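The advisory gives no request signature for the exploit, so a detection built on the payload is not possible from this page. What a practitioner can do on the database side is look for what injection probing against an SQL-building code path usually leaves behind: a burst of PostgreSQL parse and type errors raised by the application's database role. The scanner below is an added example, not CCB code and not specific to CVE-2026-9082; it can be run over retained PostgreSQL server logs both for the live monitoring recommended above and to look back for historic compromise after patching. It assumes `log_line_prefix = '%m [%p] %u@%d '` (the format of the constructed sample lines) and attaches the `STATEMENT:` line PostgreSQL logs after each `ERROR:` so the offending query is kept for review.

```python
"""Detect bursts of injection-style SQL errors in PostgreSQL server logs.

Added example, not CCB code, not specific to the CVE-2026-9082 payload.
Assumed log_line_prefix: '%m [%p] %u@%d '. Sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ \S+ "
    r"\[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)

# Error texts a probed/malformed query tends to produce. Tune for your workload.
PROBE_PATTERNS = [re.compile(p) for p in (
    r"syntax error at or near",
    r"unterminated quoted string",
    r"invalid input syntax for type",
    r"operator does not exist",
    r"column .* does not exist",
)]


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into fields, or None if it does not match the prefix."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def looks_like_probe(msg: str) -> bool:
    return any(p.search(msg) for p in PROBE_PATTERNS)


def scan(lines: List[str], threshold: int = 3, window_seconds: int = 60) -> List[dict]:
    """One alert per database role that raises `threshold` probe-like errors
    within `window_seconds`; each alert carries the captured statements."""
    events: Dict[str, List[dict]] = defaultdict(list)
    last: Optional[dict] = None  # most recent probe-like ERROR, awaiting its STATEMENT line
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["level"] == "ERROR" and looks_like_probe(rec["msg"]):
            last = {"ts": rec["ts"], "pid": rec["pid"], "msg": rec["msg"], "statement": None}
            events[f"{rec['user']}@{rec['db']}"].append(last)
        elif (rec["level"] == "STATEMENT" and last is not None
              and last["pid"] == rec["pid"] and last["statement"] is None):
            last["statement"] = rec["msg"]  # PostgreSQL logs the failing query right after the ERROR
        else:
            last = None

    alerts = []
    for role, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs) - threshold + 1):
            span = (evs[i + threshold - 1]["ts"] - evs[i]["ts"]).total_seconds()
            if span <= window_seconds:
                alerts.append({
                    "role": role,
                    "count": len(evs),
                    "first": evs[i]["ts"],
                    "statements": [e["statement"] for e in evs if e["statement"]],
                })
                break
    return alerts


# Constructed sample log (not a real exploit trace): three probe-like errors from
# the Drupal role in two seconds, one benign error, one lone error from another role.
SAMPLE_LOG = """\
2026-05-21 10:12:01.001 UTC [4121] drupal@drupal ERROR:  syntax error at or near "'" at character 143
2026-05-21 10:12:01.001 UTC [4121] drupal@drupal STATEMENT:  SELECT "base_table"."nid" FROM "node_field_data" "base_table" WHERE "base_table"."title" = 'a'''
2026-05-21 10:12:02.310 UTC [4121] drupal@drupal ERROR:  unterminated quoted string at or near "'"
2026-05-21 10:12:02.310 UTC [4121] drupal@drupal STATEMENT:  SELECT "base_table"."nid" FROM "node_field_data" "base_table" WHERE "base_table"."title" = 'a'
2026-05-21 10:12:03.880 UTC [4122] drupal@drupal ERROR:  operator does not exist: character varying = integer
2026-05-21 10:12:03.880 UTC [4122] drupal@drupal STATEMENT:  SELECT "base_table"."nid" FROM "node_field_data" "base_table" WHERE "base_table"."title" = 1
2026-05-21 10:40:15.000 UTC [4200] drupal@drupal ERROR:  duplicate key value violates unique constraint "cache_bootstrap_pkey"
2026-05-21 10:41:00.000 UTC [4201] monitor@postgres ERROR:  syntax error at or near "FROM" at character 8
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert["role"], alert["count"], alert["first"])
        for stmt in alert["statements"]:
            print("   ", stmt)
```

On a live system feed it `/var/log/postgresql/*.log` (or whatever `log_destination` points at); a single alert is a reason to pull the matching web-server access log for the same timestamps and look at which request path produced the queries. The `duplicate key` line is left out on purpose: ordinary application errors must not trip the rule, so keep `PROBE_PATTERNS` to parse- and type-level failures.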
Tenable - https://www.tenable.com/blog/cve-2026-9082-highly-critical-sql-injection-vulnerability-in-drupal-core-sa-core-2026-004
CSO Online - https://www.csoonline.com/article/4175329/drupal-admins-rushing-to-patch-maximum-severity-sql-injection-vulnerability.html