CVE-2026-9082: Unauthenticated SQL Injection in Drupal Core PostgreSQL Driver
Vulnerability ID: CVE-2026-9082
CVSS Score: 6.5
Published: 2026-05-20
Drupal Core contains a highly critical SQL injection vulnerability (CVE-2026-9082) within its Database Abstraction API. The flaw specifically affects installations using the PostgreSQL database backend, allowing unauthenticated attackers to execute arbitrary SQL commands via crafted array keys in filter parameters.
TL;DR
Unauthenticated SQL injection in Drupal Core's PostgreSQL driver allows full database compromise and potential remote code execution via crafted JSON:API or search queries.
⚠️ Exploit Status: PoC available
Technical Details
- CWE ID: CWE-89
- Attack Vector: Network (Unauthenticated)
- CVSS v3.1 Score: 6.5
- Drupal Risk Score: 20/25 (Highly Critical)
- Exploit Status: PoC Available
- KEV Status: Not Listed
Affected Systems
- Drupal Core 8.9.0 - 10.4.9 (with PostgreSQL); fixed in 10.4.10
- Drupal Core 10.5.0 - 10.5.9 (with PostgreSQL); fixed in 10.5.10
- Drupal Core 10.6.0 - 10.6.8 (with PostgreSQL); fixed in 10.6.9
- Drupal Core 11.0.0 - 11.1.9 (with PostgreSQL); fixed in 11.1.10
- Drupal Core 11.2.0 - 11.2.11 (with PostgreSQL); fixed in 11.2.12
- Drupal Core 11.3.0 - 11.3.9 (with PostgreSQL); fixed in 11.3.10
Exploit Details
- GitHub (lysophavin18): Proof of Concept repository detailing exploitation techniques
- GitHub (HORKimhab): Additional public Proof of Concept repository
Mitigation Strategies
- Apply official Drupal Core security patches immediately
- Revoke PostgreSQL SUPERUSER privileges from the Drupal database user
- Deploy WAF rules to filter PostgreSQL-specific syntax from incoming requests
Remediation Steps
- Identify the current Drupal Core version via the Composer lockfile (composer.lock)
- Run composer update drupal/core drupal/core-recommended to install the patched release
- Verify the PostgreSQL database user's permissions with the \du command in the psql console
- Configure SIEM and WAF to monitor for pg_sleep and COPY FROM PROGRAM patterns in incoming requests
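The following Python is an added example, not code from the advisory or from the Drupal project. It covers two of the remediation steps above offline: it reads the installed drupal/core version from composer.lock (standard Composer layout: a "packages" list with "name" and "version" keys) and reports which fixed release applies, using the affected ranges stated in this advisory; and it scans web-server access-log lines for the pg_sleep and COPY FROM PROGRAM indicators the SIEM/WAF step names, URL-decoding twice so percent-encoding does not hide them. The access-log lines and the composer.lock fragment are constructed samples, and the function names (fix_needed, scan_log, and so on) are choices made here.

```python
"""Added example (not from the advisory or Drupal): two defender-side checks
for CVE-2026-9082.

1. Read drupal/core's version from composer.lock and compare it against the
   affected ranges and fixed releases listed in the advisory.
2. Scan access-log request lines for the pg_sleep and COPY FROM PROGRAM
   patterns the advisory tells SIEM/WAF operators to monitor.

composer.lock's "packages" list with "name"/"version" is the standard Composer
format; the log lines and lock fragment below are constructed samples.
"""
import json
import re
from urllib.parse import unquote_plus

# Affected ranges and fixed releases exactly as stated in the advisory:
# (first affected, last affected, fixed release).
FIXED_RELEASES = [
    ((8, 9, 0), (10, 4, 9), "10.4.10"),
    ((10, 5, 0), (10, 5, 9), "10.5.10"),
    ((10, 6, 0), (10, 6, 8), "10.6.9"),
    ((11, 0, 0), (11, 1, 9), "11.1.10"),
    ((11, 2, 0), (11, 2, 11), "11.2.12"),
    ((11, 3, 0), (11, 3, 9), "11.3.10"),
]

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version):
    """'10.4.3' or 'v10.4.3-dev' -> (10, 4, 3); raises on unrecognised strings."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def core_version_from_lock(lock_json):
    """Return the installed drupal/core version from composer.lock text, or None."""
    lock = json.loads(lock_json)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "drupal/core":
            return pkg.get("version")
    return None


def fix_needed(version):
    """Release that fixes the affected range containing `version`, or None when
    the version lies outside every affected range (already patched or newer).
    Tuple comparison makes 9.x fall inside the 8.9.0 - 10.4.9 range as intended."""
    v = parse_version(version)
    for first, last, fixed in FIXED_RELEASES:
        if first <= v <= last:
            return fixed
    return None


# Indicators named in the advisory's SIEM/WAF guidance. Requests are URL-decoded
# twice before matching so single or double percent-encoding does not hide them.
INDICATORS = {
    "pg_sleep": re.compile(r"pg_sleep\s*\(", re.IGNORECASE),
    "COPY FROM PROGRAM": re.compile(r"\bcopy\b.*?\bfrom\s+program\b", re.IGNORECASE),
}


def indicators_in(request_line):
    """Names of advisory indicators present in one raw access-log line."""
    decoded = unquote_plus(unquote_plus(request_line))
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]


def scan_log(lines):
    """(line index, [indicator names]) for every line matching at least one indicator."""
    hits = []
    for i, line in enumerate(lines):
        found = indicators_in(line)
        if found:
            hits.append((i, found))
    return hits


# Constructed sample access-log lines (not real traffic). Line 0 is a benign
# JSON:API filter; line 1 is single-encoded, line 2 double-encoded.
SAMPLE_LOG = [
    '203.0.113.10 - - [20/May/2026:10:00:01 +0000] "GET /jsonapi/node/article?filter[title][value]=hello HTTP/1.1" 200 4096',
    '203.0.113.11 - - [20/May/2026:10:00:02 +0000] "GET /jsonapi/node/article?filter[x]=pg_sleep%285%29 HTTP/1.1" 200 512',
    '203.0.113.12 - - [20/May/2026:10:00:03 +0000] "GET /search/node?keys=COPY%2520t%2520FROM%2520PROGRAM HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    # Constructed composer.lock fragment standing in for a real lockfile.
    constructed_lock = json.dumps({"packages": [{"name": "drupal/core", "version": "10.5.3"}]})
    installed = core_version_from_lock(constructed_lock)
    print(f"drupal/core {installed}: fix needed -> {fix_needed(installed)}")
    for index, names in scan_log(SAMPLE_LOG):
        print(f"log line {index}: {', '.join(names)}")
```

To use it against a real site, pass the contents of the site's composer.lock to core_version_from_lock and feed the access log line by line into scan_log; a non-empty result from fix_needed means the installation is inside an affected range and should be updated to the release returned. The indicator scan is a coarse first filter meant to feed a SIEM rule, not a replacement for the WAF rules the mitigation section recommends.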
References
- Official Drupal Advisory (SA-CORE-2026-004)
- CVE-2026-9082 at CVE.org
- NVD Record
- GitHub PoC Repository (lysophavin18)
- GitHub PoC Repository (HORKimhab)