
Critical Drupal Vulnerability Endangers PostgreSQL Websites with RCE Attacks

In short: Drupal has released critical security updates for CVE-2026-9082, a SQL injection vulnerability in the database API that endangers PostgreSQL websites. Updates are available for versions 10.4 and higher. End-of-life versions receive only manual patches.

Drupal has released security updates for a highly critical vulnerability in Drupal Core. The vulnerability, registered as CVE-2026-9082, could allow attackers to achieve remote code execution, privilege escalation, or data leaks. It carries a CVSS score of 6.5 and affects sites backed by PostgreSQL databases in particular.

The flaw lies in a database API of Drupal Core that normally validates input and protects against SQL injection. A bug in this API allows attackers to send specially crafted requests that result in arbitrary SQL injection on PostgreSQL-based websites, which can lead to information disclosure, privilege escalation, remote code execution, and further attacks.

The vulnerability can be exploited by anonymous users and affects only websites with PostgreSQL databases. Drupal has provided corresponding updates for the following versions: Drupal 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, and 10.4.10. Drupal 7 is not affected.

The updates for the supported branches (11.3, 11.2, 10.6, and 10.5) additionally contain security updates for Symfony and Twig, so installing the latest releases is strongly recommended. For the end-of-life versions Drupal 8 and 9, Drupal provides manual patches, but only as a best-effort solution without further security support.
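As an added example (not code from the advisory or the Drupal project), the following Python check maps an installed core version and database driver to the patch status implied by the version list above. The driver names, the status labels and the handling of pre-release suffixes are assumptions made for this example.

```python
"""Patch-status check for CVE-2026-9082 (Drupal core SQL injection, PostgreSQL only)."""

# First core release on each branch that carries the fix, as listed in the advisory.
FIXED_RELEASES = {
    (11, 3): (11, 3, 10, 1),
    (11, 2): (11, 2, 12, 1),
    (11, 1): (11, 1, 10, 1),
    (10, 6): (10, 6, 9, 1),
    (10, 5): (10, 5, 10, 1),
    (10, 4): (10, 4, 10, 1),
}
# Majors the advisory names as end-of-life: manual best-effort patches only.
EOL_MANUAL_PATCH_MAJORS = {8, 9}
# Driver names that indicate a PostgreSQL-backed site (assumed spellings).
POSTGRES_DRIVERS = {"pgsql", "postgresql", "postgres"}


def parse_version(version: str) -> tuple:
    """Parse 'X.Y.Z' or 'X.Y', optionally with a '-dev'/'-rc1' suffix, into a comparable tuple.

    The fourth element is 1 for a final release and 0 for a pre-release, so that
    '10.5.10-dev' sorts strictly below the fixed release 10.5.10.
    """
    core, _, suffix = version.strip().partition("-")
    parts = core.split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Drupal version string: {version!r}")
    parts += ["0"] * (3 - len(parts))  # Drupal 7 uses two-part versions such as 7.103
    return (*(int(p) for p in parts), 0 if suffix else 1)


def assess(version: str, db_driver: str) -> str:
    """Return 'not_exposed', 'patched', 'update_required', 'manual_patch' or 'unlisted_branch'."""
    major, minor, patch, final = parse_version(version)
    if db_driver.lower() not in POSTGRES_DRIVERS:
        return "not_exposed"  # the advisory scopes the bug to PostgreSQL databases
    if major == 7:
        return "not_exposed"  # advisory: Drupal 7 is not affected
    if major in EOL_MANUAL_PATCH_MAJORS:
        return "manual_patch"  # 8.x / 9.x: apply the best-effort manual patch
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        return "unlisted_branch"  # e.g. 10.0-10.3: no fixed release named; upgrade the branch
    return "patched" if (major, minor, patch, final) >= fixed else "update_required"


if __name__ == "__main__":
    # Constructed sample inventory: (site, core version, database driver).
    for site, ver, drv in [("a", "11.3.9", "pgsql"), ("b", "10.4.10", "pgsql"), ("c", "11.3.9", "mysql")]:
        print(site, ver, drv, "->", assess(ver, drv))
```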
