The Drupal Security Team has released an emergency security advisory for a highly critical SQL injection vulnerability affecting Drupal core, tracked as CVE-2026-9082.

While the vulnerability specifically impacts Drupal sites running PostgreSQL databases, the advisory also includes important upstream security updates for Symfony and Twig that apply to all Drupal environments.

This is one of the more significant Drupal core advisories released in recent years and notably, the Drupal Security Team has provided best-effort patches for long end-of-life versions including Drupal 8.9 and Drupal 9 due to the severity of the issue.

What Is the Vulnerability?

Drupal core includes a database abstraction layer designed to ensure database queries are properly sanitised and protected against SQL injection attacks.

According to the advisory, a flaw within this abstraction API allows attackers to craft malicious requests capable of triggering arbitrary SQL injection on affected PostgreSQL-backed Drupal sites.

The vulnerability:

  • Can be exploited anonymously
  • Requires no authentication
  • May allow information disclosure
  • Could lead to privilege escalation
  • May enable remote code execution in certain scenarios

Drupal has classified the issue as “Highly Critical” with a severity score of 20/25.

Which Drupal Versions Are Affected?

The vulnerability affects the following Drupal core versions:

  • = 8.9.0 < 10.4.10

  • = 10.5.0 < 10.5.10

  • = 10.6.0 < 10.6.9

  • = 11.0.0 < 11.1.10

  • = 11.2.0 < 11.2.12

  • = 11.3.0 < 11.3.10

Importantly, the SQL injection component of the vulnerability only impacts sites using PostgreSQL databases.

However, the release also contains coordinated security updates for Symfony and Twig dependencies which may affect all Drupal environments depending on site configuration and installed contributed modules.

Why This Advisory Matters

There are several reasons this advisory deserves immediate attention from organisations running Drupal.

Anonymous Exploitation

The vulnerability can be exploited without authentication, significantly increasing risk exposure for internet-facing Drupal applications.

PostgreSQL-Specific, But Broader Security Implications

While the core SQL injection vulnerability only impacts PostgreSQL environments, the accompanying dependency updates include important upstream security fixes affecting the broader Drupal ecosystem.

Sites using Twig template editing functionality, Views configuration, or contributed modules exposing template management capabilities should review user permissions carefully.

Unsupported Versions Received Patches

Drupal normally does not provide patches for unsupported releases. The decision to provide best-effort fixes for Drupal 8.9 and Drupal 9 highlights the seriousness of the vulnerability.

However, organisations should understand these unsupported versions remain exposed to numerous previously disclosed vulnerabilities and should not be considered secure long-term.

Recommended Actions

1. Update Immediately

Drupal has released patched versions for supported branches:

Drupal 11

  • Update Drupal 11.3.x to 11.3.10
  • Update Drupal 11.2.x to 11.2.12
  • Update Drupal 11.1.x or 11.0.x to 11.1.10

Drupal 10

  • Update Drupal 10.6.x to 10.6.9
  • Update Drupal 10.5.x to 10.5.10
  • Update Drupal 10.4.x or earlier to 10.4.10

Drupal 9 and 8

Drupal has provided manual patches for:

  • Drupal 9.5
  • Drupal 8.9

These are provided on a best-effort basis only.

2. Review Database Infrastructure

Organisations should confirm whether affected Drupal environments utilise PostgreSQL databases and prioritise remediation accordingly.

3. Review Twig Template Permissions

The advisory specifically recommends reviewing which user roles have the ability to modify Twig templates, particularly through:

  • Views
  • Layout Builder
  • Contributed modules
  • Custom administrative tooling

4. Validate Contributed Modules and Custom Code

Security updates affecting Symfony and Twig dependencies may introduce compatibility considerations for custom implementations and contributed modules.

Testing should be prioritised before production deployment where possible.

A Reminder About Lifecycle Management

This advisory also reinforces a broader operational lesson for organisations running Drupal at scale: platform lifecycle management matters.

Several affected versions are already end-of-life and no longer receive official security support. While emergency patches have been provided in this case, organisations relying on unsupported Drupal versions are operating with elevated ongoing risk.

Security posture is no longer just about infrastructure. Application lifecycle governance, dependency management, and proactive upgrade planning are now essential parts of enterprise risk management.

SA-CORE-2026-004 is a strong reminder that modern CMS platforms remain part of an organisation’s active attack surface.

Even where direct exposure may be limited, coordinated upstream dependency vulnerabilities can still create broader operational and security risks.

For organisations running Drupal, now is the time to:

  • Validate affected environments
  • Apply updates urgently
  • Review platform support status
  • Reassess long-term upgrade and security strategies

Get our latest news
and insights delivered
to your inbox___

Contact Newpath Team Today
Back to top