Executive Summary
A highly critical vulnerability (CVE-2026-9082, Drupal risk score 20/25) was disclosed affecting Drupal core versions 8.9.0 through 11.3.9, allowing attackers to execute arbitrary SQL commands via the database abstraction API on PostgreSQL-backed sites. Due to the potential for full data exposure, privilege escalation, and remote code execution, immediate patching is required.
About the Vulnerability: CVE-2026-9082
The issue originates from Drupal core’s database abstraction API, a component designed to sanitize database queries and prevent SQL injection attacks. A flaw in the query sanitization logic leads to insufficient input validation when processing specially crafted requests against PostgreSQL databases. By sending these specially crafted requests, attackers can execute arbitrary SQL statements against the underlying database, potentially extracting all stored data, modifying or deleting records, escalating privileges to administrator level, and in some configurations achieving remote code execution. No authentication is required to exploit this issue, meaning anonymous internet users can attack vulnerable sites directly.
The following Drupal core versions are affected:
- Drupal 8.9.0 through 10.4.9
- Drupal 10.5.0 through 10.5.9
- Drupal 10.6.0 through 10.6.8
- Drupal 11.0.0 through 11.1.9
- Drupal 11.2.0 through 11.2.11
- Drupal 11.3.0 through 11.3.9
Only sites using PostgreSQL as their database backend are affected by the SQL injection vulnerability. Drupal 7 is not affected. However, the security releases also include upstream patches for Symfony and Twig dependencies that address separate vulnerabilities, making the update recommended for all Drupal sites regardless of database backend.
Risk Impact
At the time of writing, no proof-of-concept exploit has been publicly disclosed, and no active exploitation in the wild has been reported. However, the Drupal Security Team explicitly warned that exploits could be developed within hours or days of the advisory's publication. Given that no authentication is required, the full impact on data confidentiality and integrity, and the widespread deployment of Drupal across hundreds of thousands of websites, this vulnerability represents an exceptionally high risk for internet-facing PostgreSQL-backed deployments. Organizations should treat this as an emergency patching priority.
Successful exploitation could allow attackers to extract sensitive data including user credentials and personal information, modify or delete site content and configuration, escalate privileges to gain full administrative control, and potentially achieve remote code execution on the underlying server, leading to service disruption, data exposure, or full infrastructure compromise.
Mitigation Recommendations
Users should upgrade to the following patched versions immediately:
- Drupal 11.3.10
- Drupal 11.2.12
- Drupal 11.1.10
- Drupal 10.6.9
- Drupal 10.5.10
- Drupal 10.4.10
The Drupal Security Team also issued best-effort patches for end-of-life Drupal 8.9 and 9.5 installations, acknowledging that the severity warrants an exception to the usual end-of-life policy. Sites running MySQL or MariaDB are not vulnerable to the SQL injection itself but should still upgrade to receive the Symfony and Twig security fixes.
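To apply the affected and fixed ranges above to a site inventory, here is an added helper (example code written for this page, not from Orca or the Drupal Security Team) that classifies a site by its Drupal core version and database backend. It assumes that for a branch the advisory names no fixed release for (10.0 through 10.3, 11.0, and the end-of-life 8.9 and 9.5 branches) the upgrade target is the next listed fixed release; the status names are this example's own.

```python
from typing import NamedTuple

# Affected ranges as listed in the advisory: (lowest, highest), both inclusive.
AFFECTED_RANGES = [
    ((8, 9, 0), (10, 4, 9)),
    ((10, 5, 0), (10, 5, 9)),
    ((10, 6, 0), (10, 6, 8)),
    ((11, 0, 0), (11, 1, 9)),
    ((11, 2, 0), (11, 2, 11)),
    ((11, 3, 0), (11, 3, 9)),
]
# First fixed release on each branch the advisory names.
FIXED_RELEASES = [(10, 4, 10), (10, 5, 10), (10, 6, 9),
                  (11, 1, 10), (11, 2, 12), (11, 3, 10)]
# End-of-life branches that only received best-effort patches (no release number given).
EOL_BEST_EFFORT = {(8, 9), (9, 5)}


class Finding(NamedTuple):
    status: str      # one of the statuses documented in assess()
    upgrade_to: str  # recommended target release, "" when no action is needed


def parse_version(text: str) -> tuple:
    """'11.3.9' -> (11, 3, 9). A pre-release suffix such as '-rc1' is ignored."""
    core = text.strip().split("-")[0].split(".")
    nums = [int(p) for p in core[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def assess(version: str, backend: str) -> Finding:
    """Classify one site against the advisory.

    'not-affected'           outside every affected range (Drupal 7, or already patched)
    'sqli-exposed'           affected range on PostgreSQL: the SQL injection applies
    'dependency-fixes-only'  affected range, other backend: only Symfony/Twig fixes apply
    'eol-best-effort'        8.9 or 9.5 branch: best-effort patches only (assumption:
                             target shown is the next listed fixed release)
    """
    v = parse_version(version)
    if not any(lo <= v <= hi for lo, hi in AFFECTED_RANGES):
        return Finding("not-affected", "")
    same_branch = [f for f in FIXED_RELEASES if f[:2] == v[:2]]
    target = same_branch[0] if same_branch else min(f for f in FIXED_RELEASES if f > v)
    upgrade_to = ".".join(map(str, target))
    if v[:2] in EOL_BEST_EFFORT:
        return Finding("eol-best-effort", upgrade_to)
    if backend.strip().lower() in ("postgresql", "postgres", "pgsql"):
        return Finding("sqli-exposed", upgrade_to)
    return Finding("dependency-fixes-only", upgrade_to)
```

Run `assess()` over each (version, backend) pair from your asset inventory and triage the `sqli-exposed` results first, since those are the internet-facing PostgreSQL sites the advisory singles out.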
How can Orca help?
Orca enables customers to quickly identify assets running vulnerable Drupal versions, understand their exposure in context (including internet accessibility, runtime reachability, and asset criticality), and prioritize remediation based on real risk rather than CVSS alone. Orca’s platform highlights affected assets directly in the newItem view, helping security teams focus on the most critical remediation paths first.
