
CVE-2026-9082 – Drupal Core SQL Injection


CVE-2026-9082 is a highly critical SQL injection vulnerability in Drupal core’s database abstraction API, specifically in the PostgreSQL EntityQuery condition handler. An unauthenticated, remote attacker can exploit this vulnerability by sending specially crafted requests to a vulnerable Drupal site running on PostgreSQL.

Affected Versions

The vulnerability affects Drupal core versions 8.9.0 through 11.3.9. Drupal 7 is not affected. Only sites using PostgreSQL as their database backend are exposed to the SQL injection; MySQL, MariaDB and SQLite sites do not reach the vulnerable code path (but see the note on scope below).

Fixed versions: 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, and 11.3.10. No fixed release exists for branches not in that list: the 8.x and 9.x series are end of life, and an unlisted 10.x or 11.x minor will not receive a patch either, so sites on those branches must upgrade to one of the fixed releases rather than wait for a point release.
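An added triage helper (my own example, not code from the advisory or from Drupal) that applies the affected and fixed versions above, together with the database-driver caveat, to an inventory of sites. It expects the values of `\Drupal::VERSION` and `\Drupal::database()->driver()` for each site (the same information appears as the Drupal version and DB driver lines of `drush status`); the host names and versions in the inventory are constructed.

```php
<?php
// Added example, not from the advisory or Drupal core. Classifies a site by
// core version and database driver using the affected/fixed versions quoted
// above. Function and constant names are hypothetical.
declare(strict_types=1);

// Fixed release per minor branch, as listed in the advisory summary.
const FIXED_VERSIONS = [
    '10.4' => '10.4.10',
    '10.5' => '10.5.10',
    '10.6' => '10.6.9',
    '11.1' => '11.1.10',
    '11.2' => '11.2.12',
    '11.3' => '11.3.10',
];
const FIRST_AFFECTED = '8.9.0';
const LAST_AFFECTED  = '11.3.9';

/**
 * Returns ['sqli_exposed' => bool, 'needs_update' => bool, 'action' => string].
 * $driver is Drupal's driver name: 'pgsql', 'mysql' or 'sqlite'.
 */
function triage(string $coreVersion, string $driver): array
{
    // Drupal 7 versions look like "7.103"; 8+ look like "11.3.9" (maybe "-dev").
    if (!preg_match('/^(\d+)\.(\d+)(?:\.(\d+))?/', $coreVersion, $m)) {
        throw new InvalidArgumentException("Unrecognised core version: $coreVersion");
    }
    $branch = $m[1] . '.' . $m[2];
    // The SQL injection is only reachable through the PostgreSQL driver, but
    // every affected site still needs the release for the Symfony/Twig fixes.
    $exposedDriver = ($driver === 'pgsql');

    // Drupal 7 and 8.x before 8.9.0 are outside the affected range.
    if (version_compare($coreVersion, FIRST_AFFECTED, '<')) {
        return ['sqli_exposed' => false, 'needs_update' => false,
                'action' => 'outside affected range (pre-8.9.0)'];
    }

    if (isset(FIXED_VERSIONS[$branch])) {
        $fixed = FIXED_VERSIONS[$branch];
        if (version_compare($coreVersion, $fixed, '>=')) {
            return ['sqli_exposed' => false, 'needs_update' => false,
                    'action' => "already on fixed release ($fixed or later)"];
        }
        return ['sqli_exposed' => $exposedDriver, 'needs_update' => true,
                'action' => ($exposedDriver ? 'URGENT: ' : '') . "update to $fixed"];
    }

    // Newer than anything the advisory lists (e.g. a later 11.x minor).
    if (version_compare($coreVersion, LAST_AFFECTED, '>')) {
        return ['sqli_exposed' => false, 'needs_update' => false,
                'action' => 'newer than the listed range; confirm against the advisory'];
    }

    // 8.x, 9.x, or a 10.x/11.x minor with no fixed release: no patch is
    // coming for this branch, so the site has to move to a listed one.
    return ['sqli_exposed' => $exposedDriver, 'needs_update' => true,
            'action' => ($exposedDriver ? 'URGENT: ' : '')
                      . "branch $branch has no fixed release; upgrade to a listed branch"];
}

// Constructed inventory (hypothetical hosts) run through the check.
$inventory = [
    ['www.example.org',  '11.3.9',  'pgsql'],   // vulnerable and exposed
    ['intranet.example', '10.4.9',  'mysql'],   // not exposed to SQLi, still update
    ['legacy.example',   '9.5.11',  'pgsql'],   // EOL branch, no fix, exposed
    ['new.example',      '11.3.10', 'pgsql'],   // already patched
    ['old.example',      '7.103',   'mysql'],   // Drupal 7, not affected
];
foreach ($inventory as [$host, $version, $driver]) {
    $r = triage($version, $driver);
    printf("%-18s %-8s %-6s sqli=%-3s update=%-3s %s\n", $host, $version, $driver,
        $r['sqli_exposed'] ? 'YES' : 'no', $r['needs_update'] ? 'yes' : 'no', $r['action']);
}
```

The driver check matters in both directions: a PostgreSQL site on an affected version is the emergency case, but a MySQL site on the same version is still flagged for update because the release bundles the Symfony and Twig fixes.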

Exploitation Mechanics

The vulnerability affects the PostgreSQL implementation of Drupal's query building process. In affected code paths, specially crafted requests can cause attacker-controlled PHP array keys to influence certain SQL query conditions. This differs from a typical SQL injection, where an attacker injects malicious content into a parameter value: here the issue is how parts of the query structure are assembled. That distinction is why parameter binding alone does not help; placeholders protect values, not the field names and operators that the keys end up controlling.

The condition handler does not sufficiently validate these keys before they are placed into the query, so a specially crafted request can turn them into arbitrary SQL executed against the underlying database. The consequences range from extracting all stored data, through modifying or deleting records and escalating privileges to administrator level, to remote code execution in some configurations.
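As an added illustration (my own example, not Drupal core's code and not the actual vulnerable code path), the PHP toy condition builder below shows the bug class described above: values are bound with placeholders, yet the array keys that name the fields are spliced straight into the SQL, so a classic value-based payload fails while a crafted key succeeds. The hardened variant allowlists field names against the queried table. Function names, the placeholder scheme, the table and the inputs are hypothetical.

```php
<?php
// Added example, not Drupal core code. Models the pattern "attacker-controlled
// array keys become part of the SQL condition structure". Names are hypothetical.
declare(strict_types=1);

/**
 * VULNERABLE pattern: each array KEY is used as a column name without
 * validation. Values are bound, so `?name=' OR 1=1--` does nothing, but a
 * payload in the key lands in the query text.
 */
function buildWhereVulnerable(array $conditions): array
{
    $clauses = [];
    $args = [];
    $i = 0;
    foreach ($conditions as $field => $value) {
        $placeholder = ':v' . $i++;
        $clauses[] = "$field = $placeholder";   // key interpolated verbatim
        $args[$placeholder] = $value;           // value correctly bound
    }
    return [
        'sql'  => 'SELECT uid FROM users_field_data WHERE ' . implode(' AND ', $clauses),
        'args' => $args,
    ];
}

/**
 * HARDENED: a key is only accepted if it names a known column of the table
 * being queried; anything else is rejected instead of being spliced in.
 * The identifier is additionally quoted the PostgreSQL way.
 */
function buildWhereHardened(array $conditions, array $allowedFields): array
{
    $clauses = [];
    $args = [];
    $i = 0;
    foreach ($conditions as $field => $value) {
        if (!is_string($field) || !in_array($field, $allowedFields, true)) {
            throw new InvalidArgumentException(
                'Unknown field in condition: ' . var_export($field, true));
        }
        $placeholder = ':v' . $i++;
        $clauses[] = '"' . str_replace('"', '""', $field) . '" = ' . $placeholder;
        $args[$placeholder] = $value;
    }
    return [
        'sql'  => 'SELECT uid FROM users_field_data WHERE ' . implode(' AND ', $clauses),
        'args' => $args,
    ];
}

// Constructed inputs: decoded request parameters as PHP arrays. In the
// second one the payload sits in the KEY, not the value.
$allowed = ['uid', 'name', 'mail', 'status'];
$benign  = ['name' => 'alice'];
$crafted = ['1=1 OR name' => 'alice'];

foreach (['benign' => $benign, 'crafted' => $crafted] as $label => $input) {
    echo "--- $label input ---", PHP_EOL;
    echo 'vulnerable: ', buildWhereVulnerable($input)['sql'], PHP_EOL;
    try {
        echo 'hardened:   ', buildWhereHardened($input, $allowed)['sql'], PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'hardened:   rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

For the crafted input the vulnerable builder emits `WHERE 1=1 OR name = :v0`, a condition that matches every row even though the value `alice` is still safely bound; the hardened builder refuses the key. The real fix in Drupal core is of course specific to its condition handler, but the defensive principle is the same: identifiers and operators that come from the request must be validated against a fixed set, because placeholders cannot protect them.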

Active Exploitation Status

The advisory for CVE-2026-9082 was updated on May 22, two days after the patch was released, to confirm active exploitation. Imperva observed over 15,000 attack attempts against almost 6,000 individual sites across 65 countries. Gaming and financial services sites together account for almost 50% of the attempts; the breadth of the activity suggests that attackers and scanners are primarily sweeping for exposed Drupal sites running vulnerable PostgreSQL-backed configurations.

Attack Chain

An unauthenticated attacker uses the SQL injection to gain initial access; escalates privileges by manipulating database entries (such as user and role records) to grant an account administrative access; moves laterally to other systems and databases reachable from the site; establishes a command-and-control channel for persistent access; and exfiltrates sensitive data to external servers.

Important Note on Scope

The security releases also include upstream patches for Symfony and Twig dependencies that address separate vulnerabilities, making the update recommended for all Drupal sites regardless of database backend.

Remediation

Patch immediately to a fixed version. Drupal issued a public service announcement (PSA-2026-05-18) on May 18, warning administrators to prepare for a highly critical release and cautioning that exploitation could occur “within hours or days” of disclosure. That window has now closed; exploitation is active. A PostgreSQL-backed site that was reachable from the internet between the release and patching should be treated as potentially compromised: at a minimum, review user accounts and role assignments for unexpected administrators, since database-level privilege escalation is the first step of the attack chain above.

Priority remediation targets: any public-facing Drupal site on PostgreSQL. Government, higher education, media, and enterprise deployments carry the highest blast radius.
