
Drupal has pushed emergency security updates for a highly critical SQL injection vulnerability in its core database abstraction layer — the kind of flaw that lets an unauthenticated attacker walk straight into your database without needing a username or password.
The vulnerability, tracked as CVE-2026-9082 and disclosed under advisory SA-CORE-2026-004, scores 20 out of 25 on Drupal's risk scale. That "Highly Critical" rating isn't an exaggeration: the scoring breakdown shows zero access complexity, no authentication required, and full confidentiality and integrity impact — meaning an attacker can read everything and modify anything.
What's broken and why
Drupal's database abstraction API is supposed to act as a safety net — a layer between PHP code and the database that automatically sanitizes queries to block injection attacks. But a flaw in this API allows specially crafted HTTP requests to slip past that sanitization entirely, enabling arbitrary SQL to execute directly against the database.
The vulnerability only affects sites running PostgreSQL databases, not MySQL or MariaDB backends. That's a narrowing factor, but PostgreSQL is common among enterprise Drupal deployments — government portals, university sites, and large media organizations frequently run it for performance and compliance reasons.
The consequences of successful exploitation range from data exfiltration (leaking user records, private content, credentials) to privilege escalation and, in some configurations, remote code execution — full server takeover.
Broader blast radius: Symfony and Twig
The patches do more than fix the SQL injection. The releases for all supported branches also bundle upstream security updates for Symfony and Twig, two PHP libraries that Drupal depends on heavily.
Drupal's advisory explicitly warns that depending on your site's configuration and installed modules, you may be independently vulnerable to those upstream issues — even if PostgreSQL isn't in the picture. All sites should update regardless.
The advisory specifically recommends reviewing which user roles have the ability to update Twig templates, for example through Views or contributed modules — a Twig template injection path could compound the risk significantly.
Who is affected and what to do
Every supported Drupal branch is in scope: Drupal 10.4 through 11.3. The Drupal Security Team went further and issued best-effort patches for end-of-life Drupal 8 and 9 installations, acknowledging the severity warrants the exception — though those patches come without guarantees and those sites remain exposed to prior unpatched vulnerabilities.
Patched versions are:
- Drupal 11: 11.3.10, 11.2.12, 11.1.10
- Drupal 10: 10.6.9, 10.5.10, 10.4.10
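To turn the patched-version list above, together with the PostgreSQL-only scope of the SQL injection, into a check an administrator can run against a site's own deployment metadata, here is an added example in Python. It is not Drupal's code and not part of the advisory. It assumes the `drupal-version` and `db-driver` keys as emitted by `drush core:status --format=json` (an assumption about that tool's output); the sample JSON below is constructed. Because the page does not list version numbers for the best-effort Drupal 8 and 9 patches, branches older than 10.4 are reported as end-of-life rather than compared against an invented threshold.

```python
import json
import re

# Patched releases from SA-CORE-2026-004 as listed above, keyed by
# (major, minor) branch -> minimum patch level that carries the fix.
PATCHED_BY_BRANCH = {
    (11, 3): 10, (11, 2): 12, (11, 1): 10,
    (10, 6): 9, (10, 5): 10, (10, 4): 10,
}

# Supported branches span 10.4 through 11.3; anything older is end-of-life.
OLDEST_SUPPORTED = (10, 4)


def parse_version(version):
    """Split 'MAJOR.MINOR.PATCH' (optional '-suffix' ignored) into a tuple of ints."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-.*)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def assess(version, db_driver):
    """Classify a site as patched / unpatched / end-of-life / unknown and list follow-ups."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    findings = []

    if branch < OLDEST_SUPPORTED:
        status = "end-of-life"
        findings.append("branch is end-of-life: only best-effort patches exist and "
                        "earlier unpatched flaws remain")
    elif branch in PATCHED_BY_BRANCH:
        if patch >= PATCHED_BY_BRANCH[branch]:
            status = "patched"
        else:
            status = "unpatched"
            findings.append(f"update to {major}.{minor}.{PATCHED_BY_BRANCH[branch]} or later")
    else:
        status = "unknown"
        findings.append("branch not listed in the advisory; check its release notes")

    # The SQL injection only reaches PostgreSQL-backed sites, but the bundled
    # Symfony and Twig fixes apply to every backend, so nobody gets a pass.
    if status != "patched":
        if db_driver == "pgsql":
            findings.append("PostgreSQL backend: exposed to the CVE-2026-9082 SQL injection")
        else:
            findings.append("not PostgreSQL, but the bundled Symfony/Twig fixes still apply")

    return {"version": version, "db_driver": db_driver,
            "status": status, "findings": findings}


def assess_from_drush_status(status_json):
    """Feed the JSON from `drush core:status --format=json` (assumed key names) into assess()."""
    info = json.loads(status_json)
    return assess(info["drupal-version"], info.get("db-driver", "unknown"))


# Constructed sample, not real drush output: a 10.5 site one release behind, on PostgreSQL.
SAMPLE_STATUS = json.dumps({"drupal-version": "10.5.9", "db-driver": "pgsql"})

if __name__ == "__main__":
    print(json.dumps(assess_from_drush_status(SAMPLE_STATUS), indent=2))
```

Run it on a fleet by piping each site's `drush core:status --format=json` into `assess_from_drush_status`; a `status` of anything other than `patched` is an action item, and the `findings` list says whether the site is in the SQL-injection blast radius or only needs the Symfony/Twig updates.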
Sites using Drupal Steward (Drupal's WAF-based protection service) are already shielded from known attack vectors, but should still upgrade promptly in case additional exploitation paths surface.
Two days before release, the Drupal Security Team issued an advance public notice — rare, and a signal of how seriously they treated this. The team explicitly warned that "exploits might be developed within hours or days" of the advisory going public, urging administrators to reserve time the same day patches dropped.
If your Drupal site runs PostgreSQL and hasn't been updated yet, that window is closing fast. Update now.