Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks

Drupal has released urgent security updates to address a highly critical vulnerability that could allow attackers to execute malicious code, escalate privileges, or access sensitive information on affected websites.

The flaw, identified as CVE-2026-9082, impacts Drupal Core installations using PostgreSQL databases and has raised serious concerns across the cybersecurity community.

SQL Injection Flaw Creates Major Security Risk

According to Drupal’s security advisory, the vulnerability exists within a database abstraction API responsible for validating and sanitizing database queries against SQL injection attacks.

Security researchers warned that attackers could exploit the weakness by sending specially crafted requests to vulnerable systems.

If successfully exploited, the flaw could lead to:

• Arbitrary SQL injection
• Unauthorized access to sensitive data
• Privilege escalation
• Remote code execution (RCE)
• Full website compromise in severe cases

The issue reportedly affects sites using PostgreSQL as their database backend, while Drupal 7 installations are not impacted.

Anonymous Attackers Could Exploit Vulnerability

Drupal confirmed the flaw can be exploited remotely by anonymous users without authentication, significantly increasing the threat level for publicly accessible websites.

The vulnerability carries a CVSS severity score of 6.5, though experts warn the practical impact may be far more severe depending on server configuration and permissions.

Cybersecurity analysts say PostgreSQL-powered Drupal environments are especially vulnerable if administrators delay patching systems.

Security Updates Released for Supported Versions

Drupal has released patched versions to address the vulnerability across supported branches, including:

• Drupal 11.3.10
• Drupal 11.2.12
• Drupal 11.1.10
• Drupal 10.6.9
• Drupal 10.5.10
• Drupal 10.4.10

The updates also include upstream security fixes for Symfony and Twig components, making immediate upgrades highly recommended.

Unsupported Drupal Versions Receive Emergency Patches

Although Drupal 8 and Drupal 9 have reached end-of-life status, Drupal released manual emergency patches on a best-effort basis for:

• Drupal 9.5
• Drupal 8.9

The organization warned that unsupported versions may still contain previously disclosed vulnerabilities and no longer receive regular security coverage.

Drupal also reiterated that versions 11.0.x, 10.4.x, and older unsupported releases remain exposed to additional security risks.

Website Administrators Urged to Patch Immediately

Security experts are advising organizations, developers, and hosting providers running Drupal with PostgreSQL databases to update systems immediately.

The incident highlights the growing importance of rapid patch management as attackers increasingly target widely used content management systems and open-source platforms.

Cybersecurity teams are also being encouraged to review server logs, monitor for suspicious database activity, and restrict unnecessary database permissions to reduce the risk of exploitation.