Critical Drupal SQL bug allows RCE on PostgreSQL sites
Drupal released patches for CVE-2026-9082, an SQL-injection in its database API that can allow anonymous attackers to achieve remote code execution, privilege escalation or data disclosure on PostgreSQL sites.
Drupal released security updates for CVE-2026-9082, an SQL-injection vulnerability in a database abstraction API used by Drupal Core. The flaw can let anonymous attackers inject arbitrary SQL on sites using PostgreSQL, which in some cases can lead to information disclosure, privilege escalation or remote code execution. CVE.org assigns the issue a CVSS score of 6.5 out of 10.
The vulnerability occurs in the API that validates and sanitizes queries before they reach the database. Specially crafted requests can bypass those checks on PostgreSQL databases, so that insufficiently constrained input travels through that API path and is executed as arbitrary SQL.
Only installations that use PostgreSQL are affected, and anonymous users can exploit the flaw. Drupal published patched releases for supported branches: Drupal 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10 and 10.4.10. Drupal 7 is not affected.
For versions no longer officially supported, manual patches are available for Drupal 9.5 and Drupal 8.9. The advisory notes older series such as Drupal 11.1.x, 11.0.x and 10.4.x and below are end-of-life and do not receive security coverage. Patches for unsupported releases are provided on a best-effort basis and those releases may still contain other previously disclosed vulnerabilities.
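A quick way to turn the version list above into a repeatable check is to compare a site's Drupal release and database driver against the fixed releases the advisory names. The script below is an added example, not Drupal's code or part of the advisory; it assumes the standard `$databases` array in `settings.php` (where PostgreSQL is identified by the driver value `pgsql`) and uses constructed version strings and settings snippets as sample input. Branches below 10.4.x with no listed fixed release are reported as needing an upgrade, matching the advisory's end-of-life note.

```python
"""Assess exposure to CVE-2026-9082 from a Drupal version and settings.php.

Added example (not Drupal's code). Encodes the facts in the advisory summary:
only PostgreSQL-backed sites are exposed; fixed releases are 11.3.10, 11.2.12,
11.1.10, 10.6.9, 10.5.10 and 10.4.10; Drupal 7 is not affected; Drupal 9.5 and
8.9 have manual patches only. All sample inputs below are constructed.
"""
import re
from typing import Optional, Tuple

# Fixed release per supported branch, keyed by (major, minor).
FIXED_RELEASES = {
    (11, 3): (11, 3, 10),
    (11, 2): (11, 2, 12),
    (11, 1): (11, 1, 10),
    (10, 6): (10, 6, 9),
    (10, 5): (10, 5, 10),
    (10, 4): (10, 4, 10),
}
# Unsupported branches for which the advisory offers a manual patch only.
MANUAL_PATCH_BRANCHES = {(9, 5), (8, 9)}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH][-suffix]' (Drupal 7 uses two components)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:[-+].*)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def database_driver(settings_php: str) -> Optional[str]:
    """Extract the 'driver' value from the $databases array in settings.php."""
    m = re.search(r"['\"]driver['\"]\s*=>\s*['\"](\w+)['\"]", settings_php)
    return m.group(1) if m else None


def assess(version: str, settings_php: str) -> str:
    """Return a one-line verdict: not affected / patched / vulnerable / manual patch."""
    driver = database_driver(settings_php)
    if driver is None:
        return "unknown: no 'driver' key found in settings.php"
    if driver != "pgsql":
        return f"not affected: database driver is {driver}; only PostgreSQL sites are exposed"
    major, minor, patch = parse_version(version)
    if major == 7:
        return "not affected: Drupal 7 is not affected"
    if (major, minor) in MANUAL_PATCH_BRANCHES:
        return f"manual patch required: Drupal {major}.{minor} is unsupported; apply the published manual patch"
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        return f"vulnerable: Drupal {major}.{minor}.x has no fixed release; upgrade to a supported branch"
    fixed_str = ".".join(map(str, fixed))
    if (major, minor, patch) >= fixed:
        return f"patched: {version} is at or above {fixed_str}"
    return f"vulnerable: upgrade to {fixed_str} or later"


# Constructed sample settings.php fragments for demonstration.
PGSQL_SETTINGS = """
$databases['default']['default'] = array(
  'database' => 'drupal',
  'username' => 'drupal',
  'password' => 'example-placeholder',
  'host' => 'localhost',
  'driver' => 'pgsql',
);
"""
MYSQL_SETTINGS = PGSQL_SETTINGS.replace("'pgsql'", "'mysql'")

if __name__ == "__main__":
    for v in ("11.3.9", "11.3.10", "10.3.5", "9.5.11", "7.98"):
        print(f"{v:>8} / pgsql -> {assess(v, PGSQL_SETTINGS)}")
    print(f"  11.3.9 / mysql -> {assess('11.3.9', MYSQL_SETTINGS)}")
```

Run it against the site's actual `settings.php` and the output of `drush status` (or the version in `core/lib/Drupal.php`); a `vulnerable` verdict means the site should be taken to the listed fixed release, and `manual patch required` means the advisory's manual patch is the only option short of upgrading the branch.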
The updated releases for currently supported branches also include upstream security fixes for Symfony and Twig, and the advisory advises administrators to install the latest versions to receive those fixes.
Drupal’s disclosure does not report active exploitation of the vulnerability at the time of the advisory. Site operators running Drupal with PostgreSQL should review their installations and apply the published updates or available manual patches. Administrators running end-of-life branches are advised to plan upgrades to supported releases.