Fix Soon

CVE-2026-9082

SQL Injection in Drupal core
Loading...

Summary

Drupal core's PostgreSQL entity query handling lets attacker-controlled array keys become SQL placeholder names. An unauthenticated attacker can reach the bug through /user/login?_format=json or JSON:API filter requests on affected PostgreSQL-backed sites, turning crafted input into unsafe SQL. Successful exploitation can expose or modify data and may be chained into remote code execution; Drupal says exploit attempts are being detected in the wild.

Why Fix Soon?

5/6
No authentication required
Commonly internet-facing deployment
No user interaction needed
Not exploitable in default configuration
Active exploitation in the wild
High impact vulnerability

Exploitation Details

Type
SQLi (SQL Injection)
Is exploitable with default configuration?
No
Is authentication needed?
No
PoC / Exploit
Yes
Impact

Execute arbitrary SQL on the PostgreSQL backend, exposing or modifying data and potentially enabling remote code execution.

RCE (Remote Code Execution)
Exploitation Requirements
  • PostgreSQL database backend configured
Exploitation Process

An attacker sends a crafted request to a Drupal endpoint that feeds user-controlled data into an entity query, such as /user/login?_format=json or a JSON:API filter route. The payload uses an array value with a malicious key so Drupal copies that key into the PostgreSQL placeholder name during query construction. On vulnerable sites, PostgreSQL executes the malformed SQL or returns a distinctive database error, which can be used to confirm the flaw and, with iterative probes, read data through blind conditions.

Detection Resources
Manual Detection
2
Script Detection
1
Scanner Detection
1

Affected Software

Vendor:Drupal
ProductAffected Versions
Drupal core8.9.0 through 10.4.9, 10.5.0 through 10.5.9, 10.6.0 through 10.6.8, 11.0.0 through 11.1.9, 11.2.0 through 11.2.11, 11.3.0 through 11.3.9
Description

Drupal core is the open-source content management system used to build and run websites, portals, and web applications.

Deployment:Commonly internet-facing
|
Protocol:HTTPS
|
Ports:80, 443
Affected ComponentPostgreSQL-specific entity query condition translation in Drupal core's database abstraction layer, including array-valued filter handling.

PostgreSQL-specific entity query condition translation in Drupal core's database abstraction layer, including array-valued filter handling.

Affected Endpoints(2)/user/login?_format=json, /jsonapi/node/{bundle}…
1./user/login?_format=json
2./jsonapi/node/{bundle}
Enterprise UsageEstimated likelihood that this vendor/product is deployed in enterprise environments. AI-generated estimation based on market presence, product type and adoption signals — not exact data.
Very Low
Low
Medium
High
Very High
Vendor Size:Medium
Remediation
Workaround

Not available

Patch
For Drupal 9.5 or 8.9 installations, apply the manual patch linked from SA-CORE-2026-004; supported branches should upgrade to the fixed release instead.

For Drupal 9.5 or 8.9 installations, apply the manual patch linked from SA-CORE-2026-004; supported branches should upgrade to the fixed release instead.

www.drupal.org
Update
Upgrade Drupal core to 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, or 10.4.10 depending on your branch; Drupal 9.5 and 8.9 require manual patches.

Upgrade Drupal core to 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, or 10.4.10 depending on your branch; Drupal 9.5 and 8.9 require manual patches.

www.drupal.org
Threat Intelligence
EPSS Score12.6%

Probability of exploitation in the next 30 days

EPSS Percentile94%

Worse than 94% of all CVEs

Last updated: Loading...
CISAKEV
CISA KEV
Listed
Loading...
Active Exploitation
Active
drupal.org
Threat Actors

No known threat actors

Detection Rules2
Other
Alert on Drupal JSON:API requests to /jsonapi/node/* with bracketed filter keys containing `||(`, quotes, or backticks, especially when the response is HTTP 500 or logs contain SQLSTATE[HY093].
Other
Alert on POST /user/login?_format=json requests that return HTTP 500 with SQLSTATE[HY093] or SQLSTATE[22012], or Drupal database exception text showing malformed placeholders.

NVD Data

Published: Loading...Modified: Loading...

Description Summary

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.

CVSS Base Score

6.5
Medium

CVSS Vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Attack Vector (AV)
Physical
Local
Adjacent
Network
Attack Complexity (AC)
High
Low
Privileges Required (PR)
High
Low
None
User Interaction (UI)
Required
None
Scope (S)
Unchanged
Changed
Confidentiality (C)
None
Low
High
Integrity (I)
None
Low
High
Availability (A)
None
Low
High
CWE:CWE-89 SQL Injection (SQLi)CWE-89 SQL Injection (SQLi)
||
Version From:
|
Version Upto: