
Tags: security, drupal, vulnerability, web, cms

Drupal CVE-2026-9082: Critical SQL Injection Under Active Attack Across Thousands of Sites

Source: Security Affairs

Drupal published security advisory SA-CORE-2026-004 on May 20, 2026, disclosing CVE-2026-9082, a highly critical SQL injection vulnerability in the Drupal core database abstraction API. The flaw affects sites running Drupal 8.9.0 and later, up to and including the current 11.3.9 release, but only on PostgreSQL-backed deployments; MySQL and MariaDB installations are not affected. Drupal rates the issue "highly critical", the top tier of its security risk scale, because it is exploitable by an unauthenticated remote attacker.

The mechanics are straightforward. An attacker sends a specially crafted, unauthenticated HTTP request to a vulnerable site. The database abstraction layer does not properly sanitise part of that input before building a SQL query, so attacker-controlled SQL runs against the PostgreSQL database. Depending on the privileges of the database role Drupal connects with and on the server configuration, the outcome ranges from information disclosure, through privilege escalation to an administrator account on the site, to remote code execution. Researchers at Orca Security have confirmed that sites where PostgreSQL is running as a privileged user face the highest RCE risk. The reason is specific to PostgreSQL: a superuser role, or one granted the predefined pg_execute_server_program role, can run operating-system commands on the database host through COPY ... TO/FROM PROGRAM, which is the usual step from SQL injection to code execution.
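The privilege review that determines which of those outcomes applies to a given site can be scripted. The following is an added example (not Drupal's or Orca's code): it runs a catalogue query against pg_roles and pg_auth_members, classifies the worst case an injection could reach through that role, and emits the ALTER/REVOKE statements that reduce it to what Drupal actually needs. The role name "drupal" and the sample rows are constructed for illustration; use the 'username' from your settings.php.

```python
"""Audit the PostgreSQL role that a Drupal site connects with.

Added example, not Drupal or Orca code. The role name "drupal" and the
sample rows below are constructed; take the real name from the 'username'
key in settings.php. Run AUDIT_SQL with
    psql -At -v role=drupal -f audit.sql
and pass the single output row to parse_psql_row().
"""

# Predefined roles (PostgreSQL 11+) that let any SQL-level attacker run
# commands or read/write files on the database host.
SERVER_ACCESS_ROLES = frozenset({
    "pg_execute_server_program",
    "pg_read_server_files",
    "pg_write_server_files",
})

# :'role' is a psql variable; pg_auth_members lists the groups a role belongs to.
AUDIT_SQL = """
SELECT r.rolname, r.rolsuper, r.rolcreaterole, r.rolcreatedb, r.rolbypassrls,
       ARRAY(SELECT g.rolname
             FROM pg_auth_members am JOIN pg_roles g ON g.oid = am.roleid
             WHERE am.member = r.oid) AS memberships
FROM pg_roles r
WHERE r.rolname = :'role';
"""


def parse_psql_row(line):
    """Parse one 'psql -At' row: booleans print as t/f, arrays as {a,b}."""
    name, sup, crole, cdb, brls, arr = line.strip().split("|")
    members = [m for m in arr.strip("{}").split(",") if m]
    return {
        "name": name,
        "superuser": sup == "t",
        "createrole": crole == "t",
        "createdb": cdb == "t",
        "bypassrls": brls == "t",
        "memberships": frozenset(members),
    }


def assess_role(role):
    """Return (worst_outcome, findings) for an injection reaching this role.

    Even a minimal role lets an attacker write Drupal's own tables (for
    example the users table), so the floor is site takeover; superuser or
    the server-access roles raise it to code execution on the database host.
    """
    findings = []
    worst = "site takeover (arbitrary writes to Drupal's tables)"
    if role["superuser"]:
        findings.append("SUPERUSER: COPY ... TO/FROM PROGRAM runs OS commands as the postgres user")
        worst = "remote code execution on the database host"
    if "pg_execute_server_program" in role["memberships"]:
        findings.append("pg_execute_server_program: COPY ... PROGRAM allowed without superuser")
        worst = "remote code execution on the database host"
    for g in sorted(role["memberships"] & {"pg_read_server_files", "pg_write_server_files"}):
        findings.append(f"{g}: file read/write on the database host via COPY")
    if role["createrole"]:
        findings.append("CREATEROLE: can create further roles and widen access")
    if role["createdb"]:
        findings.append("CREATEDB: unnecessary for a web application role")
    if role["bypassrls"]:
        findings.append("BYPASSRLS: row-level security policies do not apply")
    return worst, findings


def remediation_sql(role):
    """Statements that reduce the role to what Drupal needs: ownership of
    its own tables and nothing cluster-wide."""
    name = '"' + role["name"].replace('"', '""') + '"'
    stmts = []
    if role["superuser"]:
        stmts.append(f"ALTER ROLE {name} NOSUPERUSER;")
    if role["createrole"]:
        stmts.append(f"ALTER ROLE {name} NOCREATEROLE;")
    if role["createdb"]:
        stmts.append(f"ALTER ROLE {name} NOCREATEDB;")
    if role["bypassrls"]:
        stmts.append(f"ALTER ROLE {name} NOBYPASSRLS;")
    for g in sorted(role["memberships"] & SERVER_ACCESS_ROLES):
        stmts.append(f"REVOKE {g} FROM {name};")
    return stmts


if __name__ == "__main__":
    # Constructed rows: an over-privileged role, a file-access role, a minimal one.
    for line in ("drupal|t|f|t|f|{}",
                 "drupal|f|f|f|f|{pg_read_server_files}",
                 "drupal|f|f|f|f|{}"):
        role = parse_psql_row(line)
        worst, findings = assess_role(role)
        print(line, "->", worst)
        for f in findings:
            print("  -", f)
        for s in remediation_sql(role):
            print("  fix:", s)
```

Drupal only needs to own its schema objects; none of the cluster-level attributes above are required for the site to run, so the remediation statements can be applied on a live system. This narrows the impact of an injection; it does not remove the vulnerability, and the core patch is still required.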

Active exploitation began unusually quickly, even by current standards. Imperva reported more than 15,000 exploitation attempts against nearly 6,000 sites in 65 countries within the first two days after the advisory went public. The attacks are automated and scan broadly rather than targeting specific organisations, which means unpatched sites are not waiting in a queue behind larger targets; they are already receiving requests.

Patched versions are available for every currently supported release line: Drupal 10.4 should move to 10.4.11, 10.5 to 10.5.11, 10.6 to 10.6.10, 11.1 to 11.1.11, 11.2 to 11.2.13, and 11.3 to 11.3.10. Release lines not in that list, including Drupal 8.9 and earlier, no longer receive security coverage and will not get a fix; sites on those versions should treat the situation as urgent and plan the platform upgrade to a supported line as the patch, rather than waiting for one that will not come.
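For a fleet of sites, the version comparison is worth automating rather than eyeballing. The following added example (not Drupal's own tooling) reads the core release from core/lib/Drupal.php, reads the database driver from settings.php (Drupal's PostgreSQL driver key is 'pgsql'), and maps the result onto the fixed releases listed above; the file snippets in it are constructed samples.

```python
"""Triage a Drupal install against SA-CORE-2026-004 from files on disk.

Added example; not Drupal's own tooling. It reads the core version from
core/lib/Drupal.php and the database driver from settings.php, then maps the
version onto the fixed releases listed for the advisory. The file snippets
in __main__ are constructed samples.
"""
import re

FIRST_AFFECTED = (8, 9, 0)
# Fixed release per supported line, as published for SA-CORE-2026-004.
FIXED = {
    (10, 4): (10, 4, 11),
    (10, 5): (10, 5, 11),
    (10, 6): (10, 6, 10),
    (11, 1): (11, 1, 11),
    (11, 2): (11, 2, 13),
    (11, 3): (11, 3, 10),
}
OLDEST_SUPPORTED = min(FIXED)


def parse_version(text):
    """'10.4.9' -> (10, 4, 9); a '-dev' or '-rc1' suffix is ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Drupal version: {text!r}")
    return tuple(int(x) for x in m.groups())


def version_from_drupal_php(source):
    """core/lib/Drupal.php carries the release as `const VERSION = '...';`."""
    m = re.search(r"const\s+VERSION\s*=\s*'([^']+)'", source)
    if not m:
        raise ValueError("no VERSION constant found")
    return m.group(1)


def driver_from_settings(source):
    """Return the first 'driver' key in settings.php (the default connection
    on a typical single-database site), or None if absent."""
    m = re.search(r"['\"]driver['\"]\s*=>\s*['\"]([A-Za-z0-9_]+)['\"]", source)
    return m.group(1) if m else None


def triage(version_text, driver):
    """Return (status, action); status is one of
    not_affected / patched / vulnerable / unsupported / unknown_line."""
    v = parse_version(version_text)
    if driver != "pgsql":
        return "not_affected", f"database driver is {driver!r}; only PostgreSQL sites are affected"
    if v < FIRST_AFFECTED:
        return "not_affected", "older than 8.9.0"
    line = v[:2]
    fixed = FIXED.get(line)
    if fixed is None:
        if line < OLDEST_SUPPORTED:
            return "unsupported", "no fix for this release line; upgrade to a supported line now"
        return "unknown_line", "release line not in the advisory's fix list; check SA-CORE-2026-004"
    if v >= fixed:
        return "patched", f"{'.'.join(map(str, v))} already includes the fix"
    return "vulnerable", f"upgrade to {'.'.join(map(str, fixed))}"


if __name__ == "__main__":
    # Constructed file fragments standing in for a real docroot.
    DRUPAL_PHP = "class Drupal {\n  const VERSION = '11.3.9';\n"
    SETTINGS_PHP = "$databases['default']['default'] = [\n  'driver' => 'pgsql',\n];\n"
    print(triage(version_from_drupal_php(DRUPAL_PHP), driver_from_settings(SETTINGS_PHP)))
```

Feed it the real files with `open('core/lib/Drupal.php').read()` and `open('sites/default/settings.php').read()`; on a multi-site install, check each site directory's settings.php separately, since they can point at different databases.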

For organisations that cannot patch immediately, the most effective interim mitigation is to block, at the web application firewall or reverse proxy layer, requests containing patterns consistent with PostgreSQL-specific injection strings. Some WAF vendors have published signatures for CVE-2026-9082 since the day of disclosure. Treat this as a stopgap rather than a fix: pattern rules can be evaded with alternative encodings or SQL syntax and can block legitimate traffic, so confirm with the vendor that the rule set targets this CVE rather than generic SQL injection heuristics, and remove nothing from the patch schedule because a rule is in place. Reducing the privileges of the database role Drupal connects with is a second interim control; it does not close the hole, but it limits what an injection can reach.

Beyond the immediate patch, this vulnerability illustrates a pattern worth addressing systematically. Drupal is widely used across government, higher education, healthcare, and media. Many of those deployments are managed by teams who do not have a structured process for monitoring and acting on Drupal security advisories within hours of publication. The gap between disclosure and exploitation is now measured in hours, not weeks. A patching cadence designed around monthly maintenance windows is no longer adequate for critical-rated vulnerabilities in internet-facing CMS platforms.

If your organisation runs Drupal and you want help assessing your exposure, accelerating the patch deployment, or implementing web application firewall coverage as an interim control, contact Excello Digital. We can review your Drupal configuration, PostgreSQL permissions, and update processes to reduce the window between disclosure and protection.
