Drupal Releases SA-CORE-2026-004 Fixing Critical Database Injection Vulnerability

Unusual support coverage expands emergency mitigation beyond Drupal’s normal security maintenance boundaries

Security updates released by the Drupal Security Team on 20 May 2026 confirm that the highly critical issue previewed in yesterday’s advance advisory is an anonymous SQL injection vulnerability affecting Drupal sites that use PostgreSQL databases.

The published advisory, identified as SA-CORE-2026-004 and tracked as CVE-2026-9082, describes a flaw in Drupal core’s database abstraction API. According to the advisory, specially crafted requests can trigger arbitrary SQL injection on affected PostgreSQL-backed installations. The Security Team warned that successful exploitation could lead to information disclosure and, in some cases, privilege escalation, remote code execution, or additional attacks.

Yesterday’s advance coverage correctly anticipated that the vulnerability would require no authentication and that the Security Team would extend mitigation support beyond normally supported branches. The newly published advisory confirms both conditions. The vulnerability is rated “Highly critical” with a score of 20 out of 25 under Drupal’s security risk model and carries “AC:None” and “A:None” classifications, indicating that exploitation does not require privileged access or prior authentication.

The disclosure also clarifies an important detail that had remained embargoed during the advance warning period: the SQL injection flaw only affects sites using PostgreSQL databases. That limitation explains the advisory’s “Uncommon” target distribution rating referenced in the earlier PSA. However, the release packages coordinated upstream security updates for Symfony and Twig, and the Drupal Security Team recommends updating all supported Drupal installations regardless of database backend.

The advisory further validates yesterday’s reporting that the release window would include uncommon support measures for unsupported branches. Official updates have been issued for active core branches, while best-effort fixes and patches have also been provided for several unsupported minor and major releases because of the issue’s severity.

Administrators running currently supported branches of Drupal core are instructed to update immediately to the following versions:

  • Drupal 11.3.x sites must update to Drupal 11.3.10
  • Drupal 11.2.x sites must update to Drupal 11.2.12
  • Drupal 10.6.x sites must update to Drupal 10.6.9
  • Drupal 10.5.x sites must update to Drupal 10.5.10

In an uncommon support measure, targeted fixes have also been provided for end-of-life minor branches that do not normally receive regular security coverage. Deployments on these versions should upgrade immediately to the following mitigation releases:

  • Drupal 11.1.x or 11.0.x environments to Drupal 11.1.10
  • Drupal 10.4.x or earlier environments to Drupal 10.4.10

For end-of-life major versions, Drupal 9 and Drupal 8.9 sites are being offered manual patch files on a best-effort basis. The Security Team cautioned that these unsupported releases continue to contain previously disclosed vulnerabilities and do not receive ongoing security coverage outside this emergency response.
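One way an administrator could triage a fleet of sites against the release list above, as an added example that is not from the advisory or from Drupal's own tooling: it assumes you already have each site's core version as a string (for instance from `drush status` or `composer show drupal/core`) and encodes only the fixed and mitigation releases the advisory names.

```python
import re

# Fixed releases named in SA-CORE-2026-004 for currently supported branches.
SUPPORTED_FIX = {
    (11, 3): (11, 3, 10),
    (11, 2): (11, 2, 12),
    (10, 6): (10, 6, 9),
    (10, 5): (10, 5, 10),
}

# Best-effort mitigation releases for end-of-life minor branches:
# major -> (highest minor covered, release to move to).
EOL_MINOR_FIX = {
    11: (1, (11, 1, 10)),   # 11.1.x or 11.0.x -> 11.1.10
    10: (4, (10, 4, 10)),   # 10.4.x or earlier -> 10.4.10
}

def parse_version(text):
    """Return (major, minor, patch) from a string like '10.5.3' or 'v11.2.1'."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Drupal core version: {text!r}")
    return tuple(int(x) for x in m.groups())

def required_update(installed):
    """Classify an installed core version against the advisory.

    Returns (status, target): 'ok' (already at or past the fixed release),
    'update' (move to target), 'patch' (Drupal 9 / 8.9: manual best-effort
    patch files only) or 'unknown' (no release listed in the advisory)."""
    v = parse_version(installed)
    major, minor = v[0], v[1]
    target = SUPPORTED_FIX.get((major, minor))
    if target is None and major in EOL_MINOR_FIX:
        max_minor, eol_target = EOL_MINOR_FIX[major]
        if minor <= max_minor:
            target = eol_target
    if target is not None:
        label = ".".join(map(str, target))
        return ("ok" if v >= target else "update", label)
    if major == 9 or (major, minor) == (8, 9):
        return ("patch", None)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample inputs, not real site data.
    for sample in ("11.3.9", "11.3.10", "11.0.4", "10.2.7", "9.5.11"):
        print(sample, "->", required_update(sample))
```

An "ok" result only means the listed core release is installed; it says nothing about the Symfony and Twig updates bundled in the release, which the advisory asks all supported sites to apply regardless of database backend.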

The coordinated upstream disclosures also broaden the scope of the release beyond the PostgreSQL-specific SQL injection issue. According to the advisory, some Drupal deployments may be affected by additional Symfony and Twig vulnerabilities depending on local configuration and contributed modules. Administrators were advised to review permissions related to Twig template modification, including configurations exposed through Views or contributed modules.

Yesterday’s PSA coverage also referenced mitigation availability through Drupal Steward. The released advisory maintains that position, stating that Drupal Steward users receive immediate protection against known variations of the attack vector. However, the Security Team reiterated that web application firewall coverage is not a substitute for applying the core update locally.

The vulnerability was reported by Michael Maturi and fixed through a coordinated effort involving members of the Drupal Security Team and core contributors, including Björn Brala, Benji Fisher, catch, Lee Rowlands, Dave Long, Drew Webber, and Jess. The advisory was coordinated by multiple Drupal Security Team members including Anna Kalata, Damien McKenna, Greg Knaddison, Heine Deelstra, Neil Drumm, Pierre Rudloff, and Cathy Theys.

Disclosure: This content is produced with the assistance of AI.

Note: The vision of this web portal is to help promote news and stories around the Drupal community and to promote and celebrate the people and organizations in the community. We strive to create and distribute our content based on this content policy. If you see any omission or variation from it, please reach out to us in the #thedroptimes channel on Drupal Slack and we will try to address the issue as best we can.
