Drupal core - Highly critical - SQL injection - SA-CORE-2026-004 | Drupal.org
Skip to main content<br>Skip to search
Can we use first and third party cookies and web beacons to understand our audience, and to tailor promotions you see?<br>Yes, pleaseNo, do not track me
Drupal core - Highly critical - SQL injection - SA-CORE-2026-004
Project:<br>Drupal core
Date:<br>2026-May-20
Security risk:<br>Highly critical 20 ∕ 25 AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon
Vulnerability:<br>SQL injection
Affected versions:<br>>= 8.9.0 = 10.5.0 = 10.6.0 = 11.0.0 = 11.2.0 = 11.3.0 CVE IDs:<br>CVE-2026-9082
Description:<br>Drupal core includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.
A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases. This can lead to information disclosure, and in some cases privilege escalation, remote code execution, or other attacks.
This vulnerability can be exploited by anonymous users.
This vulnerability only affects sites using PostgreSQL . However, the dependency updates in this release apply to all sites.
Upstream security advisories
The Drupal releases for supported branches (11.3, 11.2, 10.6, and 10.5) in this advisory also include security updates for Symfony and Twig. Those projects have released important Security Advisories that were coordinated with this Drupal release, and Drupal is affected by some of the vulnerabilities.
Depending on your site configuration and contrib modules, you may be vulnerable to one or more of these upstream issues, so updating these dependencies is highly recommended whether the SQL Injection vulnerability affects you or not . It is also recommended to review which user roles have the ability to update Twig templates, for example via Views or contributed modules.
Solution:<br>Install the latest version.
The following releases will be available as soon as automated release packaging is complete. You may receive a 404 in the interim. The updates may also be available on Packagist sooner.
Drupal 11
If you use Drupal 11.3.x, update to Drupal 11.3.10.
If you use Drupal 11.2.x, update to Drupal 11.2.12.
If you use Drupal 11.1.x or 11.0.x, update to Drupal 11.1.10.
Drupal 10
If you use Drupal 10.6.x, update to Drupal 10.6.9.
If you use Drupal 10.5.x, update to Drupal 10.5.10.
If you use Drupal 10.4.x or earlier, update to Drupal 10.4.10.
Drupal 9 and 8
If you use any version of Drupal 9, try manually applying the Drupal 9.5 patch for this issue.
If you use Drupal 8.9, try manually applying the Drupal 8.9 patch for this issue.
Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.) Due to this issue's severity, the unsupported releases and patches for unsupported versions are provided as a best effort. Those unsupported versions will still have other, previously disclosed security vulnerabilities.
Reported By:
Michael Maturi (michaelmaturi)
Fixed By:
Björn Brala (bbrala)
Benji Fisher (benjifisher) of the Drupal Security Team
catch (catch) of the Drupal Security Team
Lee Rowlands (larowlan) of the Drupal Security Team
Dave Long (longwave) of the Drupal Security Team
Drew Webber (mcdruid) of the Drupal Security Team
Jess (xjm) of the Drupal Security Team
Coordinated By:
Anna Kalata (akalata) of the Drupal Security Team
Benji Fisher (benjifisher) of the Drupal Security Team
catch (catch) of the Drupal Security Team
Damien McKenna (damienmckenna) of the Drupal Security Team
Neil Drumm (drumm) of the Drupal Security Team
Greg Knaddison (greggles) of the Drupal Security Team
Heine Deelstra (heine) of the Drupal Security Team
Tim Hestenes Lehnen (hestenet)
Dave Long (longwave) of the Drupal Security Team
Drew Webber (mcdruid) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team
Pierre Rudloff (prudloff) of the Drupal Security Team
Jess (xjm) of the Drupal Security Team
Cathy Theys (yesct) of the Drupal Security Team
Contribution record
Contact and more information
The Drupal security team can be reached by email at security at drupal.org or via the contact form.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Bluesky, or Mastodon or Linkedin.
Contributing organizations for this advisory
State of Georgia<br>The Michael J. Fox Foundation for Parkinson's Research<br>SWIS<br>Harvard Web Publishing<br>Third and Grove<br>PreviousNext<br>Full Fat Things<br>Zoocha<br>xjm<br>Drupal Association<br>Colorado Governor's Office of Information Technology - Colorado Digital Service<br>ActivIT s.r.o.<br>Insite<br>Lullabot<br>The security team is made up of volunteers around the world. The companies above have sponsored time on this release.
Infrastructure management...