Drupal Warns of Critical SQL Injection Flaw: CVE-2026-9082
Are you using the Drupal CMS for your website? Then take a moment to patch a critical security flaw that appears to be especially worrying the development team. Here’s what we know about this threat.
A high risk of exploitation for this vulnerability
On May 18, 2026, Drupal published a security bulletin to warn everyone, essentially saying: you need to block out a time slot on May 20 between 17:00 and 21:00 UTC to deploy this essential update. That is explicitly stated in their message. And even though that window has now passed, you should still act if you have not updated yet.
Drupal is taking this approach because there is a strong likelihood that cybercriminals will develop exploits very quickly after this new update is released.
This vulnerability, now identified as CVE-2026-9082, affects the Drupal CMS Core. A second security bulletin was published on May 20, 2026 to explain this vulnerability in more detail, and after reading it, I can better understand why the Drupal team is concerned.
This is an SQL injection flaw that can be exploited anonymously, meaning by anyone able to interact with a Drupal site. It lies in Drupal's database abstraction API and stems from a defect in the very mechanism that is supposed to protect against SQL injection.
"Drupal Core includes a database abstraction API intended to ensure that queries executed against the database are validated to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted queries, resulting in arbitrary SQL injection on sites using PostgreSQL databases," the security bulletin states.
Exploiting this vulnerability can lead as far as compromising the Drupal site.
Drupal: protecting yourself against CVE-2026-9082
Many Drupal versions are affected, including versions that are still supported by the development team. In fact, CVE-2026-9082 affects Drupal 8 and all later versions. Drupal 7, however, is unaffected.
Security fixes will be applied across several branches of the CMS. Here are the versions for which specific updates will be available:
| Branch | Version with the fix |
|---|---|
| Drupal 11.3.x | Drupal 11.3.10 |
| Drupal 11.2.x | Drupal 11.2.12 |
| Drupal 11.1.x or 11.0.x | Drupal 11.1.10 |
| Drupal 10.6.x | Drupal 10.6.9 |
| Drupal 10.5.x | Drupal 10.5.10 |
| Drupal 10.4.x or earlier | Drupal 10.4.10 |
| Any Drupal 9 version | Apply the patch for Drupal 9.5 manually |
| Drupal 8.9 | Apply the patch for Drupal 8.9 manually |
Notably, although the 11.1.x and 10.4.x branches are no longer officially supported, the Drupal team made an exception by providing patches given the severity of the situation. For versions 8 and 9, which have already reached end of life, no out-of-the-box fix is offered. But as the table above shows, "hotfix"-style patch files are being made available on an exceptional basis.
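When you manage more than one Drupal site, the first practical question is which installs still need the update. The script below is an added example written for this article; it is not code from Drupal or from the advisory. The fixed versions are those of the table above; the version-string parsing, the handling of the "11.1.x or 11.0.x" and "10.4.x or earlier" ranges, the treatment of pre-release builds and the sample inventory are my own assumptions.

```python
"""Triage installed Drupal core versions against the CVE-2026-9082 fix table.

Added example, not part of the Drupal advisory or the article. The fixed
releases are copied from the article's table; everything else (parsing,
branch ranges, pre-release handling, sample data) is an assumption.
"""
import re

# Fixed release per branch, keyed by (major, lowest minor, highest minor).
# The minor ranges encode "11.1.x or 11.0.x" and "10.4.x or earlier".
FIXED_RELEASES = {
    (11, 3, 3): (11, 3, 10),
    (11, 2, 2): (11, 2, 12),
    (11, 0, 1): (11, 1, 10),
    (10, 6, 6): (10, 6, 9),
    (10, 5, 5): (10, 5, 10),
    (10, 0, 4): (10, 4, 10),
}

# Accepts "11.3.10", "7.103" (Drupal 7 has no patch component) and
# pre-release tags such as "11.3.10-rc1" (assumed format).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.]+))?$")


def parse_version(text):
    """Split a Drupal version string into (major, minor, patch, prerelease)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {text!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    return major, minor, patch, m.group(4)


def assess(version):
    """Return (status, advice) for one installed core version.

    status is one of "unaffected", "manual-patch", "patched",
    "vulnerable" or "unknown".
    """
    major, minor, patch, prerelease = parse_version(version)
    if major < 8:
        return "unaffected", f"{version}: Drupal 7 and earlier are not affected by CVE-2026-9082."
    if major in (8, 9):
        branch = "8.9" if major == 8 else "9.5"
        return "manual-patch", f"{version}: Drupal {major} is end of life; apply the manual patch for {branch}."
    for (fmajor, lo, hi), fixed in FIXED_RELEASES.items():
        if major == fmajor and lo <= minor <= hi:
            fixed_str = ".".join(str(x) for x in fixed)
            installed = (major, minor, patch)
            # A pre-release of the fixed version (e.g. 11.3.10-rc1) precedes
            # the final release, so it is assumed not to carry the fix.
            if installed > fixed or (installed == fixed and prerelease is None):
                return "patched", f"{version}: includes the fix ({fixed_str})."
            return "vulnerable", f"{version}: update to {fixed_str} or later."
    return "unknown", f"{version}: not covered by the advisory table; check drupal.org for the current fixed release."


def scan(inventory):
    """Map site name -> status for a {site: version} inventory."""
    return {site: assess(ver)[0] for site, ver in inventory.items()}


# Constructed sample inventory, not real sites.
SAMPLE_INVENTORY = {
    "intranet": "11.3.9",
    "shop": "11.3.10",
    "docs": "10.2.7",
    "legacy-blog": "9.5.11",
    "archive": "7.103",
}

if __name__ == "__main__":
    for site, ver in SAMPLE_INVENTORY.items():
        status, advice = assess(ver)
        print(f"{site:12} {status:13} {advice}")
```

Feed it the version string that `\Drupal::VERSION` or the site's status report gives you; anything the table does not cover (a newer branch, a malformed string) is reported as "unknown" or raises, rather than being silently treated as safe.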