Summary
Drupal core's PostgreSQL entity query handling lets attacker-controlled array keys become SQL placeholder names. An unauthenticated attacker can reach the bug through /user/login?_format=json or JSON:API filter requests on affected PostgreSQL-backed sites, turning crafted input into unsafe SQL. Successful exploitation can expose or modify data and may be chained into remote code execution; Drupal says exploit attempts are being detected in the wild.
Why Fix Soon?
5/6Exploitation Details
Execute arbitrary SQL on the PostgreSQL backend, exposing or modifying data and potentially enabling remote code execution.
RCE (Remote Code Execution)Affected Software
| Product | Affected Versions |
|---|---|
| Drupal core | 8.9.0 through 10.4.9, 10.5.0 through 10.5.9, 10.6.0 through 10.6.8, 11.0.0 through 11.1.9, 11.2.0 through 11.2.11, 11.3.0 through 11.3.9 |
Drupal core is the open-source content management system used to build and run websites, portals, and web applications.
Affected ComponentPostgreSQL-specific entity query condition translation in Drupal core's database abstraction layer, including array-valued filter handling.
PostgreSQL-specific entity query condition translation in Drupal core's database abstraction layer, including array-valued filter handling.
Affected Endpoints(2)/user/login?_format=json, /jsonapi/node/{bundle}…
Not available
For Drupal 9.5 or 8.9 installations, apply the manual patch linked from SA-CORE-2026-004; supported branches should upgrade to the fixed release instead.
For Drupal 9.5 or 8.9 installations, apply the manual patch linked from SA-CORE-2026-004; supported branches should upgrade to the fixed release instead.
Upgrade Drupal core to 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, or 10.4.10 depending on your branch; Drupal 9.5 and 8.9 require manual patches.
Upgrade Drupal core to 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, or 10.4.10 depending on your branch; Drupal 9.5 and 8.9 require manual patches.
Probability of exploitation in the next 30 days
Worse than 94% of all CVEs
No known threat actors
NVD Data
Description Summary
CVSS Base Score
CVSS Vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Sources
| Source | Article |
|---|---|
| www.drupal.org | Drupal core - Highly critical - SQL injection - SA-CORE-2026-004 |
| www.drupal.org | drupal 11.3.10 release notes |
| nvd.nist.gov | CVE-2026-9082 Detail |
| www.cisa.gov | Known Exploited Vulnerabilities Catalog |
| www.tenable.com | CVE-2026-9082 |
| slcyber.io | Keys to the Kingdom: Anonymous SQL Injection in Drupal Core (CVE-2026-9082) |
| www.yeswehack.com | CVE-2026-9082: PostgreSQL-specific SQL injection in Drupal |
| www.akamai.com | CVE-2026-9082: Mitigating a Critical SQL Injection Vulnerability in Drupal |
| www.threatlevel.io | CVE-2026-9082 - SQL Injection in Drupal core |
| github.com | PoC for CVE-2026-9082 (Drupal SA-CORE-2026-004) Drupal Core SQLi |
Priority History
Initial analysis
Elevated — new exploitation evidence confirmed