Digital Sentry
Vulnerabilities | May 28, 2026 | 7 min read

CVE-2026-9082: Critical SQL Injection in Drupal Core (CVSS 9.8)

A SQL injection flaw in Drupal core lets unauthenticated attackers execute arbitrary SQL against the site's database. CVSS 9.8, CISA KEV with a 5-day remediation window. Impact includes data exposure, privilege escalation, and potential remote code execution on typical Drupal deployments.

What happened

CVE-2026-9082 is a SQL injection vulnerability in Drupal core. NVD rates the vulnerability CVSS v3.1 9.8 (Critical). The CWE classification is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The vulnerability affects Drupal core from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, and from 11.3.0 before 11.3.10. CISA added the CVE to the Known Exploited Vulnerabilities catalog on 22 May 2026 with a remediation due date of 27 May 2026, a 5-day window.

The vulnerability is unauthenticated and network-reachable: any attacker who can reach a Drupal site's front-end can submit the crafted input that triggers the SQL injection. The affected code path is in Drupal core itself rather than a contributed module, which means the vulnerability applies to every Drupal site on an affected version line regardless of which contributed modules the site has installed. Drupal's own security advisory, SA-CORE-2026-XXX (the exact advisory identifier should be confirmed against the Drupal security advisory page), documents the affected versions and the fix releases.

How it works

The vulnerable code path is in the way Drupal core constructs SQL queries from user-supplied input. The specific input vector is in a request-handling path that Drupal uses to resolve and dispatch incoming requests to the right handler, which is a path that every Drupal request traverses regardless of which page or endpoint the user is requesting. The vulnerable code did not sufficiently parameterize a user-supplied value that ended up in the SQL query, which allowed the attacker to inject SQL fragments that the database executes as part of the query.

SQL injection in a framework like Drupal is consequential because the framework mediates every database operation in the application: user records, content records, taxonomy, configuration, sessions, and the metadata that Drupal uses to track every entity in the system. An attacker with arbitrary SQL execution can read any table in the database, modify any record, create new records, and (depending on the database configuration and the attacker's creativity) write files to disk or execute commands on the host. The ceiling of the SQL injection is not just the data in the database; it is whatever the database user can reach.

The interesting operational detail is the request-dispatch path. This is a code path that Drupal has hardened over many years specifically because it is the front door of every request, and a vulnerability in this path is exposed to every unauthenticated visitor. The vulnerability is a regression in that hardening, introduced by a code change that did not account for the user-supplied value that the attacker eventually injects. The pattern that recurs across SQL injection CVEs in framework code is the same: a long-stable code path that has been hardened, a code change that introduces a new input source or a new query, and the failure to apply the same input-sanitization discipline to the new code that the older code had.

Blast radius

The blast radius is every Drupal site on an affected version. Drupal is widely deployed across government, education, non-profit, media, and enterprise: it powers a significant fraction of the public web's content-managed sites, and many of those sites handle authentication, personal data, and the kind of content that an attacker would want to deface or steal. An unauthenticated SQL injection against a Drupal site is the front door to the site's database, which is the front door to everything the site knows about its users.

The impact on a typical Drupal deployment is wider than the database itself. Drupal's configuration is stored in the database, which means an attacker with SQL execution can read the site's configuration (including any API keys, OAuth secrets, or third-party integration credentials that the site stores in configuration), modify the site's configuration (including the site mail settings, the user-role permissions, and the trusted-host patterns), and create new administrative users. From an administrative account, the attacker can install contributed modules, modify themes to inject client-side attacks, and stage further attacks against the site's users.

The path from SQL injection to remote code execution on a typical Drupal host goes through Drupal's file system operations. Drupal can write files to disk as part of its normal operation (caching, image styles, file fields, contributed modules that manage user-uploaded content), and the database user in many Drupal deployments has the FILE privilege or equivalent, which allows the attacker to write a PHP file to a web-accessible directory. From there, the attacker has web-shell execution as the web server user, and from there they can use whatever privilege-escalation primitives the host exposes to gain root.

Defender actions

Defender actions for CVE-2026-9082 are time-bounded and have a hard deadline. CISA's due date is 27 May 2026. Steps, in order: identify every Drupal site in the environment, including development sites, staging sites, internal sites, and sites that are reachable only from a corporate subnet. For each site, check the version against the affected-version list. If the site is on an affected version, upgrade to the appropriate fix release per the Drupal security advisory: 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, or 11.3.10, depending on which version line the site is on.
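One way to carry out the version-check step across a site inventory, as an added example that is not part of this post or the Drupal project: the affected ranges and fix releases are the ones listed above, and the hostnames and reported versions are constructed.

```python
from __future__ import annotations

# Affected ranges from this post's version list, as (lower_inclusive,
# upper_exclusive). Versions are 4-tuples (major, minor, patch, final) with
# final = 0 for a pre-release build and 1 for the tagged release, so that a
# 10.4.10-dev build still counts as affected while 10.4.10 itself does not.
# The upper bound of each range is also the fix release to move to.
AFFECTED_RANGES = [
    ((8, 9, 0, 0), (10, 4, 10, 1)),
    ((10, 5, 0, 0), (10, 5, 10, 1)),
    ((10, 6, 0, 0), (10, 6, 9, 1)),
    ((11, 0, 0, 0), (11, 1, 10, 1)),
    ((11, 2, 0, 0), (11, 2, 12, 1)),
    ((11, 3, 0, 0), (11, 3, 10, 1)),
]

def parse_version(text: str) -> tuple[int, int, int, int]:
    """Parse '10.4.9' or '11.3.10-dev' into a comparable tuple."""
    core, sep, _suffix = text.strip().partition("-")
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Drupal core version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch, 0 if sep else 1)

def fix_release_for(version: str) -> str | None:
    """Return the fix release the site must move to, or None when the version
    is outside every listed range (already patched, older than 8.9.0, or on a
    version line the list does not name; that last case still deserves a
    manual check against the advisory)."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if low <= v < high:
            return ".".join(str(n) for n in high[:3])
    return None

def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map each affected site to its required fix release; unaffected sites are omitted."""
    return {site: fix for site, ver in inventory.items()
            if (fix := fix_release_for(ver)) is not None}

if __name__ == "__main__":
    # Constructed inventory: hostname -> Drupal core version reported by the site.
    sites = {"www.example.test": "10.4.9", "intranet.example.test": "11.2.11",
             "staging.example.test": "11.3.10", "legacy.example.test": "9.5.11"}
    for site, fix in triage(sites).items():
        print(f"{site}: upgrade to {fix} before 2026-05-27")
```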

For sites that cannot be upgraded within the 5-day window, the mitigation options are limited: this is a vulnerability in core, not a contributed module that can be disabled, and the vulnerability is in a code path that every request traverses. The interim mitigation is to put a web application firewall in front of the site with a rule for the specific injection pattern, which is a stop-gap at best and does not address the root cause. The right operational answer is to upgrade within the window.

After patching, audit each affected site for indicators of pre-patch exploitation: unexpected new administrative users, modifications to the site's configuration that the site owners did not make, unexpected content in the database, unexpected files in the site's file directories, and unusual outbound connections from the host. The sites that were externally reachable in the days before the patch should be treated as compromised: rotate any credentials or API keys that the site stored in its configuration, audit any other systems that share authentication with the Drupal site, and notify any users whose personal data the site holds that the site may have been accessed without authorization.

Lessons

The wider lesson is that vulnerabilities in core frameworks are higher-impact than vulnerabilities in contributed code, because the framework mediates every request and every database operation. A SQL injection in a single contributed module is bad; a SQL injection in core is a compromise of every site on the affected version. The defender response that holds up is to treat core-framework updates as a higher urgency than contributed-module updates, because the blast radius is wider.

The other lesson is the recurring pattern of input-sanitization regressions in long-stable code paths. Drupal's request-dispatch path has been hardened against this category of attack for many years; the vulnerability is a regression in that hardening, not a fundamentally new attack surface. The right engineering response is to add a regression test for the specific input vector and to audit other code paths in core that handle similar input for the same class of bug. The defender response is to upgrade as soon as the fix is available and to treat the patched version as the operational floor, not the ceiling.
