May 21, 2026·5 min read·419 visits
Unauthenticated SQL injection in Drupal Core's PostgreSQL driver allows full database compromise and potential remote code execution via crafted JSON:API or search queries.
Drupal Core contains a highly critical SQL injection vulnerability (CVE-2026-9082) within its Database Abstraction API. The flaw specifically affects installations using the PostgreSQL database backend, allowing unauthenticated attackers to execute arbitrary SQL commands via crafted array keys in filter parameters.
CVE-2026-9082 is an unauthenticated SQL Injection (CWE-89) vulnerability residing within the core architecture of Drupal. It specifically affects installations utilizing the PostgreSQL database backend. Deployments running MySQL, MariaDB, and SQLite remain unaffected by this specific attack vector due to differences in database driver implementation and syntax handling.
The flaw originates in the Database Abstraction API, particularly in how the PostgreSQL driver processes structural query components. While Drupal reliably sanitizes parameter values using prepared statements, it relies on its internal query builder to handle field names, operators, and ordering clauses. This structural construction process fails to adequately validate input derived from array keys.
Attackers exploit this validation failure by passing crafted array keys within filter parameters via standard endpoints, such as JSON:API or Core Search. The system incorporates these keys into the final SQL string without sufficient neutralization. This allows malicious actors to break out of the intended query structure and append arbitrary PostgreSQL commands.
The root cause of CVE-2026-9082 is the improper neutralization of special elements within array keys processed by the PostgreSQL database driver. Drupal’s abstraction layer separates data values from SQL structures to prevent injection. However, filter conditions constructed via JSON:API or Entity Queries dynamically build query clauses based on user-supplied parameter keys.
When an attacker provides a crafted key, the validation logic fails to detect PostgreSQL-specific operators. Specifically, type casting operators (::), string concatenation operators (||), and dollar-quoting mechanisms bypass the standard alphanumeric filters intended for column identifiers. The driver assumes these keys represent legitimate, safe structural components.
Because the driver directly concatenates these unsanitized keys into the SQL statement, the injected characters alter the syntax tree of the resulting query. The database engine executes the concatenated string, processing the attacker's payload as legitimate SQL commands rather than literal identifiers. This failure sequence effectively negates the protections offered by the prepared statement implementation.
Exploitation requires no authentication and relies on sending crafted HTTP GET requests to specific Drupal endpoints. The primary attack surfaces include the JSON:API (/jsonapi/node/article), Core Search (/search/node), and Views AJAX (/views/ajax) endpoints. These routes natively accept complex, nested array parameters for filtering and sorting operations, providing an ideal injection conduit.
Attackers typically initiate the exploit using a time-based blind SQL injection technique. By injecting the pg_sleep() function into a search parameter, the attacker verifies the vulnerability based on the server's response time. Passing a payload such as keys=test';select pg_sleep(5)-- forces the database to pause execution, providing binary confirmation of the injection point.
If the database user configured in Drupal's settings.php possesses superuser privileges, the attack escalates to Remote Code Execution (RCE). The attacker leverages the PostgreSQL COPY FROM PROGRAM command. This instructs the database engine to execute a shell command on the underlying host operating system and pipe the output into a database table.
A conceptual payload for RCE involves closing the existing query context, executing a UNION SELECT to balance the statement, and chaining the COPY command. The payload test' UNION SELECT null,null; CREATE TABLE cmd_out(output TEXT); COPY cmd_out FROM PROGRAM 'id'; -- demonstrates this exact escalation path.
The vulnerability carries a Drupal Security Risk Score of 20 out of 25, classifying it as Highly Critical. This rating reflects the unauthenticated nature of the attack and the potential for complete database compromise. NVD assigned a CVSS v3.1 base score of 6.5, which measures the direct impacts of standard SQL injection without assuming the presence of a superuser database configuration.
Successful exploitation grants the attacker read and write access to the entire Drupal database. This access enables the exfiltration of sensitive user data, session tokens, and password hashes. Attackers use this access to modify database records, granting administrative privileges to standard user accounts or altering site content.
The impact extends directly to the underlying server infrastructure if the PostgreSQL service runs with elevated privileges. Execution of shell commands via COPY FROM PROGRAM provides a definitive foothold for lateral movement within the network. This highlights the critical importance of adhering to the principle of least privilege when configuring database service accounts.
The primary remediation for CVE-2026-9082 requires updating Drupal Core to a patched version. Administrators must apply version 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, or 11.3.10 depending on their active deployment branch. Updates are executed via Composer using the composer update drupal/core drupal/core-recommended command to ensure strict dependency alignment.
As a crucial defense-in-depth measure, administrators must verify the permissions assigned to the PostgreSQL user account connecting to the Drupal database. Ensure this account is strictly prohibited from holding the SUPERUSER role. Restricting database privileges neutralizes the COPY FROM PROGRAM vector, preventing escalation from SQL injection to Remote Code Execution.
Security operations teams should deploy Web Application Firewall (WAF) rules and monitor logs for indicators of compromise. Detection strategies involve searching web access logs for PostgreSQL-specific syntax such as pg_sleep, ::text, and COPY FROM PROGRAM within request parameters. Implementing targeted Sigma rules provides a baseline for identifying these attack patterns in SIEM environments.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N| Product | Affected Versions | Fixed Version |
|---|---|---|
Drupal Core Drupal | 8.9.0 - 10.4.9 | 10.4.10 |
Drupal Core Drupal | 10.5.0 - 10.5.9 | 10.5.10 |
Drupal Core Drupal | 10.6.0 - 10.6.8 | 10.6.9 |
Drupal Core Drupal | 11.0.0 - 11.1.9 | 11.1.10 |
Drupal Core Drupal | 11.2.0 - 11.2.11 | 11.2.12 |
Drupal Core Drupal | 11.3.0 - 11.3.9 | 11.3.10 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-89 |
| Attack Vector | Network (Unauthenticated) |
| CVSS v3.1 Score | 6.5 |
| Drupal Risk Score | 20/25 (Highly Critical) |
| Exploit Status | PoC Available |
| KEV Status | Not Listed |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
A property shadowing vulnerability exists in protobufjs where schema-derived names can collide with and overwrite runtime-critical internal helper properties. This issue leads to uncaught runtime exceptions and crash-based Denial of Service.
An integer truncation vulnerability (CWE-197) exists in SQLite before version 3.50.2 during the processing of aggregate queries with more than 32,767 distinct column references. This causes an internal 32-bit counter to truncate to a signed 16-bit integer, producing negative values that cause out-of-bounds heap operations in release builds.
An integer overflow vulnerability in the Windows kernel-mode HTTP driver (HTTP.sys) allows an unauthenticated remote attacker to execute arbitrary code with kernel privileges or cause a Denial of Service via a specially crafted sequence of HTTP request headers.
A memory corruption vulnerability exists in the FTS5 (Full-Text Search 5) extension of SQLite prior to version 3.53.2. An attacker can construct a malicious database file containing corrupt FTS5 page data. Querying this database triggers out-of-bounds reads and heap-based buffer overflows, potentially causing a crash or arbitrary code execution.
A mass assignment vulnerability (CWE-915) in n8n's self-service settings API endpoint (PATCH /me/settings) allows authenticated Single Sign-On (SSO) users to disable SSO enforcement for their accounts by injecting administrative parameters. This bypasses organizational identity provider controls and multi-factor authentication (MFA).
CVE-2026-55699 (also identified as GHSA-4gxm-v5v7-fqc4) is a critical path traversal and arbitrary directory deletion vulnerability in the pnpm package manager. The issue exists because the manifest validation process fails to prevent relative path segments within the package 'bin' keys. When a malicious package containing structured path traversal markers is globally installed and later manipulated, pnpm resolves the target paths through path.join() and passes the resolved paths to a recursive deletion function, resulting in arbitrary directory removal.