CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-9082 · CVSS 6.5

CVE-2026-9082: Unauthenticated SQL Injection in Drupal Core PostgreSQL Driver

Alon Barad, Software Engineer

May 21, 2026 · 5 min read

PoC Available

Executive Summary (TL;DR)

Unauthenticated SQL injection in Drupal Core's PostgreSQL driver allows full database compromise and potential remote code execution via crafted JSON:API or search queries.

Drupal Core contains a highly critical SQL injection vulnerability (CVE-2026-9082) within its Database Abstraction API. The flaw specifically affects installations using the PostgreSQL database backend, allowing unauthenticated attackers to execute arbitrary SQL commands via crafted array keys in filter parameters.

Vulnerability Overview

CVE-2026-9082 is an unauthenticated SQL Injection (CWE-89) vulnerability residing within the core architecture of Drupal. It specifically affects installations utilizing the PostgreSQL database backend. Deployments running MySQL, MariaDB, and SQLite remain unaffected by this specific attack vector due to differences in database driver implementation and syntax handling.

The flaw originates in the Database Abstraction API, particularly in how the PostgreSQL driver processes structural query components. While Drupal reliably sanitizes parameter values using prepared statements, it relies on its internal query builder to handle field names, operators, and ordering clauses. This structural construction process fails to adequately validate input derived from array keys.

Attackers exploit this validation failure by passing crafted array keys within filter parameters via standard endpoints, such as JSON:API or Core Search. The system incorporates these keys into the final SQL string without sufficient neutralization. This allows malicious actors to break out of the intended query structure and append arbitrary PostgreSQL commands.

Root Cause Analysis

The root cause of CVE-2026-9082 is the improper neutralization of special elements within array keys processed by the PostgreSQL database driver. Drupal’s abstraction layer separates data values from SQL structures to prevent injection. However, filter conditions constructed via JSON:API or Entity Queries dynamically build query clauses based on user-supplied parameter keys.

When an attacker provides a crafted key, the validation logic fails to detect PostgreSQL-specific operators. Specifically, type casting operators (::), string concatenation operators (||), and dollar-quoting mechanisms bypass the standard alphanumeric filters intended for column identifiers. The driver assumes these keys represent legitimate, safe structural components.

Because the driver directly concatenates these unsanitized keys into the SQL statement, the injected characters alter the syntax tree of the resulting query. The database engine executes the concatenated string, processing the attacker's payload as legitimate SQL commands rather than literal identifiers. This failure sequence effectively negates the protections offered by the prepared statement implementation.

Exploit Mechanics and Attack Vectors

Exploitation requires no authentication and relies on sending crafted HTTP GET requests to specific Drupal endpoints. The primary attack surfaces include the JSON:API (/jsonapi/node/article), Core Search (/search/node), and Views AJAX (/views/ajax) endpoints. These routes natively accept complex, nested array parameters for filtering and sorting operations, providing an ideal injection conduit.

Attackers typically initiate the exploit using a time-based blind SQL injection technique. By injecting the pg_sleep() function into a search parameter, the attacker verifies the vulnerability based on the server's response time. Passing a payload such as keys=test';select pg_sleep(5)-- forces the database to pause execution, providing binary confirmation of the injection point.

If the database user configured in Drupal's settings.php possesses superuser privileges, the attack escalates to Remote Code Execution (RCE). The attacker leverages the PostgreSQL COPY FROM PROGRAM command. This instructs the database engine to execute a shell command on the underlying host operating system and pipe the output into a database table.

A conceptual payload for RCE involves closing the existing query context, executing a UNION SELECT to balance the statement, and chaining the COPY command. The payload test' UNION SELECT null,null; CREATE TABLE cmd_out(output TEXT); COPY cmd_out FROM PROGRAM 'id'; -- demonstrates this exact escalation path.

Impact Assessment

The vulnerability carries a Drupal Security Risk Score of 20 out of 25, classifying it as Highly Critical. This rating reflects the unauthenticated nature of the attack and the potential for complete database compromise. NVD assigned a CVSS v3.1 base score of 6.5, which measures the direct impacts of standard SQL injection without assuming the presence of a superuser database configuration.

Successful exploitation grants the attacker read and write access to the entire Drupal database. This access enables the exfiltration of sensitive user data, session tokens, and password hashes. Attackers use this access to modify database records, granting administrative privileges to standard user accounts or altering site content.

The impact extends directly to the underlying server infrastructure if the PostgreSQL service runs with elevated privileges. Execution of shell commands via COPY FROM PROGRAM provides a definitive foothold for lateral movement within the network. This highlights the critical importance of adhering to the principle of least privilege when configuring database service accounts.

Remediation and Mitigation Guidance

The primary remediation for CVE-2026-9082 requires updating Drupal Core to a patched version. Administrators must apply version 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, or 11.3.10 depending on their active deployment branch. Updates are executed via Composer using the composer update drupal/core drupal/core-recommended command to ensure strict dependency alignment.

As a crucial defense-in-depth measure, administrators must verify the permissions assigned to the PostgreSQL user account connecting to the Drupal database. Ensure this account is strictly prohibited from holding the SUPERUSER role. Restricting database privileges neutralizes the COPY FROM PROGRAM vector, preventing escalation from SQL injection to Remote Code Execution.

Security operations teams should deploy Web Application Firewall (WAF) rules and monitor logs for indicators of compromise. Detection strategies involve searching web access logs for PostgreSQL-specific syntax such as pg_sleep, ::text, and COPY FROM PROGRAM within request parameters. Implementing targeted Sigma rules provides a baseline for identifying these attack patterns in SIEM environments.
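Added example (not code from the advisory or the Drupal project): a Python scanner that URL-decodes the query strings in web access logs and flags requests to the endpoints named above that carry the PostgreSQL-specific indicators listed here. The log lines are constructed for illustration, and the `::` and `||` patterns go beyond the text's list by covering the root-cause operators as well.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [21/May/2026:10:01:02 +0000] "GET /search/node?keys=drupal+postgres HTTP/1.1" 200 5120
203.0.113.11 - - [21/May/2026:10:01:05 +0000] "GET /search/node?keys=test%27%3Bselect+pg_sleep(5)-- HTTP/1.1" 200 5120
203.0.113.12 - - [21/May/2026:10:01:09 +0000] "GET /jsonapi/node/article?filter[title%3A%3Atext][value]=x HTTP/1.1" 400 310
203.0.113.13 - - [21/May/2026:10:01:12 +0000] "GET /views/ajax?view_name=content&q=%2527%3B+COPY%2520t%2520FROM%2520PROGRAM HTTP/1.1" 200 210
203.0.113.14 - - [21/May/2026:10:01:15 +0000] "GET /node/12?utm_source=newsletter HTTP/1.1" 200 8100
"""

# Endpoints the advisory names as the primary attack surfaces.
WATCHED_PATHS = ("/jsonapi/", "/search/node", "/views/ajax")

# Indicators from the advisory's detection guidance plus the root-cause operators.
INDICATORS = {
    "pg_sleep": re.compile(r"pg_sleep\s*\(", re.I),
    "type cast ::": re.compile(r"::\s*[a-z_]+", re.I),  # ::text, ::int, ...
    "COPY FROM PROGRAM": re.compile(r"\bcopy\b.*\bfrom\s+program\b", re.I | re.S),
    "dollar quoting": re.compile(r"\$[a-z_]*\$", re.I),
    "string concat ||": re.compile(r"\|\|"),
}

REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

def normalise(query: str) -> str:
    """URL-decode until stable (double encoding is a common evasion) and collapse whitespace."""
    for _ in range(3):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return re.sub(r"\s+", " ", query)

def scan_access_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client_ip, path, matched indicators) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path, _, query = m.group(1).partition("?")
        if not path.startswith(WATCHED_PATHS) or not query:
            continue
        decoded = normalise(query)
        found = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
        if found:
            hits.append((line.split(" ", 1)[0], path, found))
    return hits
```

Tune the `::` and `||` patterns against your own baseline traffic before alerting on them; they are noisier than pg_sleep and COPY FROM PROGRAM, which rarely appear in legitimate request parameters.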

Official Patches

Drupal: Official Drupal Security Advisory SA-CORE-2026-004

Technical Appendix

CVSS Score
6.5 / 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Affected Systems

  • Drupal Core 8.9.x to 10.4.9 (with PostgreSQL)
  • Drupal Core 10.5.0 to 10.5.9 (with PostgreSQL)
  • Drupal Core 10.6.0 to 10.6.8 (with PostgreSQL)
  • Drupal Core 11.0.0 to 11.1.9 (with PostgreSQL)
  • Drupal Core 11.2.0 to 11.2.11 (with PostgreSQL)
  • Drupal Core 11.3.0 to 11.3.9 (with PostgreSQL)

Affected Versions Detail

Product               Affected Versions    Fixed Version
Drupal Core (Drupal)  8.9.0 - 10.4.9       10.4.10
Drupal Core (Drupal)  10.5.0 - 10.5.9      10.5.10
Drupal Core (Drupal)  10.6.0 - 10.6.8      10.6.9
Drupal Core (Drupal)  11.0.0 - 11.1.9      11.1.10
Drupal Core (Drupal)  11.2.0 - 11.2.11     11.2.12
Drupal Core (Drupal)  11.3.0 - 11.3.9      11.3.10

Attribute           Detail
CWE ID              CWE-89
Attack Vector       Network (Unauthenticated)
CVSS v3.1 Score     6.5
Drupal Risk Score   20/25 (Highly Critical)
Exploit Status      PoC Available
KEV Status          Not Listed

MITRE ATT&CK Mapping

T1190 · Exploit Public-Facing Application (Initial Access)
CWE-89 · SQL Injection (Improper Neutralization of Special Elements used in an SQL Command)

Known Exploits & Detection

GitHub (lysophavin18): Proof of Concept repository detailing exploitation techniques
GitHub (HORKimhab): Additional public Proof of Concept repository

Vulnerability Timeline

2026-05-18: PSA-2026-05-18 announced an upcoming 'Highly Critical' security release
2026-05-20: Official advisory SA-CORE-2026-004 and CVE-2026-9082 published; patches released
2026-05-21: Multiple public PoC repositories identified on GitHub

References & Sources

  • [1] Official Drupal Advisory (SA-CORE-2026-004)
  • [2] CVE-2026-9082 at CVE.org
  • [3] NVD Record
  • [4] GitHub PoC Repository (lysophavin18)
  • [5] GitHub PoC Repository (HORKimhab)

Attack Flow Diagram

(Interactive attack flow diagram; not reproduced in text.)