CVE-2026-9082 is a highly critical SQL injection vulnerability in Drupal's database abstraction API that affects multiple versions including Drupal 8.9.x, 10.4.x, 10.5.x, 10.6.x, and 11.x branches prior to specific patch versions. The vulnerability allows unauthenticated attackers to inject arbitrary SQL commands on sites using PostgreSQL, potentially leading to remote code execution, privilege escalation, and data disclosure. The flaw was discovered by a Google/Mandiant researcher and publicly disclosed in May 2026. Drupal has issued security advisories and patches for affected versions, with confirmed exploitation attempts detected shortly after disclosure. Drupal rates the vulnerability as highly critical (internal score 23/25), while NIST assigns a medium severity CVSS score of 6.5. Users are advised to upgrade immediately to patched versions. Drupal 8 and 9 are end-of-life and only receive best-effort patches, posing additional risk.

The vulnerability allows unauthenticated remote attackers to perform SQL injection on Drupal sites using PostgreSQL, which can lead to unauthorized access, modification, or deletion of database data. This can escalate to remote code execution and privilege escalation, severely compromising affected systems. Exploitation attempts have been observed in the wild, confirming active targeting of this flaw. The impact is critical for affected Drupal sites, especially those using PostgreSQL as their database backend.

Drupal has released official patches addressing CVE-2026-9082 for all affected supported versions. Website administrators must upgrade immediately to the latest patched versions for their Drupal branch. Even sites not using PostgreSQL should update, as the patches include fixes for other dependencies. Drupal 8 and 9 are end-of-life and receive only best-effort patches; continued use of these versions is risky. No alternative mitigations are indicated beyond applying the official updates promptly.