CVE-2026-9082: If Your Website Runs Drupal on PostgreSQL, It's Leaking Data
Anonymous SQL injection in Drupal core. No login required. On CISA KEV. Mass scanning started within days. If you run Drupal on PostgreSQL, patch right now or take it offline.
#Drupal has a SQL injection in 2026. Anonymous. In core.
Not a contributed module. Not a third-party plugin. Drupal core. The database abstraction layer. The part that's supposed to make SQL injection impossible.
CVE-2026-9082 affects Drupal 8.0 and later running on PostgreSQL backends. The injection bypasses Drupal's parameterized query protections because it exploits something the parameterization doesn't cover: array keys in query parameters.
PHP's query-string parser preserves array keys from user input. Those keys flow through JSON:API and Views into the EntityQuery condition handler. On PostgreSQL (not MySQL), those keys reach the database unsanitized. No login required. Fully anonymous.
Drupal's own security team rated this "Highly Critical." CISA added it to the KEV catalog on May 22. Mass scanning was observed within days of the patch.
#What an attacker gets.
Through this injection, an anonymous visitor to your Drupal site can:
- Dump the entire database. User accounts, hashed passwords, email addresses, session tokens, content, configuration.
- Bypass authentication. Extract or create admin session tokens.
- Escalate to RCE in some configurations (through file writes, PHP serialization, or Drupal's built-in code execution features for admins).
- Access PII. If your Drupal site stores customer data, client records, or any personal information, it's all accessible.
And because this is a CMS, Drupal sites often hold exactly the kind of data that matters: user accounts, form submissions, e-commerce orders, membership data, content behind paywalls.
#Who's affected (and who's not).
Affected: Drupal 8.0+ on PostgreSQL backends, using JSON:API and/or Views (which is... almost every Drupal site that runs on PostgreSQL).
Not affected: Drupal on MySQL/MariaDB. The injection path is PostgreSQL-specific because the PostgreSQL driver handles unparameterized array keys differently from the MySQL driver.
If you don't know which database your Drupal site uses, find out today. Check your settings.php for the database driver configuration. Or ask whoever manages your hosting.
#What to do.
If you run Drupal on PostgreSQL:
- Apply SA-CORE-2026-004 immediately. This is the official patch. Don't wait for your next maintenance window. Do it now.
- If you can't patch right now, disable JSON:API and restrict Views-based endpoints as a temporary mitigation. This isn't a fix. It's a tourniquet. Patch as soon as possible.
- Audit your database for compromise. Check the `users_field_data` table for accounts you didn't create. Check the `sessions` table for active sessions from unexpected IPs. Check `watchdog` logs for unusual query patterns.
- Rotate admin credentials. Change every admin password. Invalidate all active sessions. If an attacker had time to access the database, assume they have the password hashes.
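One way to do the audit step against your web-server access logs, as an added example (not from the advisory, Drupal, or any of the linked sources): it re-parses request query strings the way PHP does, keeping array keys, and flags JSON:API or Views requests whose bracketed keys contain anything other than identifier characters. The log lines, the watched path prefixes and the identifier-only allowlist are constructed assumptions for illustration; a legitimate filter key (`filter[title][value]`) is an identifier, so anything else is worth a look.

```python
"""Triage access logs for JSON:API / Views requests whose query-parameter
array keys contain non-identifier characters.  Added example, not Drupal
code.  Log lines are constructed; the allowlist is a conservative
heuristic, not a signature of any particular payload."""
import re
from urllib.parse import unquote_plus

# Request target from a common combined-log format (assumption).
LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# A Drupal field, operator or group name only ever needs these characters.
SAFE_KEY = re.compile(r'^[A-Za-z0-9_.\-]*$')
# Paths where filter parameters become entity queries (extend with your
# own Views display paths; these two are assumptions).
WATCHED_PREFIXES = ("/jsonapi/", "/views/ajax")

# Constructed sample: two benign filters, one request with a quote in a key,
# and one request outside the watched paths.
LOG_SAMPLE = [
    '10.0.0.5 - - [23/May/2026:10:00:01 +0000] "GET /jsonapi/node/article'
    '?filter[title][value]=hello&page[limit]=5 HTTP/1.1" 200 812',
    '10.0.0.9 - - [23/May/2026:10:00:07 +0000] "GET /jsonapi/node/article'
    '?filter[a][condition][path]=title&filter[a][condition][value]=x HTTP/1.1" 200 640',
    '198.51.100.7 - - [23/May/2026:10:02:13 +0000] "GET /jsonapi/node/article'
    '?filter[a][condition][path]=title&filter[x%27][b]=1 HTTP/1.1" 500 120',
    '10.0.0.5 - - [23/May/2026:10:03:00 +0000] "GET /search?q[a b]=1 HTTP/1.1" 200 300',
]

def array_keys(query: str):
    """Yield every bracketed key as PHP's parser would: a[b][c]=1 -> b, c."""
    for pair in query.split("&"):
        name = unquote_plus(pair.split("=", 1)[0])
        yield from re.findall(r"\[([^\]]*)\]", name)

def suspicious_keys(target: str):
    """Array keys in a watched request target that fail the allowlist."""
    path, _, query = target.partition("?")
    if not path.startswith(WATCHED_PREFIXES):
        return []
    return [k for k in array_keys(query) if not SAFE_KEY.match(k)]

def triage(lines):
    """Return (line_number, offending_keys) for each flagged log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if m and (keys := suspicious_keys(m.group(1))):
            hits.append((n, keys))
    return hits

if __name__ == "__main__":
    for n, keys in triage(LOG_SAMPLE):
        print(f"line {n}: suspicious array keys {keys}")
```

Flagged lines are candidates for a closer look alongside the `watchdog` and `sessions` checks above, not proof of compromise.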
If you run Drupal on MySQL/MariaDB:
- You're not affected by this specific CVE. But update anyway. The May 2026 security release addresses multiple issues.
If you run any CMS:
- Know your stack. What CMS? What version? What database? What modules/plugins? If you can't answer these questions, you can't respond when a CVE drops. You're flying blind.
- Subscribe to your CMS's security advisories. Drupal, WordPress, Joomla. When a critical advisory drops, you need to know the same day.
- Consider whether a dynamic CMS is the right choice. If your website is primarily informational (company info, services, contact details), a static site has zero database to inject, zero admin panel to compromise, and zero plugins to backdoor. Less attack surface, less maintenance, less risk. That's how our site is built.
#Further reading
- Drupal SA-CORE-2026-004 - official security advisory
- NVD: CVE-2026-9082 - vulnerability details
- Tenable Analysis - technical breakdown
- OWASP SQL Injection Prevention - how to prevent this class of vulnerability
- CISA KEV Catalog - actively exploited vulnerabilities list