Drupal admins rushing to patch maximum severity SQL injection vulnerability

Administrators of the Drupal open source content management platform are rushing to install an emergency patch issued today to fix a “highly critical” SQL injection vulnerability in the application’s core.

While the vulnerability only affects websites that use the PostgreSQL database, there may be upstream issues with Symfony, a set of PHP packages and web application frameworks used by Drupal, and Twig, an open-source template engine for the PHP programming language. Consequently, Twig was updated to version 3.26.0, and Symfony issued a series of security advisories.

As a result, Drupal urges admins using these applications to update them as well, whether or not the SQL injection vulnerability affects their systems. Helpfully, the Drupal fix issued today includes updates for both Symfony and Twig.

The vulnerability in Drupal’s core, CVE-2026-9082, is in a database abstraction API that ensures queries against the database are sanitized to prevent SQL injection attacks.

In its warning, Drupal said a vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL injection for sites using PostgreSQL databases. This can lead to information disclosure, and, in some cases, privilege escalation, remote code execution (RCE), or other attacks.

The vulnerability can be exploited by anonymous users.

Drupal admins have known since Monday that the core security release for all supported branches was coming. The Drupal Security Team had urged admins to reserve time for the updates on May 20 “because exploits might be developed within hours or days.”

The Drupal patches cover supported branches 11.3, 11.2, 10.6, and 10.5. After installing the patch, admins should update to a newer version of the software.

Versions below 11.1.x, 11.0.x and 10.4.x are end of life and are ineligible for the official fixes. However, because of the flaw’s severity, Drupal will shortly issue unsupported, best-effort patches. Users of any version of Drupal 9 can try manually applying the Drupal 9.5 patch, and users of Drupal 8.9 can try manually applying the Drupal 8.9 patch. Those unsupported versions will still contain other previously disclosed security vulnerabilities.

Drupal 7 isn’t affected.

Sites that use the Drupal Steward web application firewall are already protected from known attack vectors, but should upgrade in the near future in case additional attack vectors are discovered, the company said.

“That’s a nasty vulnerability,” commented Robert Enderle, a consultant who heads the Enderle Group. “It’s about as bad as it sounds.”

Drupal admins must patch right now, he said. Update Drupal Core immediately, based on the currently supported branch. Those who are “still dragging their feet” on unsupported, end-of-life Drupal versions 8 or 9 need to apply the manual best-effort patches provided. Better yet, he added, they should prioritize migrating to a modern version of Drupal as soon as possible.

“Don’t ignore it if you aren’t on PostgreSQL,” Enderle stressed. “Even if IT is running MySQL or SQLite and thinks they are safe from the main [Drupal] bug, they still must apply the update. This release includes critical upstream security fixes for Symfony and Twig dependencies that affect all environments.”

In addition, he said, admins need to lock down access permissions. Because of the Twig vulnerabilities, IT needs to audit who actually has the ability to update Twig templates via Views or other modules and restrict that access to trusted admins only.

Enderle also urged admins to examine their PostgreSQL and web application firewall logs for “any weird anonymous user activity or suspicious SQL queries leading up to this patch.”
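The log review Enderle recommends can be partly automated. The script below is an added example, not code from the article, from Drupal or from the Enderle Group: it scans PostgreSQL server log lines for common SQL injection indicators (UNION SELECT, comment sequences, pg_sleep-based delays, catalog reads, tautologies, stacked statements, and parser syntax errors that failed probes typically leave behind) and groups hits by backend session so an analyst can prioritise. It assumes `log_statement = 'all'` and a `log_line_prefix` of `'%m [%p] %u@%d '`; the log lines it runs on are constructed for the example, not captured from any real site, and the indicator list is a starting point to tune, not a complete signature set.

```python
"""Scan PostgreSQL statement logs for SQL injection indicators.

Added example (not Drupal's code). Assumes log_statement = 'all' and
log_line_prefix = '%m [%p] %u@%d ' so the backend pid and role are visible.
"""
import re
from collections import Counter
from dataclasses import dataclass

# One log entry: timestamp, tz, [pid], user@db, LEVEL:  message
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<tz>\S+) \[(?P<pid>\d+)\] (?P<user>[^@]+)@(?P<db>\S+) "
    r"(?P<level>LOG|ERROR|STATEMENT|FATAL|WARNING):\s+(?P<msg>.*)$"
)

# Heuristic indicators; each is a (name, pattern) pair checked against the SQL text.
INDICATORS = [
    ("union_select", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
    ("sql_comment", re.compile(r"--|/\*")),
    ("time_delay", re.compile(r"\bpg_sleep\s*\(", re.I)),
    ("catalog_read", re.compile(r"\b(pg_catalog|information_schema)\.\w+|\bpg_(user|shadow|roles)\b", re.I)),
    ("tautology", re.compile(r"\b(OR|AND)\s+(\d+)\s*=\s*\2\b", re.I)),
    ("stacked_query", re.compile(r";\s*(SELECT|INSERT|UPDATE|DELETE|DROP|COPY)\b", re.I)),
]

# Constructed sample log (not real traffic). Session 4022 behaves like a probe:
# a syntax error, then a tautology, a UNION with a comment, and a timing query.
SAMPLE_LOG = """\
2026-05-20 09:58:12.101 UTC [4021] drupal@drupal LOG:  statement: SELECT nid, title FROM node_field_data WHERE status = 1 ORDER BY created DESC LIMIT 10
2026-05-20 09:58:14.332 UTC [4021] drupal@drupal LOG:  statement: SELECT uid FROM users_field_data WHERE name = 'alice'
2026-05-20 09:59:01.007 UTC [4022] drupal@drupal ERROR:  syntax error at or near "'" at character 58
2026-05-20 09:59:01.007 UTC [4022] drupal@drupal STATEMENT:  SELECT uid FROM users_field_data WHERE name = 'x'' AND 1=1'
2026-05-20 09:59:05.410 UTC [4022] drupal@drupal LOG:  statement: SELECT 1 FROM users_field_data WHERE name = 'x' UNION SELECT pass FROM users_field_data --
2026-05-20 09:59:09.811 UTC [4022] drupal@drupal LOG:  statement: SELECT 1 WHERE 1=(SELECT 1 FROM pg_sleep(5))
2026-05-20 10:00:30.000 UTC [4023] drupal@drupal LOG:  statement: SELECT * FROM cache_bootstrap WHERE cid = 'system.module.files'
"""


@dataclass
class Finding:
    pid: str
    user: str
    level: str
    reasons: tuple
    text: str


def classify(level, msg):
    """Return the indicator names that fire for one log entry (empty if benign)."""
    reasons = []
    if level == "ERROR" and "syntax error" in msg:
        reasons.append("syntax_error")  # failed probes surface as parser errors
        return reasons
    if level == "LOG":
        if not msg.startswith("statement: "):
            return reasons  # checkpoints, connection messages, etc.
        msg = msg[len("statement: "):]
    elif level != "STATEMENT":
        return reasons  # only statement text is worth pattern-matching
    for name, pattern in INDICATORS:
        if pattern.search(msg):
            reasons.append(name)
    return reasons


def scan_log(text):
    """Parse every line and return a Finding for each entry with at least one indicator."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation of a multi-line statement or an unrelated format
        reasons = classify(m["level"], m["msg"])
        if reasons:
            findings.append(Finding(m["pid"], m["user"], m["level"], tuple(reasons), m["msg"]))
    return findings


def sessions_of_concern(findings, min_hits=2):
    """Backend pids with several indicators; one hit alone is often a false positive."""
    counts = Counter(f.pid for f in findings)
    return {pid: n for pid, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"pid={f.pid} {f.level:9} {','.join(f.reasons):25} {f.text[:70]}")
    print("sessions to review:", sessions_of_concern(hits))
```

Run it against the server log directory's files (PostgreSQL's `log_directory`) rather than the embedded sample, and join the flagged pid and timestamp back to the web server or WAF access log to find the anonymous request that produced the query. The `syntax_error` indicator is deliberately loose: by itself it also catches developer typos, which is why the session grouping, not a single hit, is the signal to act on.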

Fritz Jean-Louis, principal cybersecurity advisor at Info-Tech Research Group, agreed that Drupal admins need to act immediately: the vulnerability can be exploited by anyone with the technical knowledge to send a specially crafted query to a Postgres database, and Drupal databases can contain sensitive personal information that a threat actor could exploit.

It’s also frustrating, he said, that SQL injection vulnerabilities are still being found. “As an industry, we’re running out of excuses” for why they continue to pop up in applications, he said. This and similar SQL injection vulnerabilities speak to weaknesses in the application development lifecycles of some organizations.
