Drupal has published security updates for a vulnerability rated "highly critical" that affects Drupal Core and allows an attacker to perform arbitrary SQL injection on sites that use PostgreSQL databases, with possible consequences ranging from information disclosure to privilege escalation and remote code execution. The flaw, tracked as CVE-2026-9082 and carrying a medium CVSS score of 6.5 / 10 according to CVE.org, lies in the database abstraction layer that Drupal uses to validate and sanitize queries; a defective validation lets specially crafted requests bypass those protections when the backend is PostgreSQL (CVE-2026-9082). It is important to stress that exploitation can be carried out by anonymous users, which increases the urgency of applying the patches.
The supported branches that already have releases fixing the problem include Drupal 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10 and 10.4.10; Drupal 7, on the other hand, is not affected. Drupal has also indicated that the releases for the supported branches include upstream updates for Symfony and Twig, so it is crucial to install the full published versions rather than limiting yourself to partial patches. For official instructions on how to update core, refer to the Drupal update documentation (Updating Drupal Core), and to the project's security page for official advisories and packages (Drupal Security).

From an operational and risk standpoint, this vulnerability combines several worrying factors: it only affects installations running PostgreSQL, so many MySQL / MariaDB sites are out of scope, but the possibility of exploitation by anonymous users and the potential escalation to remote code execution make vulnerable installations a priority. In addition, Drupal has published manual "best effort" patches for end-of-life branches such as Drupal 9 and 8, but these patches do not replace full security coverage; the EOL branches will continue to carry other known vulnerabilities with no official patch, so the better medium-term strategy is to migrate to a supported branch.

For administrators and security officers, the immediate roadmap should include applying the published updates as soon as possible after minimal validation in a test environment, taking a full backup before touching production, and reviewing database account permissions to reduce the blast radius in case of exploitation. If updating immediately is not possible due to constraints, it is appropriate to mitigate with temporary Web Application Firewall rules that block suspicious patterns, tighten access rules for the administrative interface, and restrict access to the database from the public network. Rotating database credentials and keys and securing backups are also recommended.
Beyond updating, it is important to look for indicators of compromise derived from SQL injection: unusual queries, creation of unexpected administrative users, code or file modifications in the file system, presence of web shells, and outgoing traffic from the server to unknown destinations. Monitoring web server and PostgreSQL logs can reveal exploitation attempts; intrusion detection tools and file integrity analysis help confirm whether an intrusion succeeded. If you detect abnormal activity, isolate the affected system and perform forensic analysis before restoring from a known-good backup.
More broadly, this incident again highlights the need to maintain a version and patch management policy: use supported versions, automate critical updates where possible, and test upstream dependencies such as Symfony and Twig, which in this case were updated in the fixed branches. To better understand the risk of SQL injection and best practices for mitigating it at the application level, see the OWASP guidance on SQL Injection (OWASP SQL Injection). Finally, if your organization lacks the internal capacity to respond to a possible compromise, consider engaging specialized support or incident response services to ensure full remediation and controlled recovery.
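One way to triage PostgreSQL statement logs for the signs just described, as an added example that is not code from the original article or from the Drupal project: it assumes `log_statement = 'all'` (or an equivalent statement-logging setting) and a `log_line_prefix` of `'%m [%p] %u@%d '`, the signature names are my own, and the log lines it scans are constructed for the example.

```python
import re

# Matches a PostgreSQL statement log line such as
#   2026-03-10 12:00:01 UTC [4711] drupal@drupal LOG:  statement: SELECT ...
# Assumes log_line_prefix = '%m [%p] %u@%d ' and log_statement = 'all';
# adapt the regex to your own log_line_prefix.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<who>\S+) LOG:\s+statement: (?P<sql>.*)$"
)

# Defensive signatures over the logged SQL; each name is reported as an indicator.
INDICATORS = {
    "union_select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I),
    "time_based": re.compile(r"\bpg_sleep\s*\(", re.I),
    "stacked_statement": re.compile(r";\s*(?:create|alter|drop|grant|copy)\b", re.I),
    "role_change": re.compile(r"\b(?:create|alter)\s+(?:role|user)\b", re.I),
    "catalog_probe": re.compile(r"\bpg_(?:user|shadow|authid|roles)\b", re.I),
}

# Constructed sample log (not a real capture): one benign query, three that should
# trip the signatures, and one more benign query.
SAMPLE_LOG = """\
2026-03-10 12:00:01 UTC [4711] drupal@drupal LOG:  statement: SELECT nid, title FROM node_field_data WHERE status = 1 LIMIT 10
2026-03-10 12:00:02 UTC [4711] drupal@drupal LOG:  statement: SELECT name FROM users_field_data WHERE uid = 1 UNION SELECT usename FROM pg_user
2026-03-10 12:00:03 UTC [4712] drupal@drupal LOG:  statement: SELECT 1 FROM users_field_data WHERE uid = 1 AND pg_sleep(5) IS NOT NULL
2026-03-10 12:00:04 UTC [4712] drupal@drupal LOG:  statement: SELECT 1; CREATE ROLE unexpected_admin LOGIN SUPERUSER
2026-03-10 12:00:05 UTC [4713] drupal@drupal LOG:  statement: UPDATE node_field_data SET title = 'Hello' WHERE nid = 5
"""

def parse_statement(line):
    """Return (pid, user@db, sql) for a statement log line, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("pid"), m.group("who"), m.group("sql")

def scan_log(text):
    """Return one finding per logged statement that trips at least one indicator."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        parsed = parse_statement(line)
        if parsed is None:
            continue
        pid, who, sql = parsed
        hits = [name for name, rx in INDICATORS.items() if rx.search(sql)]
        if hits:
            findings.append({"line": line_no, "pid": pid, "who": who,
                             "indicators": hits, "sql": sql})
    return findings
```

On a real system, feed `scan_log` the contents of the PostgreSQL log file and correlate the reported backend pids and timestamps with the web server access log for the same window to find the originating requests.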