(tenable.com) Highly Critical SQL Injection Vulnerability in Drupal Core (CVE-2026-9082): Analysis and Mitigation
New highly critical SQLi in Drupal core (CVE-2026-9082) enables unauthenticated RCE on PostgreSQL-backed sites. Patch immediately.
In brief - CVE-2026-9082 is a highly critical unauthenticated SQL injection in Drupal core’s PostgreSQL EntityQuery handler. Drupal rates it 20/25 (Highly Critical) due to risk of data compromise and RCE. Patches are available for all supported branches, including EOL versions. No exploitation observed yet, but PoC detection code and patch diffs are public.
Technically - The flaw stems from unsanitized PHP array keys reaching SQL placeholder construction in Drupal’s PostgreSQL EntityQuery condition handler. Attackers can inject arbitrary SQL via crafted requests. The fix applies `array_values()` to strip attacker-controlled keys. Only PostgreSQL is affected; MySQL/MariaDB/SQLite are not vulnerable. CVSSv3 6.5 understates the risk; Drupal’s 20/25 rating reflects the unauthenticated attack vector and potential for full data compromise. Historical context (e.g., Drupalgeddon) suggests rapid weaponization is likely.
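The bug class described above, as an added sketch that is not Drupal core code and not taken from the patch: a condition builder that copies array keys into placeholder names, the same builder behind `array_values()`, and a check defenders can run on the generated fragment. The function names, the `nid` field and the sample input are assumptions constructed for illustration.

```php
<?php
// Added illustration, not Drupal core code. All function names are hypothetical.

// Vulnerable pattern: each array key is copied into the placeholder name,
// so the key ends up inside the SQL text itself.
function build_in_unsafe(string $field, array $values): array
{
    $names = [];
    $args = [];
    foreach ($values as $key => $value) {
        $name = ":{$field}_{$key}";
        $names[] = $name;
        $args[$name] = $value;
    }
    return ["{$field} IN (" . implode(', ', $names) . ')', $args];
}

// Hardened pattern: array_values() reindexes to 0..n-1, discarding
// caller-supplied keys before any placeholder name is built.
function build_in_safe(string $field, array $values): array
{
    return build_in_unsafe($field, array_values($values));
}

// Defensive check: the fragment must consist only of generated placeholders.
function fragment_is_clean(string $sql): bool
{
    return preg_match('/^\w+ IN \(:\w+(, :\w+)*\)$/', $sql) === 1;
}

// Constructed input: the shape PHP produces when a request parameter is
// sent as an array with a caller-chosen key.
$values = [0 => 10, 'x) OR (TRUE' => 20];

foreach (['build_in_unsafe', 'build_in_safe'] as $builder) {
    [$sql, $args] = $builder('nid', $values);
    printf("%-16s clean=%s  %s\n", $builder, var_export(fragment_is_clean($sql), true), $sql);
}
```

The values stay bound as parameters in both builders; only the keys differ, which is why reindexing alone closes the gap in this sketch.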