VULNERABILITY OVERVIEW
A highly critical SQL injection vulnerability in Drupal Core's PostgreSQL EntityQuery condition handler (SA-CORE-2026-004) allows fully unauthenticated attackers to inject arbitrary SQL via the JSON login endpoint or JSON:API filter parameters. Successful exploitation can lead to information disclosure, privilege escalation and, in some configurations, remote code execution via pg_exec(). CISA added CVE-2026-9082 to the KEV catalog on May 22, 2026, after Imperva observed more than 15,000 attack attempts against nearly 6,000 sites in 65 countries within 48 hours of disclosure.
CVSS BREAKDOWN
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Impact: C:H · I:H · A:H
AFFECTED VERSIONS
Drupal 8.0.0 through 11.3.9 (PostgreSQL backends only); fixed in 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, 11.3.10
CITATIONS
- https://www.drupal.org/sa-core-2026-004
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://thehackernews.com/2026/05/drupal-core-sql-injection-bug-actively.html
- https://slcyber.io/research-center/keys-to-the-kingdom-anonymous-sql-injection-in-drupal-core-cve-2026-9082/
- https://nvd.nist.gov/vuln/detail/CVE-2026-9082
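The affected-version range and the per-branch fixed releases listed above are the data a site owner needs to triage an installation. The following exposure check is an added example written for this page; it is not code from Drupal or from the advisory. It encodes only the version facts the advisory states (affected 8.0.0 through 11.3.9, PostgreSQL backends only, fixed in the six releases named) and assumes the driver string from Drupal's settings.php ($databases['default']['default']['driver'], where PostgreSQL is 'pgsql'). The version string is assumed to be the value of Drupal::VERSION, optionally with a -dev style suffix.

```python
"""Exposure check for SA-CORE-2026-004 / CVE-2026-9082 (added example, not project code)."""

from typing import Optional, Tuple

# Facts taken from the advisory summary above.
AFFECTED_MIN = (8, 0, 0)
AFFECTED_MAX = (11, 3, 9)
FIXED_RELEASES = [
    (10, 4, 10), (10, 5, 10), (10, 6, 9),
    (11, 1, 10), (11, 2, 12), (11, 3, 10),
]

# Assumption: Drupal's PostgreSQL driver is selected with driver => 'pgsql'.
POSTGRES_DRIVERS = {"pgsql", "postgresql"}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '11.3.9' or '10.5.10-dev' into a comparable (major, minor, patch) tuple."""
    core = version.strip().split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def remediation_target(version: str) -> Optional[str]:
    """Return the fixed release on the same minor branch, or None if the advisory names none."""
    major, minor, _ = parse_version(version)
    for fixed in FIXED_RELEASES:
        if fixed[:2] == (major, minor):
            return ".".join(str(n) for n in fixed)
    return None


def is_vulnerable(version: str, db_driver: str) -> bool:
    """True when this install is inside the affected range and runs on PostgreSQL.

    Branches with a fixed release are vulnerable below that release; branches the
    advisory lists no fix for (e.g. end-of-life 9.x) are treated as vulnerable
    throughout the affected range, since no patched build exists for them.
    """
    if db_driver.strip().lower() not in POSTGRES_DRIVERS:
        return False  # MySQL/MariaDB/SQLite backends are out of scope per the advisory
    v = parse_version(version)
    if v < AFFECTED_MIN or v > AFFECTED_MAX:
        return False
    for fixed in FIXED_RELEASES:
        if fixed[:2] == v[:2]:
            return v < fixed
    return True


def assess(version: str, db_driver: str) -> str:
    """Human-readable triage line for an inventory report."""
    if not is_vulnerable(version, db_driver):
        return f"Drupal {version} on {db_driver}: not affected by CVE-2026-9082"
    target = remediation_target(version)
    if target is None:
        return (f"Drupal {version} on {db_driver}: VULNERABLE, no fixed release on this "
                f"branch; upgrade to a supported branch")
    return f"Drupal {version} on {db_driver}: VULNERABLE, upgrade to {target}"


if __name__ == "__main__":
    # Constructed inventory rows, not real hosts.
    inventory = [("11.3.9", "pgsql"), ("11.3.10", "pgsql"),
                 ("10.4.2", "pgsql"), ("9.5.11", "pgsql"), ("11.3.9", "mysql")]
    for ver, drv in inventory:
        print(assess(ver, drv))
```

Run it against an inventory export (version plus driver per site); a site on a PostgreSQL backend at or below 11.3.9 whose branch has a fixed release should be moved to that release, and sites on branches with no listed fix need a branch upgrade rather than a point release.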