ctipilot.ch

Drupal core highly-critical pre-auth SQL injection in database abstraction API on PostgreSQL backends (SA-CORE-2026-004)

cve · CVE-2026-9082

Coverage timeline: 1 (first 2026-05-21 → last 2026-05-21)
Briefs: 1 (1 distinct)
Sources cited: 14 (11 hosts)
Sections touched: 0
Co-occurring entities: 4 (see Related entities below)

Story timeline

  1. 2026-05-21: CTI Daily Brief — 2026-05-21

Source distribution

  • drupal.org 4 (29%)
  • csoonline.com 1 (7%)
  • security-hub.ncsc.admin.ch 1 (7%)
  • securityweek.com 1 (7%)
  • cert.pl 1 (7%)
  • microsoft.com 1 (7%)
  • msrc.microsoft.com 1 (7%)
  • stepsecurity.io 1 (7%)
  • other 3 (21%)

Related entities

External references

NVD · cve.org · CISA KEV

Items in briefs about Drupal core highly-critical pre-auth SQL injection in database abstraction API on PostgreSQL backends (SA-CORE-2026-004) (1)

UPDATE: Drupal SA-CORE-2026-004 / CVE-2026-9082 ships — "highly critical" pre-auth SQL injection in core database API, PostgreSQL-only

From CTI Daily Brief — 2026-05-21 · published 2026-05-21

UPDATE (originally covered 2026-05-20): yesterday's brief carried Drupal's PSA pre-warning that a "highly critical" core advisory was scheduled for 2026-05-20; today the SA-CORE-2026-004 advisory landed with CVE-2026-9082 assigned — an anonymous SQL-injection in Drupal core's database abstraction API (CWE-89) rated 20/25 on Drupal's risk scale (Highly Critical) that affects only PostgreSQL-backed installations. Specially-crafted HTTP requests slip past sanitisation in the core DB-API layer and inject arbitrary SQL with no authentication; successful exploitation leads to information disclosure, privilege escalation and — in some database configurations — RCE. The Drupal Security Team explicitly stated that "exploits might be developed within hours or days" of advisory release (Drupal PSA, 2026-05-18).

Affected versions: 8.9.0 through 10.4.10, 10.5.x < 10.5.10, 10.6.x < 10.6.9, 11.0.0 through 11.1.10, 11.2.x < 11.2.12, 11.3.x < 11.3.10. Patched: 10.4.10 / 10.5.10 / 10.6.9 / 11.1.10 / 11.2.12 / 11.3.10 (released 2026-05-20). MySQL / MariaDB / SQLite installations are not affected by this CVE. Drupal 7 is unaffected; sites on EOL Drupal 8/9 majors must apply manual patch files. Drupal Steward WAF subscribers receive vendor-provided rules at advisory release per the service description; non-subscriber sites must apply the core update. NCSC-CH carried the advisory in its Security Hub (NCSC-CH, 2026-05-19; SecurityWeek, 2026-05-19; CSO Online, 2026-05-20).

Defender takeaway: detection — PostgreSQL slow-query logs and pg_stat_activity for abnormal SQL statements from the Drupal application user; web-server access logs for unusual URL-encoded SQL meta-characters in POST/GET parameters proxied through the Drupal DB-API layer; WAF rules targeting PostgreSQL-specific injection patterns (UNION, CAST, pg_sleep). Hardening — patch immediately on PostgreSQL backends; if patch deployment is blocked by change-control, temporarily front the site with the Drupal Steward WAF or apply a temporary WAF rule covering known SQL-injection vectors at the DB-API layer.
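Added example, not part of the brief and not Drupal or Steward code: a small Python scanner for the access-log detection idea above. It URL-decodes each request target repeatedly (so double-encoded parameters are normalised) and scores the PostgreSQL-flavoured tokens the brief names (UNION, CAST, pg_sleep) plus a few low-weight generic SQL tokens. The log lines, IP addresses, indicator weights and threshold are all constructed assumptions for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [21/May/2026:08:01:12 +0000] "GET /node/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [21/May/2026:08:01:13 +0000] "GET /search/node?keys=drupal%20postgres HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.7 - - [21/May/2026:08:02:40 +0000] "GET /node?sort=1%27%20UNION%20SELECT%20pg_sleep(5)-- HTTP/1.1" 500 312 "-" "curl/8.0"
198.51.100.7 - - [21/May/2026:08:02:41 +0000] "POST /user/login?destination=1%253B%2520SELECT%2520CAST(version()%2520AS%2520text) HTTP/1.1" 403 0 "-" "curl/8.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# Indicator name -> (weight, pattern). The brief names UNION, CAST and pg_sleep as
# PostgreSQL-specific injection markers; the last entry covers generic SQL syntax
# (quote, comment, stacked statement) and only adds weight to a stronger hit.
INDICATORS = {
    "pg_sleep":            (3, re.compile(r"pg_sleep\s*\(", re.I)),
    "union_select":        (3, re.compile(r"\bunion\b[\s/*]+(?:all[\s/*]+)?select\b", re.I)),
    "cast":                (2, re.compile(r"\bcast\s*\(", re.I)),
    "quote_comment_stack": (1, re.compile(r"'|--|/\*|;\s*\w")),
}
THRESHOLD = 3  # constructed: flag when the summed weights reach this value

def full_decode(s, max_passes=3):
    """URL-decode repeatedly so double-encoded payloads (e.g. %2527) are normalised."""
    for _ in range(max_passes):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s

def score_target(target):
    """Return (score, [indicator names]) for one raw request target (path + query)."""
    decoded = full_decode(target)
    hits = [name for name, (_, rx) in INDICATORS.items() if rx.search(decoded)]
    return sum(INDICATORS[h][0] for h in hits), hits

def scan_log(text):
    """Return the requests whose indicator score meets THRESHOLD, in log order."""
    flagged = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        score, hits = score_target(m["target"])
        if score >= THRESHOLD:
            flagged.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                            "target": full_decode(m["target"]), "score": score, "hits": hits})
    return flagged
```

Run `scan_log` over a real access log and pivot on the `ip` field to see which clients repeat; a single high-weight hit with a 500 response, as in the third sample line, is the pattern worth correlating with the PostgreSQL query log the brief also mentions.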