
CVE-2026-9082: Mitigating a Critical SQL Injection Vulnerability in Drupal

A critical SQL injection vulnerability (CVE-2026-9082) in Drupal core allows unauthenticated attackers to exfiltrate sensitive data or bypass authentication. The flaw specifically affects Drupal environments utilizing a PostgreSQL database backend alongside the JSON:API, Views, or Entity autocomplete modules, stemming from the improper sanitization of PHP array keys before they reach the database abstraction layer.

Sens: Immediate · Conf: High · Analyzed: 2026-05-22

Authors: Akamai Security Research

Source: Akamai

IOCs · 1


What Happened

A critical security flaw has been found in Drupal, a popular website content management system. This vulnerability affects websites using specific database setups (PostgreSQL) and allows attackers to steal sensitive information, like user passwords, without needing to log in. It is important because it exposes core website data to anyone who knows how to send a specially crafted web request. Website administrators should immediately update their Drupal software to the latest patched versions to protect their sites.

Key Takeaways

  • A critical SQL injection vulnerability (CVE-2026-9082) in Drupal core allows unauthenticated attackers to bypass authentication and exfiltrate sensitive data.
  • The flaw exploits how PHP array keys are parsed and passed unsanitized to the PostgreSQL database driver.
  • Only Drupal environments using a PostgreSQL backend alongside JSON:API, Views exposed filters, or Entity autocomplete endpoints are affected.
  • Drupal versions 8, 9, 10, and 11 are vulnerable; Drupal 7 is structurally different and unaffected.
  • Akamai App & API Protector successfully mitigates the threat out-of-the-box via its SQL injection risk group.

Affected Systems

  • Drupal 11 (branches 11.0.x through 11.3.x)
  • Drupal 10 (branches 10.0.x through 10.6.x)
  • Drupal 9 (all versions 9.0.x through 9.5.x)
  • Drupal 8 (all versions 8.0.x through 8.9.x)
  • PostgreSQL database backends
  • JSON:API core module
  • Views exposed filters
  • Entity autocomplete endpoints

Vulnerabilities (CVEs)

  • CVE-2026-9082

Attack Chain

An unauthenticated attacker sends a crafted HTTP request containing malicious PHP array keys to a vulnerable Drupal endpoint, such as JSON:API or Views. The Drupal core preserves these array keys and passes them unsanitized to the PostgreSQL database driver. The database driver converts these keys into database placeholder names, resulting in a SQL injection. The attacker leverages this injection to bypass authentication or extract sensitive data, such as password hashes, via subquery-based blind data extraction.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: Yes
  • Platforms: Akamai App & API Protector

Akamai App & API Protector provides out-of-the-box WAF rules (950902, 959073, 981255, and 3000101) to detect and block the malicious array keys associated with this exploit.

Detection Engineering Assessment

  • EDR Visibility: None. This is a web application SQL injection vulnerability exploiting backend database queries; EDR tools typically do not inspect HTTP request parameters or backend SQL queries.
  • Network Visibility: High. The exploit relies on crafted HTTP requests with malicious array keys, which Web Application Firewalls (WAFs) and network traffic analysis tools can inspect.
  • Detection Difficulty: Moderate. WAFs can detect standard SQLi patterns in array keys, but confirming exploitation of this specific vulnerability requires deep inspection of HTTP request parameters and correlation with PostgreSQL database logs.

Required Log Sources

  • WAF logs
  • Web server access logs
  • Database query logs

Hunting Hypotheses

  • Hypothesis: Consider hunting for anomalous HTTP requests targeting JSON:API, Views exposed filters, or Entity autocomplete endpoints containing unusual or SQL-syntax-heavy array keys.
    Telemetry: WAF logs, web server access logs
    ATT&CK Stage: Initial Access
    FP Risk: Low
  • Hypothesis: If you have visibility into database queries, consider hunting for unexpected subqueries or blind SQL injection patterns originating from the Drupal application user against the PostgreSQL database.
    Telemetry: Database query logs
    ATT&CK Stage: Credential Access
    FP Risk: Medium

Control Gaps

  • Lack of WAF inspection on HTTP request array keys
  • Missing database query monitoring for anomalous extraction patterns

Key Behavioral Indicators

  • HTTP requests with SQL keywords embedded in array keys rather than parameter values
  • Anomalous database queries originating from pgsql/src/EntityQuery/Condition.php
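The first indicator above (SQL syntax inside array keys rather than parameter values) and the first hunting hypothesis can both be turned into a check over web server access logs. The script below is an added example for this page; it is not Akamai's detection logic and does not reproduce the WAF rules named earlier. The endpoint path prefixes, the Common Log Format layout and the four sample log lines are constructed assumptions. It decodes PHP-style bracket parameters (filter[a][b]=...) and reports only requests where a bracket segment of a parameter name, not its value, carries SQL tokens, which is exactly the distinction the indicator draws.

```python
"""Flag access-log requests whose PHP array *keys* carry SQL syntax.

Added example, not the advisory's or Akamai's own code. Endpoint prefixes,
log format and sample lines are assumptions constructed for illustration.
"""
import re
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

# Endpoint families named in the advisory; the exact path prefixes are assumptions.
WATCHED_PREFIXES = ("/jsonapi/", "/views/", "/entity_reference_autocomplete/")

# Tokens that have no business inside a parameter *name*. A key names a field or
# operator, so quotes, comment markers, parentheses and SQL keywords are all out of place.
SQL_IN_KEY = re.compile(
    r"(?i)(?:\b(?:select|union|from|where|case|when|sleep|pg_sleep)\b|--|/\*|;|'|\"|\(|\))"
)

# Request line of a Common/Combined Log Format entry: method, target, status.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def split_php_keys(name: str) -> list[str]:
    """'filter[a][b]' -> ['filter', 'a', 'b']. parse_qsl has already percent-decoded the name."""
    head, sep, rest = name.partition("[")
    segments = [head]
    if sep:
        segments.extend(re.findall(r"\[([^\]]*)\]", "[" + rest))
    return segments


def suspicious_keys(query: str) -> list[str]:
    """Return every bracket segment of every parameter name that contains SQL syntax.

    Values are deliberately ignored: SQL in a value is ordinary SQLi, not this indicator.
    """
    hits = []
    for name, _value in parse_qsl(query, keep_blank_values=True):
        for seg in split_php_keys(name):
            if SQL_IN_KEY.search(seg):
                hits.append(seg)
    return hits


def analyze_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return a finding for a watched endpoint with SQL in a key."""
    m = REQUEST_LINE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.startswith(WATCHED_PREFIXES):
        return None
    keys = suspicious_keys(parts.query)
    if not keys:
        return None
    return {"path": parts.path, "status": int(m.group("status")), "keys": keys}


def scan_log(lines) -> list[dict]:
    """Run analyze_line over an iterable of log lines and keep the findings."""
    return [f for f in (analyze_line(line) for line in lines) if f]


# Constructed sample lines (not real traffic):
#   1. benign JSON:API filter
#   2. SQL in a parameter *value* (ordinary SQLi, intentionally not flagged here)
#   3. SQL in a parameter *key* (the indicator this advisory describes)
#   4. same kind of key on an endpoint outside the watched families
SAMPLE_LOG = [
    '203.0.113.10 - - [22/May/2026:10:00:01 +0000] "GET /jsonapi/node/article?filter[title][value]=hello HTTP/1.1" 200 512',
    '203.0.113.11 - - [22/May/2026:10:00:02 +0000] "GET /jsonapi/node/article?filter[title][value]=x%27%20OR%201%3D1-- HTTP/1.1" 400 120',
    '203.0.113.12 - - [22/May/2026:10:00:03 +0000] "GET /jsonapi/node/article?filter[title%27%20UNION%20SELECT%201--][value]=x HTTP/1.1" 500 0',
    '203.0.113.13 - - [22/May/2026:10:00:04 +0000] "GET /user/login?filter[title%27%20UNION%20SELECT%201--]=x HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Only the third sample line produces a finding; the second, which carries the same fragment in a value, is left to the WAF's ordinary SQLi rules, and the fourth is dropped by the path filter so the list stays tied to the endpoint families the advisory names. Percent-encoded brackets (%5B/%5D) decode correctly because parse_qsl unquotes names before the key split, and the 5xx status on a flagged request is worth correlating with PostgreSQL logs, as the second hunting hypothesis suggests.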

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Update Drupal core installations to the designated patch releases (Drupal 11.3.x/11.2.x, Drupal 10.6.x/10.5.x) immediately.
  • If using Akamai App & API Protector or a similar WAF, ensure the SQL injection risk group is enabled in block or deny mode.

Infrastructure Hardening

  • Evaluate whether your WAF is configured to inspect structural elements of HTTP requests, such as array keys, in addition to standard parameter values.
  • Consider implementing database query monitoring to detect anomalous data extraction patterns or subqueries.

User Protection

  • N/A

Security Awareness

  • N/A

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application