A critical SQL injection vulnerability (CVE-2026-9082) in Drupal core allows unauthenticated attackers to exfiltrate sensitive data or bypass authentication. The flaw specifically affects Drupal environments utilizing a PostgreSQL database backend alongside the JSON:API, Views, or Entity autocomplete modules, stemming from the improper sanitization of PHP array keys before they reach the database abstraction layer.