Drupal patches PostgreSQL flaw that can lead to remote code execution

Drupal has released emergency security updates for CVE-2026-9082, a PostgreSQL-specific flaw in Drupal Core that can let anonymous attackers send crafted requests and trigger arbitrary SQL injection. In the worst case, Drupal says the bug can lead to information disclosure, privilege escalation, or remote code execution.
The issue matters because it sits in Drupal's database abstraction layer, code that many site owners rarely think about because it is supposed to sanitize queries before they reach the database. When that layer breaks, the blast radius extends beyond a single module: the vulnerability affects core request handling on sites that run PostgreSQL, which means attackers may not need an authenticated account to start probing for access.
According to details highlighted by The Hacker News, the flaw only affects Drupal deployments that use PostgreSQL rather than MySQL or MariaDB. Drupal has published patched releases for supported branches including 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, and 10.4.10. Drupal 7 is not affected, while unsupported Drupal 8 and Drupal 9 branches received best-effort manual patches because of the severity of the bug.
That version list is an important signal for administrators. If a team is still running an end-of-life branch, this advisory is a reminder that unsupported software can quickly turn a database bug into a broader incident-response problem. Even for supported branches, patching only the core package is not enough if staging, backup, or secondary environments are left behind on older builds.
For security teams, the immediate job is straightforward: identify every Drupal site that uses PostgreSQL, update to the fixed branch, and review logs for suspicious unauthenticated requests touching database-facing endpoints. Source reporting came from The Hacker News, based on Drupal's security advisory and release guidance.
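One way to run the inventory step described above is sketched below. It is an added example, not code from Drupal or The Hacker News. The site names and versions are constructed sample data, and `pgsql` is Drupal's driver name for PostgreSQL.

```python
import re

# First fixed release per branch, as listed in the article. The article says
# "including", so a branch missing here is reported for review, never as safe.
FIXED = {(11, 3): 10, (11, 2): 12, (11, 1): 10,
         (10, 6): 9, (10, 5): 10, (10, 4): 10}

# Constructed sample inventory: (site, Drupal core version, database driver).
INVENTORY = [
    ("www-prod", "10.5.9", "pgsql"),
    ("www-staging", "10.5.10", "pgsql"),
    ("intranet", "11.2.3", "mysql"),
    ("legacy-shop", "9.5.11", "pgsql"),
    ("archive", "7.98", "pgsql"),
    ("backup-replica", "11.0.4", "pgsql"),
    ("dev-box", "11.3.x-dev", "pgsql"),
]

def triage(version, driver):
    """Classify one site as (status, detail) using only the article's facts."""
    if driver.strip().lower() != "pgsql":
        return ("not-affected", "database is not PostgreSQL")
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        return ("review", "version string not parseable, check manually")
    major, minor, patch = (int(g or 0) for g in m.groups())
    if major == 7:
        return ("not-affected", "Drupal 7 is not affected")
    if major in (8, 9):
        return ("unsupported", "end-of-life branch, manual patch or upgrade")
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return ("review", "branch not in the article's list, see the advisory")
    if patch >= fixed:
        return ("patched", f"at or above {major}.{minor}.{fixed}")
    return ("vulnerable", f"update to {major}.{minor}.{fixed} or later")

def report(inventory):
    """Return triage rows with the sites that need action listed first."""
    order = {"vulnerable": 0, "unsupported": 1, "review": 2, "patched": 3, "not-affected": 4}
    rows = [(site, *triage(ver, drv)) for site, ver, drv in inventory]
    return sorted(rows, key=lambda r: order[r[1]])

if __name__ == "__main__":
    for site, status, detail in report(INVENTORY):
        print(f"{site:15} {status:13} {detail}")
```

Staging, backup, and secondary environments belong in the same inventory as production, so that a build left behind on an older release shows up in the same report.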
Originally reported by The Hacker News. Read the original article for additional details.