
Drupal SA-CORE-2026-004 Explained: What Site Owners Need to Know About the Highly Critical SQL Injection Advisory

On May 20, 2026, the Drupal Security Team published a highly critical Drupal core security advisory: SA-CORE-2026-004, assigned CVE-2026-9082. The advisory affects Drupal core, not a contributed module, and is specifically tied to sites using PostgreSQL databases. Drupal gave the issue a risk score of 20 out of 25, which places it in the Highly critical band.

This advisory followed a public service announcement, PSA-2026-05-18, issued two days earlier. In that PSA, Drupal warned site owners to reserve time for a core security release on May 20, 2026, because exploits for highly critical Drupal vulnerabilities can sometimes appear within hours or days of release.

What the vulnerability is

Drupal core includes a database abstraction API. It sits between Drupal's PHP code (core, contributed modules, and custom code) and the database driver, and it is meant to build queries with placeholders so that untrusted values reach the database as parameters rather than as concatenated SQL.

In this case, the vulnerability exists in that database abstraction layer. According to the advisory, an attacker can send specially crafted requests that may result in arbitrary SQL injection on Drupal sites using PostgreSQL.

SQL injection is dangerous because it lets an attacker alter the queries the application sends to the database. Depending on the application, permissions, database configuration, and exposed functionality, this can lead to serious outcomes such as:

  • Information disclosure
  • Unauthorized data changes
  • Privilege escalation
  • Remote code execution in some cases
  • Chained attacks against other parts of the site

The advisory states that this vulnerability can be exploited by anonymous users, which significantly increases the risk because an attacker does not need a Drupal account to attempt exploitation.

Who is affected?

The advisory is for Drupal core, so administrators should treat it as a core platform issue rather than a contributed project issue.

The most important affected configuration noted in the advisory is Drupal sites using PostgreSQL databases.

Drupal also stated in the earlier PSA that not all configurations are affected, but site owners were urged to reserve time during the release window to determine whether their sites needed an immediate update.

That distinction matters. A Drupal site using MySQL or MariaDB may not be affected in the same way as a PostgreSQL-backed site, but administrators should still read the official advisory, confirm their exact Drupal version and database configuration, and apply the recommended updates where applicable.

Why the risk rating is so high

The advisory is rated:

  • Highly critical: 20 / 25
  • AC:None / A:None / CI:All / II:All / E:Theoretical / TD:Uncommon

In plain language, each element of that vector means:

Access complexity: none. Exploitation requires no unusual preconditions on the target site.

Authentication: none. Anonymous users can exploit it; no account is needed.

Confidentiality impact: all. Sensitive data in the database may be exposed.

Integrity impact: all. Attackers may be able to alter data.

Exploit maturity: theoretical. At the time of publication Drupal knew of no public exploit, but the PSA warned that exploits might be developed quickly after disclosure.

Target distribution: uncommon. Only a subset of Drupal sites is exploitable; per the advisory, those running on PostgreSQL.

The first four elements are each at the maximum for their category. Only exploit maturity and target distribution hold the score below 25, and exploit maturity changes as soon as someone publishes a proof of concept.

Even when exploit maturity starts as theoretical, highly critical Drupal core issues deserve urgent attention because public advisories give attackers enough information to begin researching attack paths.

Why the PSA mattered

The earlier notice, PSA-2026-05-18, did not disclose full technical details. That is intentional. Security teams often publish advance warnings so organizations can prepare maintenance windows without giving attackers the details before a fix is available.

Drupal's PSA said there would be a security release for all supported branches on May 20, 2026, between 17:00 and 21:00 UTC. It also recommended updating to the latest supported patch release before the security window, so teams could resolve ordinary upgrade issues before the critical release landed.

That advice is practical. When a high-severity security fix is released, the last thing a team wants is to discover that Composer constraints, PHP versions, custom code, or hosting configuration are blocking the update.

What site owners should do now

Site owners should prioritize the following steps.

First, identify whether the site uses PostgreSQL. The advisory specifically calls out PostgreSQL-backed Drupal sites as affected.

Second, check the Drupal core version and update to the fixed release recommended in the official advisory. Since this is a Drupal core issue, patching contributed modules alone will not resolve it.

Third, review logs for suspicious activity. Because anonymous exploitation is possible, teams should look at web server logs, Drupal logs, reverse proxy logs, and database logs for unusual requests around and after May 20, 2026. Look in particular for requests whose parameters carry SQL fragments (quotes, comment markers, UNION SELECT, sleep or delay functions) and for database exceptions in the Drupal log: a failed injection attempt typically produces a database error that Drupal records before a successful one does not.

Fourth, treat exposed database-backed features as higher risk until patched. Search forms, filters, views, API endpoints, and custom routes may all interact with Drupal's database layer.

Finally, apply the update in a controlled but urgent way: back up the database and codebase, deploy the patched core release, clear caches, run database updates if required (update.php or drush updatedb), and verify key user flows.
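The first three steps can be scripted. The shell helper below is an added example, not code from the Drupal Security Team or from the advisory. It assumes a Composer-managed site layout (composer.lock at the project root, sites/default/settings.php) and an Apache-style access log. The injection indicators it greps for are generic SQL-injection tells, not signatures published for this advisory, so treat hits as leads to review rather than confirmed exploitation. The fixture files it can write are constructed for the demonstration and are not real site files.

```shell
#!/usr/bin/env bash
# Triage helper for SA-CORE-2026-004: added example, not code from the Drupal
# Security Team or the advisory. Assumes a Composer-managed site (composer.lock
# at the project root, sites/default/settings.php) and an Apache-style access
# log. The grep patterns are generic SQL-injection indicators, not published
# signatures for this advisory.
set -u

# Print the driver of the default database connection ("pgsql", "mysql", ...)
# from the 'driver' key in settings.php, or "unknown" if no driver line exists.
# First match wins: inspect by hand if settings.php defines several connections.
db_driver_from_settings() {
  grep -E "^[[:space:]]*'driver'[[:space:]]*=>[[:space:]]*'[a-z]+'" "$1" \
    | head -n 1 \
    | sed -E "s/.*'driver'[[:space:]]*=>[[:space:]]*'([a-z]+)'.*/\1/" \
    | grep . || echo unknown
}

# Print the drupal/core version pinned in composer.lock, so it can be compared
# with the fixed release named in the advisory. Matches the exact package name,
# not drupal/core-recommended or drupal/core-composer-scaffold.
core_version_from_lock() {
  awk '/"name": "drupal\/core",/ { found = 1 }
       found && /"version":/ { gsub(/[",]/, "", $2); print $2; exit }' "$1"
}

# Print access-log lines whose request carries common injection tells: quotes
# (raw or %27), SQL comment markers, UNION ... SELECT, or PostgreSQL's pg_sleep.
# Heuristic only; check every hit against the Drupal log for database errors.
flag_suspicious_requests() {
  grep -iE "%27|'|--|%2d%2d|/\*|union(%20|[+]|[[:space:]])+(all(%20|[+]|[[:space:]])+)?select|pg_sleep" "$1" \
    || true
}

# Write constructed fixtures (not real site files) into "$1" so the helpers can
# be exercised offline: a PostgreSQL settings.php, a composer.lock, an access log.
write_sample_fixtures() {
  local dir="$1"
  mkdir -p "$dir/sites/default"
  cat > "$dir/sites/default/settings.php" <<'EOF'
<?php
$databases['default']['default'] = [
  'database' => 'drupal',
  'username' => 'drupal',
  'password' => 'example',
  'host' => 'localhost',
  'port' => '5432',
  'namespace' => 'Drupal\\pgsql\\Driver\\Database\\pgsql',
  'driver' => 'pgsql',
];
EOF
  cat > "$dir/composer.lock" <<'EOF'
{
    "packages": [
        { "name": "drupal/core-recommended", "version": "10.3.2" },
        {
            "name": "drupal/core",
            "version": "10.3.2"
        }
    ]
}
EOF
  cat > "$dir/access.log" <<'EOF'
203.0.113.7 - - [20/May/2026:18:02:11 +0000] "GET /search/node?keys=drupal HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [20/May/2026:21:40:03 +0000] "GET /search/node?keys=x%27%20UNION%20SELECT%201,2-- HTTP/1.1" 200 812 "-" "curl/8.6.0"
198.51.100.4 - - [21/May/2026:02:15:48 +0000] "GET /node?filter=1%20OR%20pg_sleep(5) HTTP/1.1" 400 233 "-" "python-requests/2.32"
EOF
}

# Usage: bash triage.sh /var/www/drupal [/var/log/apache2/access.log]
if [ -n "${1:-}" ]; then
  echo "db driver:    $(db_driver_from_settings "$1/sites/default/settings.php")"
  echo "core version: $(core_version_from_lock "$1/composer.lock")"
  [ -n "${2:-}" ] && flag_suspicious_requests "$2"
fi
```

Run it against the site root and the access log, compare the printed core version with the fixed release in the advisory, and hand any flagged lines to whoever reviews the Drupal log for matching database exceptions. A site whose driver prints anything other than pgsql is outside the configuration the advisory names, but should still be updated on the normal schedule.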

A note on Drupal Steward

The PSA stated that the issue was protected by Drupal Steward, the Drupal Association's web application firewall service, and that sites using Drupal Steward were already protected from the known attack vectors. However, Drupal still recommended upgrading soon in case additional attack vectors were discovered.

That is an important point: protection services can reduce immediate exposure, but they are not a substitute for applying the official security update.

Core, contributed projects, and PSAs: understanding the advisory categories

Drupal security notices are commonly grouped into different categories:

Drupal core advisories cover vulnerabilities in Drupal itself. SA-CORE-2026-004 belongs here.

Contributed project advisories cover modules, themes, and distributions maintained outside core.

Public service announcements, or PSAs, warn the community about upcoming releases, ecosystem-wide concerns, or other security-relevant planning information.

For this incident, the PSA came first on May 18, 2026, warning administrators to prepare. The core advisory followed on May 20, 2026, identifying the issue as a highly critical SQL injection vulnerability in Drupal core.

Bottom line

SA-CORE-2026-004 is a highly critical Drupal core SQL injection advisory affecting PostgreSQL-backed Drupal sites. The combination of SQL injection, anonymous exploitability, and potential impact to confidentiality and integrity makes it urgent.

Even if a site may not be affected, administrators should not assume safety without checking. Confirm the database backend, review the official Drupal advisory, update Drupal core as recommended, and investigate logs for suspicious activity after disclosure.

Reference: Drupal Security Advisories