it-securitynotifies AT lists.piratenpartei.de
Betreff: Sicherheitsankündigungen
Listenarchiv
[IT-SecNots] [Security-news] Drupal core - Highly critical - SQL injection - SA-CORE-2026-004
Chronologisch Thread
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Drupal core - Highly critical - SQL injection - SA-CORE-2026-004
- Date: Wed, 20 May 2026 18:08:22 +0000
- Archived-at: <>
- Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=Cjp4N2m5; dkim=fail ("body hash did not verify") header.d=drupal.org header.s=f34odw3mfzgsrgyn3evjayysxxl6jizn header.b="HHzncHd/"; dkim=fail ("body hash did not verify") header.d=amazonses.com header.s=hsbnp7p3ensaochzwyq5wwmceodymuwv header.b=vxcrxf6t; dmarc=pass (policy=none) header.from=drupal.org; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 2605:bc80:3010::133 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 066B74167F
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 71D7D83C22
- Dmarc-filter: OpenDMARC Filter v1.4.2 smtp1.osuosl.org 71D7D83C22
- Feedback-id: ::1.us-west-2.eaokZ1GT8utLqfMHQoyOsEFVrSIzzS6R+14LP6WIIUY=:AmazonSES
- List-archive: <>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-core-2026-004
Project: Drupal core [1]
Date: 2026-May-20
Security risk: *Highly critical* 20 ∕ 25
AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon [2]
Vulnerability: SQL injection
Affected versions: >= 8.9.0 < 10.4.10 || >= 10.5.0 < 10.5.10 || >= 10.6.0 <
10.6.9 || >= 11.0.0 < 11.1.10 || >= 11.2.0 < 11.2.12 || >= 11.3.0 < 11.3.10
CVE IDs: CVE-2026-9082
Description:
Drupal core includes a database abstraction API to ensure that queries
executed against the database are sanitized to prevent SQL injection attacks.
A vulnerability in this API allows an attacker to send specially crafted
requests, resulting in arbitrary SQL injection for sites using PostgreSQL
databases. This can lead to information disclosure, and in some cases
privilege escalation, remote code execution, or other attacks.
This vulnerability can be exploited by anonymous users.
This vulnerability *only affects sites using PostgreSQL*. However, the
dependency updates in this release apply to all sites.
.... Upstream security advisories
The Drupal releases for supported branches (11.3, 11.2, 10.6, and 10.5) in
this advisory also include security updates for Symfony and Twig. Those
projects have released important Security Advisories [3] that were
coordinated with this Drupal release, and Drupal is affected by some of the
vulnerabilities.
Depending on your site configuration and contrib modules, you may be
vulnerable to one or more of these upstream issues, so *updating these
dependencies is highly recommended whether the SQL Injection vulnerability
affects you or not*. It is also recommended to review which user roles have
the ability to update Twig templates, for example via Views or contributed
modules.
Solution:
Install the latest version.
*The following releases will be available as soon as automated release
packaging is complete.* You may receive a 404 in the interim. The updates may
also be available on Packagist sooner.
.. Drupal 11
* If you use Drupal 11.3.x, update to Drupal 11.3.10 [4].
* If you use Drupal 11.2.x, update to Drupal 11.2.12 [5].
* If you use Drupal 11.1.x or 11.0.x, update to Drupal 11.1.10 [6].
.. Drupal 10
* If you use Drupal 10.6.x, update to Drupal 10.6.9 [7].
* If you use Drupal 10.5.x, update to Drupal 10.5.10 [8].
* If you use Drupal 10.4.x or earlier, update to Drupal 10.4.10 [9].
.. Drupal 9 and 8
* If you use any version of Drupal 9, try manually applying the Drupal 9.5
patch for this issue [10].
* If you use Drupal 8.9, try manually applying the Drupal 8.9 patch for this
issue [11].
Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do
not receive security coverage. (Drupal 8 [12] and Drupal 9 [13] have both
reached end-of-life.) Due to this issue's severity, the unsupported releases
and patches for unsupported versions are provided as a best effort. Those
unsupported versions /will/ still have other, previously disclosed security
vulnerabilities.
Reported By:
* Michael Maturi (michaelmaturi) [14]
Fixed By:
* Björn Brala (bbrala) [15]
* Benji Fisher (benjifisher) [16] of the Drupal Security Team
* catch (catch) [17] of the Drupal Security Team
* Lee Rowlands (larowlan) [18] of the Drupal Security Team
* Dave Long (longwave) [19] of the Drupal Security Team
* Drew Webber (mcdruid) [20] of the Drupal Security Team
* Jess (xjm) [21] of the Drupal Security Team
Coordinated By:
* Anna Kalata (akalata) [22] of the Drupal Security Team
* Benji Fisher (benjifisher) [23] of the Drupal Security Team
* catch (catch) [24] of the Drupal Security Team
* Damien McKenna (damienmckenna) [25] of the Drupal Security Team
* Neil Drumm (drumm) [26] of the Drupal Security Team
* Greg Knaddison (greggles) [27] of the Drupal Security Team
* Heine Deelstra (heine) [28] of the Drupal Security Team
* Tim Hestenes Lehnen (hestenet) [29]
* Dave Long (longwave) [30] of the Drupal Security Team
* Drew Webber (mcdruid) [31] of the Drupal Security Team
* Juraj Nemec (poker10) [32] of the Drupal Security Team
* Pierre Rudloff (prudloff) [33] of the Drupal Security Team
* Jess (xjm) [34] of the Drupal Security Team
* Cathy Theys (yesct) [35] of the Drupal Security Team
Security
issue:
https://git.drupalcode.org/security/185145-drupal-security/-/work_items/1
[36]
------------------------------------------------------------------------------
Contribution record [37]
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://symfony.com/blog/category/security-advisories
[4] https://www.drupal.org/project/drupal/releases/11.3.10
[5] https://www.drupal.org/project/drupal/releases/11.2.12
[6] https://www.drupal.org/project/drupal/releases/11.1.10
[7] https://www.drupal.org/project/drupal/releases/10.6.9
[8] https://www.drupal.org/project/drupal/releases/10.5.10
[9] https://www.drupal.org/project/drupal/releases/10.4.10
[10] https://www.drupal.org/files/issues/2026-05-20/SA-CORE-2026-004-9.5.patch
[11] https://www.drupal.org/files/issues/2026-05-20/SA-CORE-2026-004-8.9.patch
[12] https://www.drupal.org/psa-2021-06-29
[13] https://www.drupal.org/psa-2023-11-01
[14] https://www.drupal.org/u/michaelmaturi
[15] https://www.drupal.org/u/bbrala
[16] https://www.drupal.org/u/benjifisher
[17] https://www.drupal.org/u/catch
[18] https://www.drupal.org/u/larowlan
[19] https://www.drupal.org/u/longwave
[20] https://www.drupal.org/u/mcdruid
[21] https://www.drupal.org/u/xjm
[22] https://www.drupal.org/u/akalata
[23] https://www.drupal.org/u/benjifisher
[24] https://www.drupal.org/u/catch
[25] https://www.drupal.org/u/damienmckenna
[26] https://www.drupal.org/u/drumm
[27] https://www.drupal.org/u/greggles
[28] https://www.drupal.org/u/heine
[29] https://www.drupal.org/u/hestenet
[30] https://www.drupal.org/u/longwave
[31] https://www.drupal.org/u/mcdruid
[32] https://www.drupal.org/u/poker10
[33] https://www.drupal.org/u/prudloff
[34] https://www.drupal.org/u/xjm
[35] https://www.drupal.org/u/yesct
[36] https://git.drupalcode.org/security/185145-drupal-security/-/work_items/1
[37] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3591142
_______________________________________________
Security-news mailing list -- security-news AT drupal.org
To unsubscribe send an email to security-news-leave AT drupal.org
Unsubscribe at
- [IT-SecNots] [Security-news] Drupal core - Highly critical - SQL injection - SA-CORE-2026-004, security-news, 20.05.2026
Archiv bereitgestellt durch MHonArc 2.6.19+.