
Drupal has released an urgent security update for a highly critical vulnerability (CVE-2026-9082) in Drupal Core that allows complete takeover of affected websites. The flaw is in a core database API that is supposed to validate queries: an unauthenticated attacker can send specially crafted web requests that inject arbitrary SQL commands. On sites backed by a PostgreSQL database, this can lead to theft of sensitive data, privilege escalation, and full remote code execution. Working proof-of-concept exploit code has already been published, so exploitation attempts should be expected quickly.
Drupal released patched versions on May 20, 2026 for all supported branches. Update as soon as possible: there is no workaround short of applying the patch. If you run a Drupal site as a personal project, small business, or nonprofit, your hosting provider may have auto-applied the update, but do not assume so. Log in to your site's admin dashboard and confirm from Reports → Status report that you are on a patched release.
How to check if you’re affected
Affected versions include Drupal 10.5, 10.6, 11.2, and 11.3 when the site runs on a PostgreSQL database. On Reports → Status report, the "Drupal" row shows the full installed version (for example 10.5.x) and the "Database system" row shows which database driver the site uses. If the version is in one of those branches and is below the patched release listed in Drupal's security advisory, update immediately. From the command line, running "drush status" reports both the Drupal version and the DB driver, and "composer show drupal/core" prints the installed core version. Sites using MySQL or SQLite are not vulnerable to this specific issue, although they should still take the update in the normal course of maintenance.
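The checks above, as an added example that is not part of this article or of Drupal's own tooling: a small Python script that reads the core version from composer.lock (or, as a fallback, the VERSION constant in core/lib/Drupal.php), reads the database driver from settings.php, and reports where a site stands. The affected branches are the ones named above; FIXED_RELEASES is a placeholder that you must fill from Drupal's security advisory, because the patched release numbers are not given here. The sample composer.lock and settings.php contents are constructed for the example.

```python
import json
import re

# Minor branches named as affected in the article above. Verify against the advisory.
AFFECTED_BRANCHES = {(10, 5), (10, 6), (11, 2), (11, 3)}

# Placeholder, NOT from the article: map each affected branch to its first patched
# release as listed in Drupal's security advisory, e.g. {(10, 5): "10.5.9"}.
# Left empty here, so an affected branch reports "affected_unknown_patch".
FIXED_RELEASES = {}


def parse_version(version):
    """Turn '10.5.2' or '11.3.0-rc1' into a comparable tuple.

    A pre-release suffix sorts below the final release of the same number,
    so parse_version('11.3.0-rc1') < parse_version('11.3.0').
    """
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)(.*)$", version.strip())
    if not m:
        raise ValueError("unrecognised Drupal version: %r" % version)
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), 0 if suffix else 1)


def core_version_from_composer_lock(lock_text):
    """Return the installed drupal/core version recorded in composer.lock, or None."""
    for pkg in json.loads(lock_text).get("packages", []):
        if pkg.get("name") == "drupal/core":
            return pkg.get("version")
    return None


def core_version_from_drupal_php(php_text):
    """Return the VERSION constant from core/lib/Drupal.php (fallback for tarball
    installs that have no composer.lock), or None."""
    m = re.search(r"const\s+VERSION\s*=\s*'([^']+)'", php_text)
    return m.group(1) if m else None


def db_driver_from_settings(settings_text):
    """Return the first 'driver' value in the $databases array of settings.php.
    Drupal's PostgreSQL driver is 'pgsql' (MySQL is 'mysql', SQLite is 'sqlite')."""
    m = re.search(r"['\"]driver['\"]\s*=>\s*['\"]([A-Za-z0-9_]+)['\"]", settings_text)
    return m.group(1) if m else None


def assess(version, driver, fixed=None):
    """Return (status, reason); status is one of
    'not_affected', 'affected_unknown_patch', 'patched', 'vulnerable'."""
    fixed = FIXED_RELEASES if fixed is None else fixed
    v = parse_version(version)
    branch = v[:2]
    if driver != "pgsql":
        return ("not_affected", "database driver is %s, not pgsql" % driver)
    if branch not in AFFECTED_BRANCHES:
        return ("not_affected", "%s is not in an affected branch" % version)
    if branch not in fixed:
        return ("affected_unknown_patch",
                "%s is on an affected branch; compare it with the advisory" % version)
    if v >= parse_version(fixed[branch]):
        return ("patched", "%s >= %s" % (version, fixed[branch]))
    return ("vulnerable", "%s < %s, update now" % (version, fixed[branch]))


# Constructed sample inputs standing in for a real site's composer.lock and settings.php.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.5.2"},
        {"name": "drupal/core-composer-scaffold", "version": "10.5.2"},
    ]
})
SAMPLE_SETTINGS_PHP = """<?php
$databases['default']['default'] = [
  'database' => 'drupal',
  'username' => 'drupal',
  'password' => 'secret',
  'host' => 'localhost',
  'driver' => 'pgsql',
];
"""

if __name__ == "__main__":
    ver = core_version_from_composer_lock(SAMPLE_COMPOSER_LOCK)
    drv = db_driver_from_settings(SAMPLE_SETTINGS_PHP)
    print(ver, drv, assess(ver, drv))
```

The settings.php parser takes the first 'driver' key it finds, so a commented-out example block above the live configuration would mislead it; if in doubt, trust the "Database system" row on the status report or the "DB driver" line from "drush status" over the regex.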
