Drupal Admins Scramble to Patch Critical SQL Injection Vulnerability
Drupal has issued an urgent security update to address a maximum-severity SQL injection vulnerability in its core database abstraction API, which could allow attackers to execute arbitrary SQL queries on websites using PostgreSQL databases. The flaw, if exploited, may lead to information disclosure, privilege escalation, or remote code execution (RCE).
The vulnerability affects all supported Drupal branches (11.3, 11.2, 10.6, and 10.5), with patches released on May 20. Unsupported versions (11.1.x, 11.0.x, 10.4.x and earlier) will receive best-effort patches only, and Drupal strongly recommends upgrading to a supported release. Admins still on Drupal 9.5 or 8.9 can apply manual patches, but migration to a modern version is advised.
The issue stems from insufficient input sanitization in Drupal’s database API, enabling attackers to craft malicious queries. While the flaw primarily impacts PostgreSQL-based sites, the update also includes fixes for Symfony (PHP framework) and Twig (template engine), which may have upstream vulnerabilities. Twig was updated to version 3.26.0, and Symfony received critical patches.
Security experts warn that exploitation could follow quickly, since the Drupal Security Team pre-announced the patch to give admins time to prepare, which also gave attackers advance notice that a fix was coming. Sites using the Drupal Steward web application firewall are temporarily protected but should still upgrade to mitigate potential new attack vectors.
Admins are urged to review PostgreSQL and firewall logs for suspicious activity and restrict Twig template access to trusted users. The incident highlights ongoing challenges with SQL injection vulnerabilities, which security professionals argue should no longer persist in modern applications.
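To support the PostgreSQL log review the article recommends, here is an added example (not code from Drupal or from the advisory) that triages server log lines for bursts of SQL parser errors from a single client host, a common trace of someone probing a SQL injection bug. It assumes a `log_line_prefix` of `'%t [%p] %u@%d %h '` and uses constructed sample lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed PostgreSQL log lines (hosts are RFC 5737 documentation addresses).
# Assumes log_line_prefix = '%t [%p] %u@%d %h ', which is an assumption, not a Drupal default.
SAMPLE_LOG = """\
2025-05-21 10:02:11 UTC [4121] drupal@site 203.0.113.7 ERROR:  syntax error at or near ")" at character 88
2025-05-21 10:02:12 UTC [4121] drupal@site 203.0.113.7 ERROR:  unterminated quoted string at or near "'"
2025-05-21 10:02:14 UTC [4122] drupal@site 203.0.113.7 ERROR:  syntax error at or near "UNION" at character 60
2025-05-21 10:02:30 UTC [4130] drupal@site 198.51.100.9 LOG:  duration: 3.2 ms
2025-05-21 10:03:02 UTC [4131] drupal@site 198.51.100.9 ERROR:  syntax error at or near "ORDER" at character 12
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ \[(?P<pid>\d+)\] "
    r"(?P<user>[^@]+)@(?P<db>\S+) (?P<host>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)

# Parser-level errors that hand-crafted input is far more likely to trigger than application code.
PROBE_ERRORS = ("syntax error", "unterminated quoted", "invalid input syntax")

def parse_line(line):
    """Split one log line into its prefix fields; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec

def find_suspicious_hosts(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {host: total parser errors} for hosts with >= threshold such errors inside one window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["level"] == "ERROR" and rec["msg"].lower().startswith(PROBE_ERRORS):
            events[rec["host"]].append(rec["ts"])
    flagged = {}
    for host, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[host] = len(times)
                break
    return flagged

if __name__ == "__main__":
    print(find_suspicious_hosts(SAMPLE_LOG))   # {'203.0.113.7': 3}
```

Point it at the real server log (or the output of `log_min_error_statement = error`) and raise the threshold to match normal error rates for the site before acting on the flagged hosts.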
Drupal TPRM report: https://www.rankiteo.com/company/drupal-association