Urgent: Critical SQL injection in Drupal Core (SA-CORE-2026-004) – Update your Drupal


A critical (20/25) security advisory has just been published for Drupal Core. It includes a SQL injection exploitable by anonymous users that affects only sites running on PostgreSQL. Attackers could steal data, escalate privileges, or execute code remotely.

At IOSAN, we have already secured our clients' sites. What about yours?

Is your site affected?

  • Drupal version: All versions from 8.9.0 to 11.3.9 (except patched).
  • Database: PostgreSQL only (MySQL/MariaDB are not affected by this vulnerability).
  • Other risks: Even with MySQL, this update also fixes critical vulnerabilities in Symfony and Twig.

See https://www.drupal.org/sa-core-2026-004


Secure your Drupal site today.

An IOSAN expert assesses your exposure and quickly proposes a tailored solution.


Technical Explanations

Why only PostgreSQL?

The PostgreSQL driver in Drupal mishandles associative arrays in SQL queries (e.g., IN clauses). An attacker can inject SQL via array keys.

Example of the fix:

if (is_array($condition['value'])) {
  $condition['value'] = array_values($condition['value']); // Strip the keys
}

The MySQL driver uses positional values and does not consider keys.
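To make the bug class concrete, here is an added, simplified model of an IN-clause builder written for this article; it is not Drupal's driver code. The function names, the placeholder scheme and the sample inputs are all constructed; the only thing mirrored from the advisory is the array_values() normalization.

```php
<?php
// Hypothetical model (not Drupal's real driver): a builder that derives
// placeholder names from the array keys, and the same builder after the
// keys are discarded with array_values().

function build_in_clause_unsafe(string $field, array $values): array {
    // With a plain list the keys are 0, 1, 2 ... and this yields :v0, :v1 ...
    // With an associative array, caller-controlled key text is concatenated
    // straight into the SQL string, which is the flaw described above.
    $placeholders = [];
    $args = [];
    foreach ($values as $key => $value) {
        $placeholders[] = ':v' . $key;
        $args[':v' . $key] = $value;
    }
    return ["$field IN (" . implode(', ', $placeholders) . ')', $args];
}

function build_in_clause_safe(string $field, array $values): array {
    // Mirror of the published fix: renumber the array first so only
    // integer indexes ever reach the SQL text; values stay bound as
    // parameters and never touch the query string.
    return build_in_clause_unsafe($field, array_values($values));
}

// Constructed input 1: a plain list behaves identically in both versions.
[$sql, $args] = build_in_clause_unsafe('uid', [1, 2, 3]);
echo $sql, PHP_EOL;                 // uid IN (:v0, :v1, :v2)

// Constructed input 2: an associative array whose key carries SQL syntax.
// The key closes the parenthesis and comments out the rest of the query.
$hostile = ['0) -- ' => 1];
[$sql, $args] = build_in_clause_unsafe('uid', $hostile);
echo $sql, PHP_EOL;                 // key text is now part of the SQL

[$sql, $args] = build_in_clause_safe('uid', $hostile);
echo $sql, PHP_EOL;                 // uid IN (:v0)
echo json_encode($args), PHP_EOL;   // {":v0":1} – the value is still bound
```

On PHP 8.1+, array_is_list($values) is a cheap assertion to add in tests for any query-building code path that is supposed to receive only positional lists.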

Other fixed vulnerabilities (Symfony & Twig)

Even if you don't use PostgreSQL, this update includes:

  • Symfony: Undisclosed vulnerabilities (high risk).
  • Twig: A vulnerability allows bypassing restrictions on calling __toString() on objects, potentially leaking sensitive data.

Exploitation example (Twig):

{% trans %}{{ non_authorized_object|somefilter }}{% endtrans %}

If non_authorized_object::__toString() returns sensitive information (e.g., API keys, passwords), an attacker can retrieve it via malicious templates.

→ Action:

  • Update even if you use MySQL.
  • Audit the roles that can modify Twig templates (e.g., via Views or contrib modules).

What to do?

Update to:

  • Drupal 11.3.x → 11.3.10
  • Drupal 11.2.x → 11.2.12
  • Drupal 11.1.x/11.0.x → 11.1.10
  • Drupal 10.6.x → 10.6.9
  • Drupal 10.5.x → 10.5.10
  • Drupal 10.4.x → 10.4.10
  • Drupal 9.5.x/8.9.x → Manual patch (official link)


IOSAN maintains your Drupal site

Our web and digital transformation agency supports you 360° on your digital projects, before, during, and after their implementation.

Our values: expertise, responsiveness, and pragmatism in a long-term relationship with our clients.

This content is licensed under the terms of the Creative Commons Attribution-NoDerivatives 4.0 International License.
You are free to:

  • Share — copy and redistribute the material in any medium or format, provided that:
    • You give appropriate credit (mention the name IOSAN and provide a link to the original article),
    • You do not modify the content,
    • You do not use this content for commercial purposes without written permission.