CVE-2026-9082: Mitigating a Critical SQL Injection Vulnerability in Drupal

Executive summary

  • Details have emerged regarding a highly complex SQL injection (SQLi) vulnerability affecting Drupal core. It is officially tracked as CVE-2026-9082 and detailed in the vendor advisory SA-CORE-2026-004.
  • Unlike traditional SQL injection flaws that target parameter values, this vulnerability exploits how PHP array keys are parsed and converted into database placeholder names.
  • The vulnerability primarily affects Drupal environments that use a PostgreSQL database back end in conjunction with the JSON:API core module, Views exposed filters, or Entity autocomplete endpoints.
  • If the vulnerability is successfully exploited, an unauthenticated attacker could bypass authentication, exfiltrate sensitive data (such as user password hashes), or perform subquery-based blind data extraction.
  • Akamai researchers have analyzed the exploit mechanics and confirmed that customers who are using the standard SQL injection risk group in Akamai App & API Protector are actively protected against this threat.

Vulnerability details

At the core of CVE-2026-9082 is a breakdown in how external input is sanitized before reaching the database abstraction layer. Specifically, the vulnerability resides within the PostgreSQL database driver (pgsql/src/EntityQuery/Condition.php) when handling array structures passed from HTTP requests.

When a user submits a query string, PHP's parser builds nested arrays from bracketed parameter names, so the client controls the array keys, not just the values. The JSON:API module (and similar pipelines such as Views) preserves these array keys through the entire execution flow. The unsanitized keys move from the initial HTTP request into the EntityQuery construction and are eventually passed directly to the database driver.
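As an added illustration (not Akamai's or Drupal's code), the following Python models the key-handling problem described above: it splits a query string into PHP-style nested array keys, flags key segments that could not be safe placeholder names, and shows a hardened placeholder builder that refuses them. The identifier pattern and the sample requests are assumptions constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Allowlist for placeholder names (assumption for this example, not Drupal's rule):
# a placeholder must look like a plain identifier, nothing else gets through.
SAFE_KEY = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Constructed sample requests: one benign JSON:API-style filter, one whose
# array KEY (not value) carries SQL syntax. Both are illustrative only.
BENIGN = "filter[title][value]=hello&filter[title][operator]=CONTAINS"
SUSPECT = "filter[title%27%29%20OR%201%3D1--][value]=x"


def parse_php_query(query_string):
    """Simplified model of PHP's query-string parsing: 'a[b][c]=v' becomes the
    key path ['a', 'b', 'c'] with value 'v'. Every bracketed segment is supplied
    by the client, which is exactly why keys need the same scrutiny as values."""
    pairs = []
    for chunk in query_string.split("&"):
        if not chunk:
            continue
        raw_key, _, raw_value = chunk.partition("=")
        key = unquote_plus(raw_key)
        head = key.split("[", 1)[0]
        path = [head] + re.findall(r"\[([^\]]*)\]", key)
        pairs.append((path, unquote_plus(raw_value)))
    return pairs


def unsafe_keys(query_string):
    """Detection view: return every key segment that fails the allowlist.
    Values are deliberately ignored; the point of CVE-2026-9082 is that keys
    reach the database layer as placeholder names."""
    bad = []
    for path, _value in parse_php_query(query_string):
        bad.extend(seg for seg in path if seg and not SAFE_KEY.match(seg))
    return bad


def placeholder_for(path):
    """Hardened builder: derive a placeholder name from a key path only after
    each segment has passed the allowlist; otherwise refuse the whole request
    instead of interpolating the raw key into SQL."""
    for seg in path:
        if seg and not SAFE_KEY.match(seg):
            raise ValueError(f"rejected array key: {seg!r}")
    return ":" + "__".join(seg for seg in path if seg)


if __name__ == "__main__":
    print("benign  ->", unsafe_keys(BENIGN))
    print("suspect ->", unsafe_keys(SUSPECT))
```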

Is your Drupal version vulnerable?

This vulnerability requires a specific environmental stack to be exploitable. You are at risk if your Drupal site uses a PostgreSQL database and relies on the JSON:API, Views, or related routing modules.

Site administrators should immediately cross-reference their current deployments with the official Drupal security advisory (SA-CORE-2026-004) and update their core installations to the designated patch releases across all supported branches (Drupal 10 and 11).

The vulnerable versions include:

  • Drupal 11

    • Supported branches: 11.3.x and 11.2.x

    • Retired branches: 11.1.x and 11.0.x

  • Drupal 10

    • Supported branches: 10.6.x and 10.5.x

    • Retired branches: 10.4.x through 10.0.x

  • Legacy versions (Drupal 8 and 9)

    • Drupal 9: All versions (9.0.x through 9.5.x)

    • Drupal 8: All versions (8.0.x through 8.9.x)

Note: Drupal 7 is structurally different and does not include the JSON:API module in core, meaning that it would not be affected by this specific exploit chain.

Mitigation with Akamai App & API Protector

Akamai's threat research team has tested known exploit payloads against Akamai App & API Protector. We can confirm that the existing web application firewall (WAF) engine successfully detects and mitigates this vulnerability out of the box. We will continue to monitor this situation for additional information and will make any necessary updates.

Customers who have enabled the SQL injection risk group in block or deny mode are protected from these attacks. The malicious array keys trigger multiple, highly accurate SQLi anomaly and injection rules (including rules 950902, 959073, 981255, and 3000101) upon inspection of the decoded request parameters.

Summary

CVE-2026-9082 serves as a stark reminder that application security must account for the entire data lifecycle. This includes not only the data values but also structural elements like array keys.

Although the Akamai App & API Protector SQL injection risk group provides an immediate and robust layer of defense against these attacks, we strongly advise all organizations to apply the official Drupal core updates as part of their critical patch management cycle.

Stay tuned

The Akamai Security Intelligence Group will continue to monitor the exploitation landscape surrounding CVE-2026-9082 and provide updates as the situation evolves. To keep up with more breaking news from the Akamai Security Intelligence Group, check out our research home page and follow us on social media.
