TL;DR: If you run Imunify360 with the WAF (ModSecurity) enabled, you are already protected against Drupal SQL Injection (CVE-2026-9082). The detection rule was deployed automatically on the same day Drupal disclosed the vulnerability. No action is required on your side.
What happened
On May 20, 2026, the Drupal Security Team disclosed CVE-2026-9082, a SQL injection vulnerability in Drupal core’s database abstraction API (SA-CORE-2026-004). The flaw can be exploited by an unauthenticated attacker and is rated 6.5 MEDIUM under CVSS v3.1. Successful exploitation can lead to information disclosure, and in some cases privilege escalation, remote code execution, or other attacks.
The vulnerability only affects sites using PostgreSQL as the Drupal database. Sites running on MySQL or MariaDB are not affected.
Affected Drupal versions:
- Drupal 8.9.0 and later 8.x releases
- All of Drupal 9.x
- Drupal 10.4.0 through 10.4.9, 10.5.0 through 10.5.9, 10.6.0 through 10.6.8
- Drupal 11.0.0 through 11.1.9, 11.2.0 through 11.2.11, 11.3.0 through 11.3.9
Drupal 7 is not affected.
What we did
Our WAF Protection Team tracked the pre-disclosure advisory (PSA-2026-05-18) ahead of the public release and had a response plan staged before the embargo lifted. Within hours of the full disclosure, we analyzed the vulnerability, authored a ModSecurity detection rule, validated it against false positives, and shipped it in the modsec-8.11 ruleset update.
The WAF rule is live and has been applied automatically to all Imunify360 servers with the Web Application Firewall / ModSecurity component enabled. Both the classic libmodsec engine and the newer Coraza engine are covered.
What you need to do
- If WAF/ModSec is enabled in Imunify360: nothing. You are protected. The rule is already active and blocking exploit attempts.
- If WAF/ModSec is disabled: we strongly recommend enabling it in the Imunify360 dashboard under Settings > WAF. This gives you immediate virtual patching while you plan your Drupal core upgrade.
- Regardless of WAF status, update Drupal to a patched version as soon as possible. The supported patched releases are 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, and 11.3.10. For end-of-life branches (Drupal 8.9.x and 9.5.x), Drupal has published manual patch files alongside SA-CORE-2026-004. Those sites can apply the patch directly but should plan a full upgrade to a supported branch. WAF rules are a safety net, not a substitute for patching.
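The affected-version and database-scope rules above, turned into a triage check you can run against each site in a fleet. This is an added example, not Imunify360 or Drupal code; the assess() and parse_version() helpers, their inputs and the status names are assumptions for this example, and the version table is transcribed from the advisory summary above.

```python
import re

# Inclusive affected ranges and the patched release per branch, transcribed from
# the advisory summary above. EOL branches (8.9.x, 9.x) have no patched release,
# only the manual patch files Drupal published with SA-CORE-2026-004.
AFFECTED_RANGES = [
    ((8, 9, 0), (8, 99, 99), None),
    ((9, 0, 0), (9, 99, 99), None),
    ((10, 4, 0), (10, 4, 9), (10, 4, 10)),
    ((10, 5, 0), (10, 5, 9), (10, 5, 10)),
    ((10, 6, 0), (10, 6, 8), (10, 6, 9)),
    ((11, 0, 0), (11, 1, 9), (11, 1, 10)),
    ((11, 2, 0), (11, 2, 11), (11, 2, 12)),
    ((11, 3, 0), (11, 3, 9), (11, 3, 10)),
]

def parse_version(text: str) -> tuple:
    """Turn '10.5.3' or '11.2.0-rc1' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Drupal version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def assess(version: str, db_driver: str) -> dict:
    """Classify a site for CVE-2026-9082 exposure (hypothetical helper).

    version:   Drupal core version, e.g. the VERSION constant in core/lib/Drupal.php.
    db_driver: the 'driver' value of $databases in settings.php ('pgsql', 'mysql', ...).
    """
    v = parse_version(version)
    if db_driver.lower() != "pgsql":
        return {"status": "not_affected", "version": v,
                "action": "Only PostgreSQL-backed sites are in scope."}
    if v[0] == 7:
        return {"status": "not_affected", "version": v, "action": "Drupal 7 is not affected."}
    for lo, hi, fixed in AFFECTED_RANGES:
        # Same branch and at or above the patched release: nothing to do.
        if fixed and v[:2] == fixed[:2] and v >= fixed:
            return {"status": "patched", "version": v,
                    "action": "Already on or above the patched release."}
        if lo <= v <= hi:
            if fixed is None:
                return {"status": "eol_affected", "version": v,
                        "action": "Apply Drupal's manual patch, then move to a supported branch."}
            return {"status": "affected", "version": v,
                    "action": "Upgrade to %d.%d.%d; the WAF rule is only a stopgap." % fixed}
    # Versions the advisory does not list (e.g. 10.0-10.3) are reported, not assumed safe.
    return {"status": "not_listed", "version": v,
            "action": "Not in the advisory's ranges; confirm against SA-CORE-2026-004."}
```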
Scope
The vulnerability affects a significant portion of the Drupal ecosystem. Across the Imunify360 fleet, we see many Drupal 8/9/10/11 installations that would have been exposed without this protection. The rule is designed to catch the known exploitation patterns with minimal false-positive risk, and provides a meaningful safety net particularly for EOL Drupal 8 and 9 sites that no longer receive automated security updates.
Stay informed
We will continue monitoring exploit activity in the wild and will update the ruleset if new attack variants emerge. If you have questions or notice any issues with the new rule, contact our support team.
For the full technical advisory, see SA-CORE-2026-004 on drupal.org.