The Drupal Security Team recently released a highly critical security advisory, SA-CORE-2026-004 (CVE-2026-9082). While the headline highlights a severe SQL injection vulnerability, many site administrators are left wondering if they need to take action if they aren't using the affected database system.
Here is a simple breakdown of who is directly impacted and why an immediate update is necessary for all Drupal 10 and 11 websites.
1. Who is Directly Impacted?
The core vulnerability (SQL injection) lives within Drupal’s Database Abstraction API. Under specific conditions, anonymous users can exploit this flaw by sending malicious requests to run unauthorized database commands.
Directly Vulnerable: This specific SQL injection flaw only affects websites running on PostgreSQL.
Safe from SQLi: Websites running on MySQL, MariaDB, or SQLite are safe from this specific database exploit.
2. Why Non-PostgreSQL Users Must Still Update
If your website relies on MySQL, MariaDB, or SQLite, you are safe from the SQL injection, but you should still apply this update immediately for two major reasons:
Bundled Symfony and Twig Security Patches: This Drupal release includes vital security updates from major upstream libraries that Drupal relies on—specifically Symfony and Twig. These projects fixed serious flaws at the same time.
Universal Risk Factors: Depending on your site's configuration and which contributed modules you have installed, your site could still be vulnerable to separate security risks coming from these unpatched Symfony or Twig components.
3. How to Update Drupal 10 / 11 (Composer & Drush Commands)
To secure your site, run the following standard commands in your project root directory.
Step 1: Update Drupal Core and all its dependencies (including Symfony/Twig)
composer update drupal/core-recommended drupal/core-composer-scaffold drupal/core-project-message --with-all-dependencies
(Alternative: If your project template uses individual core packages, use composer update "drupal/core-*" --with-all-dependencies instead)
Step 2: Run database updates via Drush
vendor/bin/drush updatedb
(or short command: vendor/bin/drush updb)
Step 3: Rebuild the Drupal cache
vendor/bin/drush cache:rebuild
(or short command: vendor/bin/drush cr)
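To confirm that Step 1 really moved the bundled Symfony and Twig packages and not only Drupal core, you can compare composer.lock from before and after the update. The script below is an added example, not part of the advisory or of Drupal's tooling; the sample lock data and its version strings are constructed placeholders, and the "upstream_stale" flag is a heuristic assumption.

```python
import json
import sys
from pathlib import Path

# Package families named in the post: Drupal core plus upstream Symfony and Twig.
WATCHED = ("drupal/core", "symfony/", "twig/")


def locked_versions(lock_text):
    """Return {package name: version} for watched packages in a composer.lock."""
    lock = json.loads(lock_text)
    found = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            name = pkg.get("name", "")
            if name.startswith(WATCHED):
                found[name] = pkg.get("version", "unknown")
    return found


def update_report(before_text, after_text):
    """Compare two lock files and report which watched packages actually moved."""
    before, after = locked_versions(before_text), locked_versions(after_text)
    changed = {n: (before.get(n), v) for n, v in after.items() if before.get(n) != v}
    core_moved = any(n.startswith("drupal/core") for n in changed)
    upstream_moved = any(n.startswith(("symfony/", "twig/")) for n in changed)
    return {
        "changed": changed,
        "unchanged": sorted(n for n in after if n not in changed),
        # Heuristic only: core moved while every Symfony/Twig package stayed put,
        # which is what an update without --with-all-dependencies can look like.
        "upstream_stale": core_moved and not upstream_moved,
    }


# Constructed lock files; the version strings are placeholders, not real releases.
SAMPLE_BEFORE = json.dumps({"packages": [
    {"name": "drupal/core", "version": "0.0.1"},
    {"name": "symfony/http-foundation", "version": "v0.0.1"},
    {"name": "twig/twig", "version": "v0.0.1"},
    {"name": "drupal/example_module", "version": "1.0.0"}]})
SAMPLE_AFTER = json.dumps({"packages": [
    {"name": "drupal/core", "version": "0.0.2"},
    {"name": "symfony/http-foundation", "version": "v0.0.1"},
    {"name": "twig/twig", "version": "v0.0.2"},
    {"name": "drupal/example_module", "version": "1.0.0"}]})

if __name__ == "__main__":
    # Usage: python lock_diff.py composer.lock.before composer.lock
    texts = [Path(p).read_text(encoding="utf-8") for p in sys.argv[1:3]]
    pair = texts if len(texts) == 2 else [SAMPLE_BEFORE, SAMPLE_AFTER]
    print(json.dumps(update_report(*pair), indent=2))
```

Copy composer.lock aside before Step 1, then pass the saved copy and the new file as the two arguments. Packages listed under "unchanged" should be checked against the fixed versions named in the upstream advisories.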