
Drupal SA-CORE-2026-004: No-Auth SQL Injection Threatens Every PostgreSQL-Backed Site

Drupal released emergency patches for a highly critical SQL injection that requires zero authentication. If your organization runs Drupal on PostgreSQL, you have hours — not days — before weaponized exploits hit the wild.

FyntraLink Team

On May 20, 2026, Drupal's Security Team dropped SA-CORE-2026-004 — a highly critical SQL injection vulnerability scoring 20 out of 25 on Drupal's severity scale. The flaw requires no authentication, no special privileges, and no complex attack chain. Any anonymous visitor can exploit a vulnerable Drupal site running PostgreSQL, and the Security Team has explicitly warned that weaponized exploits could appear within hours of disclosure. For Saudi organizations relying on Drupal for portals, intranets, or customer-facing platforms, this is a patch-now-or-regret-later situation.

What Makes SA-CORE-2026-004 So Dangerous

The vulnerability is a classic SQL injection, but its characteristics push it into the worst-case category. The access complexity is rated "None" — meaning no elaborate setup, no social engineering, and no insider access is needed. The authentication requirement is also "None," which means an unauthenticated attacker anywhere on the internet can send a crafted request to a vulnerable endpoint and interact directly with the underlying PostgreSQL database. Two days before the patch, the Drupal Security Team issued the advance notice PSA-2026-05-18 to give administrators lead time, a step reserved exclusively for the most severe issues.

The vulnerability specifically affects Drupal installations backed by PostgreSQL databases. While many Drupal deployments use MySQL or MariaDB, PostgreSQL is the database of choice for enterprise and government deployments where advanced data types, JSONB support, and strict ACID compliance matter — precisely the kind of environments common in regulated industries.

Affected Versions and the Patch Matrix

The scope is sweeping. Every Drupal release from 8.9.0 onward is affected if running on PostgreSQL. Specifically, the vulnerable ranges include Drupal 10.4.0 through 10.4.9, 10.5.0 through 10.5.9, 10.6.0 through 10.6.8, 11.0.0 through 11.1.9, 11.2.0 through 11.2.11, and 11.3.0 through 11.3.9. Patched releases are 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, and 11.3.10. Organizations running end-of-life Drupal 8 or 9 branches with PostgreSQL have no official patch and must migrate or implement compensating controls immediately.
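The version matrix above as a triage check (an added example, not code from the advisory or from Drupal): given the core version reported by drush status and the driver value from settings.php, it reports whether the site falls in a vulnerable range and which fixed release to move to.

```python
# Added example (not from the advisory or Drupal): triage one site's core version
# and database driver against the SA-CORE-2026-004 ranges quoted above.
# Assumed inputs: the "Drupal version" field of `drush status` and the driver
# value from $databases['default']['default']['driver'] in settings.php.

# (first affected, last affected, fixed release) per branch, as listed in the article.
VULNERABLE_RANGES = [
    ("10.4.0", "10.4.9", "10.4.10"),
    ("10.5.0", "10.5.9", "10.5.10"),
    ("10.6.0", "10.6.8", "10.6.9"),
    ("11.0.0", "11.1.9", "11.1.10"),
    ("11.2.0", "11.2.11", "11.2.12"),
    ("11.3.0", "11.3.9", "11.3.10"),
]
FIRST_AFFECTED = "8.9.0"  # the article: every release from 8.9.0 onward on PostgreSQL


def parse_version(text):
    """'10.4.7' or '11.2.11-dev' -> (10, 4, 7); pre-release suffixes are ignored."""
    core = text.strip().split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def assess(version, driver):
    """Return (vulnerable, action); vulnerable is True, False or None (not covered)."""
    if driver.strip().lower() != "pgsql":
        return (False, "not affected: database driver is not pgsql")
    v = parse_version(version)
    if v < parse_version(FIRST_AFFECTED):
        return (False, "below 8.9.0: outside the range named in the advisory")
    for lo, hi, fixed in VULNERABLE_RANGES:
        if parse_version(lo) <= v <= parse_version(hi):
            return (True, f"vulnerable: upgrade to {fixed} now")
        f = parse_version(fixed)
        if v[:2] == f[:2] and v >= f:  # same branch, at or past the fixed release
            return (False, f"patched: {fixed} or later")
    newest = max(parse_version(r[2]) for r in VULNERABLE_RANGES)
    if v > newest:
        return (None, "newer than the releases listed here; verify against the advisory")
    # 8.9.x, 9.x and any other branch with no fixed release in the list
    return (True, "vulnerable, no patched release for this branch: migrate to a supported branch")


if __name__ == "__main__":
    for ver, drv in [("10.4.7", "pgsql"), ("11.3.10", "pgsql"), ("9.5.11", "pgsql"), ("11.2.12", "mysql")]:
        print(ver, drv, assess(ver, drv))
```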

The fix was released between 17:00 and 21:00 UTC on May 20, 2026. As of this writing, less than 24 hours have passed since disclosure. Historical precedent — including Drupalgeddon (SA-CORE-2014-005) and Drupalgeddon2 (SA-CORE-2018-002) — shows that mass exploitation typically begins within 3 to 6 hours of a Drupal critical patch release. Automated scanners were already probing for unpatched endpoints by midnight UTC.

Impact on Saudi Financial Institutions and Regulated Entities

Saudi banks, insurance companies, fintech firms, and capital market institutions frequently deploy Drupal for investor relations portals, knowledge bases, internal wikis, and customer self-service platforms. Many of these installations sit behind a WAF but remain vulnerable to SQL injection payloads that bypass generic rule sets — especially when the injection targets PostgreSQL-specific syntax that WAF signatures may not cover out of the box.

Under SAMA's Cyber Security Framework (CSCC), Domain 3 (Cybersecurity Operations and Technology) mandates timely vulnerability remediation aligned with asset criticality. A no-authentication SQL injection on a customer-facing portal hosting personal financial data triggers obligations under both the CSCC and the Personal Data Protection Law (PDPL). If exploited, the breach notification clock starts ticking — SAMA expects incident reporting within hours, not days. The NCA's Essential Cybersecurity Controls (ECC 2:2024), specifically Control 2-3-1 on vulnerability management, requires organizations to apply critical patches within a risk-appropriate window, which for a CVSS-equivalent critical flaw means 48 hours at most.

The recently released NCNICC-1:2025 framework extends NCA's mandatory cybersecurity requirements to all private-sector companies operating in Saudi Arabia, regardless of Critical National Infrastructure designation. This means even mid-size firms running Drupal on PostgreSQL for their corporate website now fall under regulatory scrutiny if they fail to patch promptly.

Why SQL Injection Remains a Tier-One Threat in 2026

Despite decades of awareness, SQL injection consistently ranks among the top three web application vulnerabilities. Verizon's 2026 DBIR confirmed that vulnerability exploitation — including injection flaws — has overtaken credential theft as the leading initial access vector, accounting for 31% of analyzed breaches. SQL injection is particularly devastating because it often provides direct read and write access to the database, enabling data exfiltration, privilege escalation, and in some configurations, operating system command execution via PostgreSQL's COPY TO/FROM PROGRAM functionality.

The Drupal ecosystem's open-source nature means attackers can diff the patched code against the vulnerable version and reverse-engineer a working exploit in minutes. This is not theoretical — it is the exact playbook that produced mass scanning within hours of Drupalgeddon2 in 2018. Organizations that delay patching by even 24 hours are playing a losing game against automated exploit kits.

Recommendations and Immediate Action Steps

  1. Patch immediately. Update all Drupal installations to the latest patched release within your branch (10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, or 11.3.10). If you cannot patch within 4 hours, take the site offline or place it behind a maintenance page.
  2. Identify your database backend. Run drush status or check settings.php for the database driver. If you see pgsql, your site is in the vulnerable category. MySQL and MariaDB installations are not affected by this specific flaw.
  3. Deploy WAF rules targeting PostgreSQL injection patterns. Update your Web Application Firewall with rules that block common PostgreSQL injection payloads including stacked queries, COPY statements, and dollar-quoted strings. This is a temporary mitigation, not a substitute for patching.
  4. Audit PostgreSQL logs for anomalies. Review database logs from the past 72 hours for unusual query patterns, syntax errors left by failed injection attempts, or unexpected COPY commands. Enable log_statement = 'all' temporarily if it is not already active.
  5. Check for indicators of compromise. Look for newly created database roles, unexpected tables, modified content, or unfamiliar files in Drupal's sites/default/files directory. SQL injection through PostgreSQL can sometimes chain into file-write primitives.
  6. Report to your regulator if compromised. If evidence of exploitation is found, initiate your incident response plan and notify SAMA (for financial institutions) or the NCA's National CERT per your regulatory obligations. Under PDPL, any personal data exposure requires notification to the SDAIA within the prescribed timeframe.
  7. Migrate end-of-life Drupal versions. If you are running Drupal 8 or 9 on PostgreSQL, no patch will be provided. Plan an emergency migration to a supported branch or switch your database backend to MySQL/MariaDB as an interim measure.
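Steps 3 to 5 as a small log scan (an added example, not code from the advisory): it runs the PostgreSQL-specific patterns the steps name (stacked queries, COPY ... PROGRAM, dollar-quoted strings, role creation, syntax errors) over server-log lines in the default stderr format with log_statement = 'all'. The log lines are constructed for illustration.

```python
# Added example (not from the advisory): scan PostgreSQL server-log lines for the
# patterns steps 3-5 tell you to look for. Assumes log_statement = 'all' and the
# default stderr line format (timestamp, [pid], user@db, level). Sample lines
# below are constructed; a real run would read them from the server log file.
import re
from collections import Counter

RULES = {
    "stacked_query": re.compile(r";\s*(select|insert|update|delete|create|drop|copy|alter)\b", re.I),
    "copy_program":  re.compile(r"\bcopy\b.*\b(to|from)\s+program\b", re.I),
    "dollar_quote":  re.compile(r"\$[A-Za-z_]*\$"),
    "role_change":   re.compile(r"\b(create|alter)\s+role\b", re.I),
    "syntax_error":  re.compile(r"\bERROR:\s+syntax error\b"),
}
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>\S+)@(?P<db>\S+) (?P<body>.*)$")


def scan_line(line):
    """Names of the rules that fire on one log line (prefix stripped if it parses)."""
    m = LINE_RE.match(line)
    body = m.group("body") if m else line
    return [name for name, rx in RULES.items() if rx.search(body)]


def scan_log(lines):
    """Return (hits, counts): hits = [(line_no, [rule, ...])], counts = rule -> total."""
    hits, counts = [], Counter()
    for n, line in enumerate(lines, 1):
        fired = scan_line(line)
        if fired:
            hits.append((n, fired))
            counts.update(fired)
    return hits, counts


# Constructed sample: one benign Drupal query, then one line per rule.
SAMPLE_LOG = """\
2026-05-21 02:14:07 UTC [4112] drupal@drupal LOG:  statement: SELECT nid FROM node_field_data WHERE status = 1
2026-05-21 02:14:09 UTC [4113] drupal@drupal ERROR:  syntax error at or near "'" at character 61
2026-05-21 02:14:12 UTC [4113] drupal@drupal LOG:  statement: SELECT uid FROM users_field_data WHERE uid = 1; SELECT current_user
2026-05-21 02:14:15 UTC [4114] drupal@drupal LOG:  statement: COPY (SELECT '') TO PROGRAM '<command>'
2026-05-21 02:14:18 UTC [4114] drupal@drupal LOG:  statement: SELECT name FROM users_field_data WHERE name = $q$admin$q$
2026-05-21 02:14:21 UTC [4114] drupal@drupal LOG:  statement: CREATE ROLE svc_backup LOGIN
""".splitlines()

if __name__ == "__main__":
    hits, counts = scan_log(SAMPLE_LOG)
    for n, fired in hits:
        print(f"line {n}: {', '.join(fired)}")
    print(dict(counts))
```

A burst of syntax_error hits from one client, or any copy_program or role_change hit the application does not normally produce, is the cue to move to the incident-response step.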

Conclusion

SA-CORE-2026-004 is the kind of vulnerability that separates organizations with mature patch management processes from those that learn the hard way. A zero-authentication SQL injection on an enterprise-grade CMS running on PostgreSQL is a textbook critical finding, and the exploitation window is measured in hours. Saudi organizations — especially those under SAMA and NCA oversight — should treat this as a P0 incident and patch before the next business day begins.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and vulnerability management review to ensure your web infrastructure meets SAMA CSCC and NCA ECC standards.