Drupal PostgreSQL SQL Injection Flaw Faces Active Exploitation

Drupal has confirmed active attacks against a critical SQL injection vulnerability in its database abstraction API affecting PostgreSQL-based sites.

CSBadmin

The Vulnerability and Its Discovery

A critical SQL injection vulnerability in Drupal’s database abstraction API is now being actively exploited in the wild, prompting urgent warnings from the project’s security team. Discovered by a researcher from Google and Mandiant, the flaw allows unauthenticated attackers to inject malicious SQL commands through specially crafted requests on websites using PostgreSQL. This can lead to severe outcomes including remote code execution, privilege escalation, and disclosure of sensitive information.

Drupal initially published a security advisory on May 18, urging administrators to prepare for immediate updates because exploitation could begin “within hours or days.” On May 22, the project confirmed that exploit attempts had been detected, upgrading the risk score and classifying the vulnerability as “highly critical” with an internal severity rating of 23 out of 25. While NIST rates it as medium severity with a CVSS score of 6.5, the active exploitation elevates the practical urgency.

Impacted Versions and Urgent Recommendations

The vulnerability affects a wide range of Drupal versions, including 8.9.x, several 10.x branches, and multiple 11.x releases up to specific patch levels. Site owners and administrators are urged to upgrade immediately to the latest version available for their Drupal branch. Even sites that do not use PostgreSQL should still apply the update, as the latest security patches also address vulnerabilities in upstream dependencies like Symfony and Twig.

Drupal warns that versions 8 and 9 have reached end-of-life status. While patches are provided on a best-effort basis for those branches, the branches themselves contain other known vulnerabilities that make continued use inherently risky. Administrators should back up their sites, apply patches in a staging environment, and test critical workflows before deploying to production.
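To act on the recommendations above, an administrator first needs two facts per site: which database driver the default target uses, and which drupal/core, Symfony and Twig versions are installed. The script below is an added triage example, not code from the article or from the Drupal project. It assumes a Composer-managed site whose `settings.php` sets `$databases['default']['default']` and whose `composer.lock` lists `drupal/core`; the embedded settings and lock excerpts are constructed samples, and the version strings are placeholders rather than the affected or fixed releases, so the output is meant to be compared against the current advisory by hand.

```python
"""Patch-triage helper for a Drupal site: report the default database driver
and the locked drupal/core, Symfony and Twig versions so an administrator
can compare them against the current security advisory."""
import json
import re
from typing import Dict, Optional

# Constructed sample of the database block from a Drupal settings.php
# (not taken from the article); the password is a placeholder.
SAMPLE_SETTINGS_PHP = r"""<?php
$databases['default']['default'] = array (
  'database' => 'drupal',
  'username' => 'drupal',
  'password' => 'PLACEHOLDER',
  'host' => 'localhost',
  'port' => '5432',
  'driver' => 'pgsql',
  'prefix' => '',
);
"""

# Constructed composer.lock excerpt. The version strings are placeholders,
# not the affected or fixed releases named in the advisory.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.x.y-PLACEHOLDER"},
        {"name": "symfony/http-foundation", "version": "6.x.y-PLACEHOLDER"},
        {"name": "twig/twig", "version": "3.x.y-PLACEHOLDER"},
    ],
    "packages-dev": [],
})

# Matches  $databases['default']['default'] = array( ... );  or  = [ ... ];
_DEFAULT_TARGET = re.compile(
    r"\$databases\[\s*'default'\s*\]\[\s*'default'\s*\]\s*=\s*(?:array\s*\(|\[)(.*?)(?:\)|\])\s*;",
    re.S,
)
# Matches the per-key form  $databases['default']['default']['driver'] = 'pgsql';
_KEYED_DRIVER = re.compile(
    r"\$databases\[\s*'default'\s*\]\[\s*'default'\s*\]\[\s*'driver'\s*\]\s*=\s*'([^']+)'"
)
_DRIVER_ENTRY = re.compile(r"'driver'\s*=>\s*'([^']+)'")


def default_db_driver(settings_php: str) -> Optional[str]:
    """Return the driver name of the default database target, or None if not found."""
    block = _DEFAULT_TARGET.search(settings_php)
    if block:
        entry = _DRIVER_ENTRY.search(block.group(1))
        if entry:
            return entry.group(1)
    keyed = _KEYED_DRIVER.search(settings_php)
    return keyed.group(1) if keyed else None


def locked_versions(composer_lock: str) -> Dict[str, str]:
    """Map package name -> locked version from a composer.lock document."""
    data = json.loads(composer_lock)
    versions = {}
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            versions[pkg["name"]] = pkg["version"]
    return versions


def triage(settings_php: str, composer_lock: str) -> dict:
    """Summarise what an administrator needs to compare against the advisory.

    Drupal's 'pgsql' driver is PostgreSQL. Any other driver still needs the
    update because the same releases carry the Symfony and Twig fixes."""
    driver = default_db_driver(settings_php)
    versions = locked_versions(composer_lock)
    watched = {
        name: version
        for name, version in versions.items()
        if name == "drupal/core" or name.startswith(("symfony/", "twig/"))
    }
    return {
        "driver": driver,
        "uses_postgresql": driver == "pgsql",
        "core_version": versions.get("drupal/core"),
        "watched_packages": watched,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_SETTINGS_PHP, SAMPLE_COMPOSER_LOCK)
    if report["uses_postgresql"]:
        print("PostgreSQL site: patch first")
    else:
        print("non-PostgreSQL site: still update for the dependency fixes")
    for name, version in sorted(report["watched_packages"].items()):
        print(f"  {name}: {version}")
```

Run it against the real `sites/default/settings.php` and `composer.lock` of each site in a fleet to sort PostgreSQL-backed installs to the front of the patch queue; the driver check deliberately reads the configuration file rather than connecting to the database, so it works from a backup or a read-only deploy artefact.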

Source: BleepingComputer
