Security
May 28, 2026

Is Drupal 7 affected by CVE-2026-9082 (SA-CORE-2026-004)?

The Drupal Security Team's May 20 advisory leaves Drupal 7 site owners with no answer — not vulnerable, not safe, just unchecked. Here's how we audited core and contrib modules to confirm D7 is not exposed to this highly critical SQL injection.

Drupal 7 is not affected by CVE-2026-9082 / SA-CORE-2026-004, the highly critical SQL injection the Drupal Security Team published on May 20. The vulnerable code lives in a Drupal 8+ subsystem that doesn't exist in D7, and our audit of contrib modules across NES for Drupal 7 customer environments found no module reproducing it. Below, we walk through the patch, our verification methodology, and what post-EOL Drupal 7 support looks like in practice.

What is CVE-2026-9082 (SA-CORE-2026-004)?

On May 20, 2026, the Drupal Security Team published SA-CORE-2026-004, tracked as CVE-2026-9082. The advisory describes a SQL injection vulnerability in Drupal core's database abstraction API. The flaw is exploitable by anonymous users, requires no authentication, and only affects sites running on PostgreSQL.

The advisory is rated highly critical, with a risk score of 23 out of 25. Two days after publication, the Drupal Security Team updated the advisory to confirm that exploit attempts were being detected in the wild.

Affected versions span specific point-version ranges across Drupal 8.9 through 11.3.x. The Security Team included best-effort patches for Drupal 8.9 and 9.5 even though both branches are already past end-of-life. Successful exploitation can result in information disclosure, privilege escalation, and in some configurations, remote code execution.

Why the advisory doesn't mention Drupal 7

Drupal 7 reached community end-of-life on January 5, 2025. Its branch is no longer in scope for the Drupal Security Team's work. The Team is made up of volunteers, and their charter ends at the supported branch boundary. They cannot be expected to audit every advisory against a codebase that has been formally unsupported for more than a year.

Unfortunately, that is what a Drupal 7 site owner is left with when they read SA-CORE-2026-004. The advisory doesn't say D7 is vulnerable. It also doesn't say D7 is safe. The absence of D7 from the advisory isn't a clean bill of health. It's that D7 wasn't checked to begin with.

This isn't unique to SA-CORE-2026-004. It's the recurring shape of every core security advisory issued after a major version goes end-of-life. Patches ship for supported branches. Drupal 7 site owners are left to do their own analysis, source extended support from a third party, or skip it and hope.

How did HeroDevs verify that Drupal 7 isn't affected by CVE-2026-9082?

We started with the public patch. Patches are usually more informative than advisory text. They show you exactly which code paths were vulnerable and what the fix changes about them.

The vulnerable code lives in a subsystem of Drupal core that was introduced in Drupal 8 and doesn't exist in Drupal 7. Different files, different APIs, different architecture. The vulnerable surface in core isn't present in D7 to begin with.

Core was the easy half. The harder question is whether the same pattern lives in any of the contrib modules we've released to our customers, including ones written years ago and never reviewed against this particular class of bug. So we evaluated the modules we've released, and searched for the exploitable code from the patch.

A handful of candidates looked structurally similar on the first scan. On more in-depth review, none of them implemented the vulnerable pattern.

Drupal 7 is not affected by CVE-2026-9082

Drupal 7 is not exposed to the SQL injection vulnerability described in SA-CORE-2026-004. The vulnerable code path doesn't exist in D7 core, and our contrib audit across deployed customer environments found no module implementing the same pattern. NES customers should continue applying scheduled updates as they ship, but no emergency action is required from you in response to this particular advisory.

What Never-Ending Support for Drupal 7 actually means

Every core security advisory issued after January 5, 2025 creates the same question for a Drupal 7 site owner: is my site affected? The upstream advisory can't answer that anymore. Someone has to.

For our customers, that someone is us. We do this on every Drupal core SA, and we publish the vulnerabilities that do affect D7 (and our other products) in our vulnerability directory.

Sometimes the answer is a backported Drupal 7 security patch we ship to your environment. Sometimes the answer is what it is today: D7 isn't affected, and here's why. Both outcomes take real work, and both are part of what NES means.

The question of "Should I be worried?" reaches further than just Drupal 7. Across the open-source ecosystem, the gap between a patch being published and a site owner knowing whether they're affected keeps widening. After EOL, the advisory stops being the answer. It becomes the question someone else has to answer for you.

NES customers: you're covered

You're not exposed to SA-CORE-2026-004 and no action is required from you for this advisory. Keep applying scheduled updates as they ship.

Running Drupal 7 without extended support?

The Drupal Security Team will keep publishing core advisories. None of them will tell you whether your D7 site is affected. That's not their job after EOL. Someone has to do that work on every advisory. For our customers, that's us. You can see the running log in our vulnerability directory.


Drupal core - Highly critical - SQL injection - SA-CORE-2026-004. https://www.drupal.org/sa-core-2026-004


Drupal 7 End of Life. https://www.drupal.org/about/drupal-7/d7eol

Author
JD Flynn
Sr. Software Engineer