On May 20th, 2026, the Drupal Security Team published a new advisory disclosing a security vulnerability in the database driver of the Drupal content management system. The issue affects installations configured to use PostgreSQL as their database and can lead to SQL injection.
A few hours later, proof-of-concept (PoC) exploits began surfacing on GitHub. We tested several variants of the publicly available PoCs, along with in-house developed PoCs, against the HAProxy Enterprise WAF. Our web application firewall (WAF) was engineered from the ground up for high performance and does not rely on conventional attack signatures. As a result, it frequently blocks zero-day exploits without requiring any updates, this Drupal vulnerability being just the latest example.
Previously, we showed how HAProxy Enterprise WAF protected users against:
Results first: as expected, the vulnerability is not exploitable when the target is protected by the HAProxy Enterprise WAF.
Issue details
Drupal websites configured to use a PostgreSQL database are exposed to a flaw in which an attacker can craft a request that injects malicious values into the array keys of specific filters, such as those used by JSON:API. Drupal passes these keys to the database layer without proper sanitization, resulting in SQL injection.
Affected versions
Drupal 11
If you use Drupal 11.3.x, update to Drupal 11.3.10.
If you use Drupal 11.2.x, update to Drupal 11.2.12.
If you use Drupal 11.1.x or 11.0.x, update to Drupal 11.1.10.
Drupal 10
If you use Drupal 10.6.x, update to Drupal 10.6.9.
If you use Drupal 10.5.x, update to Drupal 10.5.10.
If you use Drupal 10.4.x or earlier, update to Drupal 10.4.10.
Drupal 9 and 8
If you use any version of Drupal 9, try manually applying the Drupal 9.5 patch for this issue.
If you use Drupal 8.9, try manually applying the Drupal 8.9 patch for this issue.
The official patch illustrates both the root cause and the condition under which the vulnerability is triggered.
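The defect class described above, as an added illustration that is neither Drupal's code nor the official patch: filter array keys end up naming columns, so unlike values they cannot be bound as query parameters and must be validated against a known set of identifiers before they reach the SQL text. The table, column names and sample rows are constructed for the example.

```python
import re
import sqlite3

# Hypothetical allowlist of columns a filter may reference (constructed).
ALLOWED_COLUMNS = {"title", "status", "created"}
IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def validate_key(key):
    """True only if the filter key is a plain identifier on the allowlist."""
    return IDENTIFIER.fullmatch(key) is not None and key in ALLOWED_COLUMNS


def unsafe_where(filters):
    # Vulnerable pattern: the client-controlled array key is pasted into the
    # SQL text verbatim; only the value is parameterised.
    clauses = [f"{key} = ?" for key in filters]
    return " AND ".join(clauses), list(filters.values())


def safe_where(filters):
    # Hardened pattern: reject any key that is not a known column name, then
    # quote it as an identifier and bind the value as a parameter.
    clauses, params = [], []
    for key, value in filters.items():
        if not validate_key(key):
            raise ValueError(f"rejected filter key: {key!r}")
        clauses.append(f'"{key}" = ?')
        params.append(value)
    return " AND ".join(clauses) or "1", params


def query(filters, builder=safe_where):
    """Run the filter against a constructed in-memory content table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE content (title TEXT, status INTEGER)")
    conn.executemany("INSERT INTO content VALUES (?, ?)",
                     [("hello", 1), ("draft", 0), ("secret", 0)])
    where, params = builder(filters)
    rows = conn.execute(f"SELECT title FROM content WHERE {where}",
                        params).fetchall()
    conn.close()
    return [row[0] for row in rows]


if __name__ == "__main__":
    print(query({"status": 1}))                 # ['hello']
    print(validate_key("title)"))               # False: not an identifier
    print(unsafe_where({"title)": "x"})[0])     # key reaches the SQL text
```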
Recommended actions
Customers using the HAProxy Enterprise WAF are already protected and do not need to update or modify their rules.
This screenshot from the HAProxy Fusion Control Plane Request Explorer shows that the HAProxy Enterprise WAF detects and blocks the attack:
We strongly recommend upgrading Drupal or applying the official patch. Upgrade instructions and full advisory details are provided by the Drupal Security Team at https://www.drupal.org/sa-core-2026-004.