CVE-2026-6366: Drupal Core Object Injection Vulnerability

CVE-2026-6366 Overview

CVE-2026-6366 is an object injection vulnerability in Drupal core caused by improperly controlled modification of dynamically-determined object attributes [CWE-915]. The flaw affects multiple Drupal core release branches and allows an authenticated attacker with high privileges to manipulate object attributes during runtime. Successful exploitation can compromise the confidentiality, integrity, and availability of the affected Drupal installation. The vendor addressed the issue in advisory SA-CORE-2026-002 with fixed releases across the 10.5.x, 10.6.x, 11.2.x, and 11.3.x branches.

Critical Impact

An authenticated attacker can inject crafted objects into Drupal core to manipulate application state, potentially leading to data tampering, information disclosure, and service disruption.

Affected Products

• Drupal core 8.0.0 up to (excluding) 10.5.9
• Drupal core 10.6.0 up to (excluding) 10.6.7
• Drupal core 11.0.0 up to (excluding) 11.2.11 and 11.3.0 up to (excluding) 11.3.7

Discovery Timeline

• 2026-05-19 - CVE-2026-6366 published to NVD
• 2026-05-20 - Last updated in NVD database

Technical Details for CVE-2026-6366

Vulnerability Analysis

The vulnerability is classified under [CWE-915]: Improperly Controlled Modification of Dynamically-Determined Object Attributes. Drupal core permits modification of object attributes that should not be writable by external input. When attacker-controlled data reaches a code path that dynamically assigns properties to PHP objects, the attacker can overwrite internal state and influence subsequent application logic. This pattern is commonly referred to as object injection.

Exploitation requires network access and high privileges, which limits the population of attackers but does not eliminate insider or compromised-account risk. The attack does not require user interaction, and the scope remains unchanged. Successful exploitation impacts confidentiality, integrity, and availability of the affected Drupal site.

Root Cause

The root cause is insufficient validation of input keys and values used to populate object properties during deserialization or attribute assignment in Drupal core. The framework does not enforce an allowlist of writable properties for the affected code paths, allowing attacker-supplied input to mutate object state in ways the developer did not intend.

Attack Vector

The attack is delivered over the network against the Drupal application layer. An attacker who already holds a privileged account, such as a content administrator or site builder, submits crafted input that reaches the vulnerable attribute-assignment logic. The injected attributes alter object behavior on subsequent operations, enabling data manipulation or further chained exploitation within the PHP runtime.

No public proof-of-concept is available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the Drupal Security Advisory for vendor-supplied technical details.

Detection Methods for CVE-2026-6366

Indicators of Compromise

• Unexpected serialized PHP payloads or object markers (O:, s:) in HTTP request bodies, query strings, or form parameters submitted to authenticated endpoints.
• Modifications to Drupal configuration, content entities, or user roles that do not correlate with legitimate administrative activity in audit logs.
• Anomalous PHP errors or warnings referencing unexpected property assignments or magic method invocations in Drupal logs.

Detection Strategies

• Inspect web application logs for privileged users submitting payloads to administrative routes containing serialized data structures or unusual attribute names.
• Correlate authenticated session activity with database writes to detect attribute mutations inconsistent with normal editorial workflows.
• Apply web application firewall rules to flag requests carrying PHP serialization patterns to Drupal endpoints.

Monitoring Recommendations

• Enable Drupal's dblog or syslog module and forward events to a centralized logging platform for retention and analysis.
• Monitor file integrity on the Drupal codebase, sites/default/files, and the settings.php configuration file for unauthorized changes.
• Alert on creation of new administrative users, role changes, or modifications to the system.site configuration outside change windows.

How to Mitigate CVE-2026-6366

Immediate Actions Required

• Upgrade Drupal core to 10.5.9, 10.6.7, 11.2.11, or 11.3.7 or later, depending on the branch in use.
• Audit accounts with elevated permissions and revoke unnecessary administrative access until patching is complete.
• Rotate credentials for privileged users and review recent administrative activity for signs of misuse.

Patch Information

The Drupal Security Team published advisory SA-CORE-2026-002 with patched releases across all supported branches. See the Drupal Security Advisory for the official fixed versions and release notes. Sites running unsupported Drupal 8.x or 9.x versions should migrate to a supported branch before applying fixes.

Workarounds

• Restrict access to administrative paths using network-level controls or reverse proxy rules until patches are applied.
• Reduce the number of accounts with permissions that map to the high-privilege requirement in the CVSS vector.
• Place a web application firewall in front of the Drupal site and block requests containing PHP serialization signatures on non-API endpoints.

# Example: upgrade Drupal core via Composer to a fixed release
composer require 'drupal/core-recommended:^10.5.9' \
  'drupal/core-composer-scaffold:^10.5.9' \
  'drupal/core-project-message:^10.5.9' --update-with-all-dependencies

# Apply database updates after deploying the new code
vendor/bin/drush updatedb -y
vendor/bin/drush cache:rebuild