Drupal core - Critical - PHP object injection - SA-CORE-2026-005
Project: Drupal core Date: 2026-June-17 Security risk: Critical 18 ∕ 25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon Vulnerability: PHP object injection Affected versions: <10.5.12 || >=10.6.0 <10.6.11 || >=11.2.0 <11.2.14 || >=11.3.0 <11.3.12 || 11.0.* || 11.1.* CVE IDs: CVE-2026-55803 Description: SA-CORE-2019-003 added protection for fields that store serialized data to disallow direct writes via web services. The above fix did not cover all potential attack vectors for JSON:API. An attacker with appropriate JSON:API write permission could potentially inject a malicious payload in certain rare circumstances, potentially resulting in PHP Object Injection. This vulnerability is mitigated by the fact that in order to be exploitable: A site must use an entity reference field type that stores a serialized property. An attacker must have permission to write to the entity via JSON:API. No field type shipped with Drupal core meets these criteria, and contributed or user-created field types that do appear to be extremely unusual. This update protects all such fields; no changes are required in contributed modules. JSON:API is read-only by default, so sites are only affected if they have enabled write access (either through administrator configuration or the installation of a contributed or custom module that enables write access). Drupal Steward protection: This issue is being protected by Drupal Steward . In this instance, we believe that the WAF rule will provide mitigation for the common/obvious vulnerability paths, but may not cover all cases or work for all hosting providers. Additionally, several other core security advisories released today are not mitigated by Drupal Steward. Therefore, our recommended action is still to plan an actual Drupal update within 24 hours of this release. Solution: Install the latest version: Drupal 11 If you use Drupal 11.3.x, update to Drupal 11.3.12 . If you use Drupal 11.2.x, update to Drupal 11.2.14 . Drupal 10 If you use
CSIRTS triage
- What
- PHP object injection vulnerability due to insufficient protection for serialized data.
- Who is affected
- Users of affected Drupal core versions.
- Urgency
- Critical remediation is needed due to the severity of the vulnerability.
- Action
- Update to the latest version of Drupal or the specified versions.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch Drupal core
Get an email when a new Drupal core advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://www.drupal.org/sa-core-2026-005
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-55803 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
Recent advisories for Drupal core -
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- unknownCVE-2026-55808: Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerabi…nvd · 2026-07-10
- unknownCVE-2026-55807: Server-Side Request Forgery (SSRF) vulnerability in Drupal Drupal core allows Server Side Requ…nvd · 2026-07-10
- unknownCVE-2026-55806: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Drupal Drupal core allows…nvd · 2026-07-10
- unknownCVE-2026-55804: Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability i…nvd · 2026-07-10
- unknownCVE-2026-55803: Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability i…nvd · 2026-07-10
- unknownCVE-2026-10769: Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerabi…nvd · 2026-07-10
More from Drupal Security Advisories
- criticalDrupal core - Moderately critical - Improper validation - SA-CORE-2026-0092026-06-17
- criticalDrupal core - Moderately critical - Server-side request forgery - SA-CORE-2026-0082026-06-17
- criticalDrupal core - Less critical - Cache poisoning and open redirect - SA-CORE-2026-0072026-06-17
- criticalDrupal core - Moderately critical - Gadget chain - SA-CORE-2026-0062026-06-17
- criticalDrupal core - Highly critical - SQL injection - SA-CORE-2026-0042026-05-20