Drupal core - Critical - PHP object injection - SA-CORE-2026-005

Drupal core - Critical - PHP object injection - SA-CORE-2026-005

https://www.drupal.org/security/rss.xml / Wed, 06/17/2026 - 20:45
Project: 
Drupal core
Date: 
2026-June-05
Security risk: 
Critical 18 ∕ 25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon
Vulnerability: 
PHP object injection
Affected versions: 
<10.5.12 || >=10.6.0 <10.6.11 || >=11.2.0 <11.2.14 || >=11.3.0 <11.3.12 || 11.0.* || 11.1.*
CVE IDs: 
CVE-2026-55803
Description: 

SA-CORE-2019-003 added protection for fields that store serialized data to disallow direct writes via web services.

The above fix did not cover all potential attack vectors for JSON:API. An attacker with appropriate JSON:API write permission could potentially inject a malicious payload in certain rare circumstances, potentially resulting in PHP Object Injection.

This vulnerability is mitigated by the fact that in order to be exploitable:

  • A site must use an entity reference field type that stores a serialized property.
  • An attacker must have permission to write to the entity via JSON:API.

No field type shipped with Drupal core meets these criteria, and contributed or user-created field types that do appear to be extremely unusual. This update protects all such fields; no changes are required in contributed modules.

JSON:API is read-only by default, so sites are only affected if they have enabled write access (either through administrator configuration or the installation of a contributed or custom module that enables write access).

DrupalSteward protection:

This issue is being protected by Drupal Steward. In this instance, we believe that the WAF rule will provide mitigation for the common/obvious vulnerability paths, but may not be able to cover all cases or work for all hosting providers. Additionally, several other core security advisories released today are not mitigated by Drupal Steward. Therefore, our recommended action is still to plan an actual Drupal update within 24 hours of this release.

Solution: 

Install the latest version:

Drupal 11

Drupal 10

Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

Reported By: 
Fixed By: 
Coordinated By: 

About

Kenya Education Network CERT(KENET-CERT) is a Cybersecurity Emergency Response Team and Co-ordination Center operated by the National Research and Education Network of Kenya. KENET-CERT coordination center promotes awareness on cybersecurity incidences as well as coordinates and assists member institutions in responding effectively to cyber security threats and incidences. KENET-CERT works closely with Kenya's National CIRT coordination center (CIRT/CC) as a sector CIRT for the academic institutions. KENET promotes use of ICT in Teaching, Learning and Research in Higher Education Institutions in Kenya. KENET aims to interconnect all the Universities, Tertiary and Research Institutions in Kenya by setting up a cost effective and sustainable private network with high speed access to the global Internet. KENET also facilitates electronic communication among students and faculties in member institutions, share learning and teaching resources by collaboration in Research and Development of Educational content.