
A critical SQL injection flaw in Drupal Core is being actively exploited, allowing unauthenticated attackers to compromise PostgreSQL-based sites. The Drupal Security Team advisory urges immediate updates, as the activity coincides with a noticeable increase in pure extortion campaigns, where threat actors leak or threaten to leak stolen data instead of deploying ransomware.
The vulnerability, tracked as CVE-2026-9082, carries a CVSS v3 score of 9.8 and resides in Drupal’s database abstraction API. It can be triggered over the network without authentication by sending specially crafted requests that manipulate SQL queries. Successful exploitation enables arbitrary SQL execution, leading to data disclosure, privilege escalation and potential remote code execution. CISA added the flaw to its Known Exploited Vulnerabilities catalogue.
Drupal released patched versions on 20 May 2026, including 11.3.10 and 11.2.12 for the 11.x branch and 10.6.9 and 10.5.10 for the 10.x line. Drupal 7 is not affected, and only sites using PostgreSQL are at risk; these represent roughly five percent of all Drupal installations but still amount to thousands of hosts globally. Tenable analysis highlights that the flaw stems from insufficient sanitisation of user input before it reaches the database layer.
Within two days of the public advisory, over fifteen thousand exploitation attempts were recorded, targeting nearly six thousand unique domains across sixty-five countries. The majority of observed hits focused on gaming and financial services providers. Security Affairs reporting notes that attackers are increasingly using stolen information for extortion rather than encrypting systems for ransom.
Administrators should prioritize applying the relevant patch to all Drupal instances running PostgreSQL. If immediate updating is not possible, they should restrict database network access to trusted addresses and deploy web application firewall rules that block common SQL injection patterns. Reviewing authentication logs for unexpected query patterns and enabling detailed database audit trails can help detect ongoing abuse, as outlined in the Akamai mitigation guidance.
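One way to turn the patching priority above into a triage pass over a site inventory, added here as an example and not taken from the Drupal advisory or any vendor cited: it uses only the fixed releases and scope stated in this article. The inventory format, host names and function names are assumptions, and branches the article does not name are reported as `check-advisory` rather than guessed.

```python
import re

# Fixed release per minor branch, as listed in the article: (major, minor) -> patch.
FIXED = {(11, 3): 10, (11, 2): 12, (10, 6): 9, (10, 5): 10}
PG_DRIVER = "pgsql"  # Drupal's database driver name for PostgreSQL
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")

def classify(version, driver):
    """Return 'not-affected', 'patched', 'vulnerable' or 'check-advisory'."""
    if driver.strip().lower() != PG_DRIVER:
        return "not-affected"        # only PostgreSQL-backed sites are at risk
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        return "check-advisory"      # dev/rc strings etc.: do not guess
    major, minor = int(m[1]), int(m[2])
    if major == 7:
        return "not-affected"        # Drupal 7 is not affected
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None or m[3] is None:
        return "check-advisory"      # branch not named in the article
    return "patched" if int(m[3]) >= fixed_patch else "vulnerable"

def triage(inventory_text):
    """Map host -> status for 'host version driver' lines; '#' starts a comment."""
    results = {}
    for raw in inventory_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) == 3:
            host, version, driver = fields
            results[host] = classify(version, driver)
    return results

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = """
# host                 drupal_version  db_driver
shop.example.test      11.3.9          pgsql
blog.example.test      11.3.10         pgsql
api.example.test       10.6.12         pgsql
intranet.example.test  10.5.4          mysql
legacy.example.test    7.98            pgsql
old.example.test       10.4.2          pgsql
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:24} {status}")
```

Hosts reported as `vulnerable` are the ones to patch first; `check-advisory` entries need a manual look at the Drupal advisory for their branch.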
Organisations are advised to maintain recent offline backups of critical data and to review privilege segregation so that a compromised database account cannot leverage excessive rights. Running regular vulnerability scans and subscribing to Drupal security announcements will help stay ahead of similar issues. In the event of an extortion demand, contacting law enforcement and preserving evidence is recommended before considering any payment, as discussed in the Pantheon release notes.