All incidents

Drupal Core SQL injection flaw (CVE-2026-9082) exploited in the wild

vulnerabilityclosedMay 21, 2026 — May 24, 2026
Drupal Core SQL injection flaw (CVE-2026-9082) exploited in the wild

DRUPAL has warned that a critical SQL injection flaw in its core is under active attack, with threat actors using CVE‑2026-9082 to compromise PostgreSQL‑based sites without needing any credentials. The vulnerability was disclosed in the security advisory SA‑CORE‑2026-004 and carries a CVSS base score of 9.8. Security Affairs noted that exploitation began within hours of the public alert, affecting sites across the globe. Immediate action is urged for any organisation running a Drupal site that relies on PostgreSQL.

The flaw, tracked as CVE-2026-9082, exists in the database abstraction API that Drupal uses to sanitise queries before they are sent to PostgreSQL. An unauthenticated attacker can send a specially crafted request that modifies the query structure, allowing arbitrary SQL to be executed on the backend database. Successful exploitation can lead to the disclosure of sensitive information, the creation of privileged accounts, or the execution of malicious code on the server. The vulnerability affects all Drupal core releases that are configured to work with PostgreSQL, regardless of the underlying operating system.

Telemetry collected by Drupal’s security team shows that more than fifteen thousand exploitation attempts were recorded in the first forty‑eight hours after the advisory was published. Those attempts were directed at nearly six thousand distinct sites spread across sixty‑five countries, with a noticeable concentration in the gaming and financial sectors.

Although only roughly five percent of Drupal deployments use PostgreSQL as their database engine, the absolute number of exposed installations remains large enough to attract broad attention. The exploit does not require any form of authentication, which has contributed to the high volume of observed traffic.

On 22 May 2026 the U.S. Cybersecurity and Infrastructure Security Agency added CVE‑2026-9082 to its Known Exploited Vulnerabilities catalogue, obliging federal agencies to remediate the flaw by 27 May 2026. Security Affairs highlighted that the spike in activity parallels a growing trend of pure extortion attacks, where criminals seek direct payment rather than deploying ransomware. No specific threat‑actor group has been publicly identified in connection with these incidents, but the pattern suggests opportunistic scanning rather than a targeted campaign. The rapid adoption of the flaw by automated scanners highlights the danger of delaying patches on internet‑facing services.

The speed at which attackers pivoted to exploit this vulnerability mirrors the rapid abuse seen in earlier Drupalgeddon episodes, showing that even a niche database configuration can become a high‑value target when a critical flaw is left unmitigated. Researchers point out that the combination of unauthenticated network access and the potential for remote code execution raises the risk profile far above that of typical SQL injection bugs.

While the overall number of Drupal sites running PostgreSQL remains modest, the interconnected nature of the web means that thousands of hosts are still reachable from the public internet. This situation serves as a reminder that patch management must cover all supported components, not just the most commonly used ones.

Administrators should first apply the official patch released for Drupal core versions 9.5.13, 10.1.5 and 10.2.4, or upgrade to the latest minor release that incorporates the fix. After updating, they are advised to review PostgreSQL logs for any anomalous queries that might indicate prior compromise and to reset any database credentials that could have been exposed.

Limiting direct PostgreSQL connectivity to trusted subnets and enabling a web‑application‑firewall rule set that blocks common SQL‑injection patterns can provide an additional layer of defence while the patch is being rolled out. Finally, organisations should verify that all dependent libraries, such as Symfony and Twig, are also up to date, as the same advisory addressed several other issues in those packages.

Intelligence briefing updated Jun 10, 2026

CVE-2026-9082 9.8 KEV
Root sourcewww.drupal.org
Timeline Coverage

Swipe to explore timeline