Drupal Core CVE-2026-9082 SQL Injection Is Being Exploited

Drupal Core CVE-2026-9082 is a PostgreSQL-only SQL injection flaw now listed in CISA KEV. Patch affected Drupal branches and check logs for exploit attempts.

Drupal Core CVE-2026-9082 is now an active patch priority after CISA added the SQL injection flaw to its Known Exploited Vulnerabilities catalog on May 22, 2026. The agency set a remediation due date of May 27, 2026, a short window that matches Drupal’s own update note that exploit attempts are being detected in the wild.[2][1]

[Illustration: a Drupal Core castle with a PostgreSQL pipe being patched for CVE-2026-9082. Caption: The front gate looked calm; the database pipe needed the patch.]

The vulnerability sits in Drupal Core’s database abstraction layer. Drupal says crafted requests can trigger arbitrary SQL injection on sites that use PostgreSQL, which can lead to information disclosure and, in some cases, privilege escalation, remote code execution, or other follow-on attacks.[1] The detail that should make site owners move quickly is that the flaw is reachable by anonymous users: an attacker does not need a Drupal account, only HTTP access to a vulnerable public site.

The CVE record lists affected Drupal Core branches from 8.9.0 onward: versions before 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, and 11.3.10.[3] NVD currently scores the flaw CVSS 6.5, while Drupal rates SA-CORE-2026-004 as Highly critical, with in-the-wild exploitation reflected in the advisory’s risk score.[4][1] The gap is a reminder that a base CVSS score does not capture CMS exposure, anonymous reachability, or the operational cost of a compromised database-backed site.

What Drupal site owners should patch and check

If you run Drupal on PostgreSQL, patch first. Drupal 11.3.x moves to 11.3.10, 11.2.x to 11.2.12, 11.1.x or 11.0.x to 11.1.10, 10.6.x to 10.6.9, 10.5.x to 10.5.10, and 10.4.x or earlier to 10.4.10.[1] Drupal 8 and 9 are end-of-life, but the advisory points administrators to best-effort patches for 8.9 and 9.5. Those branches should still be treated as high risk: the best-effort patch covers this one flaw, and other vulnerabilities in unsupported branches go unfixed.
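A version-triage helper, added here as an example and not code from Drupal or the advisory, that encodes the branch-to-release table above, including the 11.0.x and "10.4.x or earlier" fallbacks and the end-of-life 8.9/9.5 note. The installed version string is assumed to be supplied by the operator (for example from composer.lock or \Drupal::VERSION); the status labels and action strings are this example's own wording.

```python
"""Triage an installed Drupal core version against SA-CORE-2026-004.

Added example for this article, not code from Drupal. The branch table is
the one the advisory gives (as quoted above); the version string itself is
an input the operator supplies, e.g. from composer.lock or \\Drupal::VERSION.
"""
from __future__ import annotations

# Branches that are end-of-life but received best-effort patches per the advisory.
EOL_BEST_EFFORT = {(8, 9), (9, 5)}


def parse_version(version: str) -> tuple[int, int, int]:
    """'10.5.3' or '11.2.0-rc1' -> (10, 5, 3) / (11, 2, 0); pre-release tags are dropped."""
    numbers = version.split("-")[0].split(".")
    parts = [int(n) for n in numbers]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def fixed_release(version: str) -> str | None:
    """Release a site on `version` should move to, or None if the branch is not
    one the advisory names (a newer minor than 11.3/10.6, or Drupal 7 and older)."""
    major, minor, _ = parse_version(version)
    if major == 11:
        if minor >= 3:
            return "11.3.10" if minor == 3 else None
        if minor == 2:
            return "11.2.12"
        return "11.1.10"      # advisory: 11.1.x and 11.0.x both move to 11.1.10
    if major == 10:
        if minor >= 6:
            return "10.6.9" if minor == 6 else None
        if minor == 5:
            return "10.5.10"
        return "10.4.10"      # advisory: 10.4.x or earlier moves to 10.4.10
    return None


def triage(version: str) -> dict[str, str]:
    """Classify one core version as patched, vulnerable, eol or unlisted and say what to do."""
    parsed = parse_version(version)
    if parsed[:2] in EOL_BEST_EFFORT:
        return {"version": version, "status": "eol",
                "action": "apply the best-effort patch, then migrate off the unsupported branch"}
    if parsed[0] in (8, 9):
        return {"version": version, "status": "eol",
                "action": "no patch for this branch; upgrade to a supported release"}
    target = fixed_release(version)
    if target is None:
        return {"version": version, "status": "unlisted",
                "action": "branch not named in the advisory; check drupal.org directly"}
    if parsed >= parse_version(target):
        return {"version": version, "status": "patched",
                "action": "nothing to patch for this CVE; still review logs for earlier probing"}
    return {"version": version, "status": "vulnerable", "action": f"update to {target}"}


if __name__ == "__main__":
    for v in ("10.5.3", "11.0.4", "11.3.10", "9.5.11", "9.4.0", "12.0.0"):
        r = triage(v)
        print(f"{v:>8}: {r['status']:<10} {r['action']}")
```

The comparison is done on the parsed tuple rather than on the raw string so that 10.5.3 is correctly ordered before 10.5.10; a pre-release such as 11.2.0-rc1 is treated as its base version and therefore reported vulnerable.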

Drupal notes that the SQL injection path only affects PostgreSQL-backed sites, but the same security releases also ship coordinated Symfony and Twig updates that apply regardless of database backend.[1] MySQL or SQLite sites should therefore not skip the release just because this injection path is PostgreSQL-only. While you are there, review who can edit Twig templates, Views, and contributed modules, especially on larger editorial or agency-run sites where several roles can change rendering behavior.

For triage, confirm the database backend (the driver key under $databases in settings.php, pgsql for PostgreSQL), the Drupal branch and exact core version, which JSON:API routes are exposed, and whether anonymous traffic can reach the JSON login endpoint or content API endpoints. Searchlight Cyber’s technical analysis describes anonymous paths that surface PostgreSQL errors such as SQLSTATE[HY093] or SQLSTATE[22012] on vulnerable installs.[5] Defenders do not need to reproduce those requests to act. The useful move is to review web and PHP logs for unusual JSON login requests, JSON:API filter parameters, bursts of HTTP 500 responses, database errors carrying those SQLSTATE codes, newly changed admin accounts, unexpected content changes, and file writes that follow suspicious requests.
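A log-review script, added here as an example and not a tool from Drupal or Searchlight Cyber, that runs the checks just listed over access-log and PHP error-log lines: it tags JSON login requests (Drupal core’s /user/login?_format=json route), JSON:API filter parameters, and HTTP 500 responses, reports clients that combined those with a burst of 500s, and separately pulls out error-log lines carrying SQLSTATE[HY093] or SQLSTATE[22012]. The log lines embedded in it are constructed for the example, the burst threshold is an assumption to tune per site, and the filter values are ordinary JSON:API syntax rather than exploit strings.

```python
"""Review web-server access logs and a PHP error log for CVE-2026-9082 probing.

Added example for this article, not a tool from Drupal or Searchlight Cyber.
It looks for the log features the article lists: JSON login requests
(/user/login?_format=json), JSON:API filter parameters, bursts of HTTP 500
responses from one client, and PostgreSQL SQLSTATE[HY093]/SQLSTATE[22012]
errors. The sample lines below are constructed, not real traffic.
"""
from __future__ import annotations

import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Apache/nginx "combined" format; the request target is kept raw because
# JSON:API brackets may be logged literally or percent-encoded.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
SQLSTATE_RE = re.compile(r"SQLSTATE\[(HY093|22012)\]")

ERROR_BURST = 3  # assumed threshold: 500s from one client before it is flagged


def classify_request(target: str, status: str) -> set[str]:
    """Tag one request with the indicators it matches (may be empty)."""
    parts = urlsplit(target)
    query = unquote(parts.query)          # %5B...%5D -> [...]
    tags: set[str] = set()
    if parts.path.startswith("/user/login") and "_format=json" in query:
        tags.add("json_login")
    if parts.path.startswith("/jsonapi") and "filter[" in query:
        tags.add("jsonapi_filter")
    if status == "500":
        tags.add("http_500")
    return tags


def review_access_log(lines: list[str]) -> dict[str, dict[str, int]]:
    """Count indicators per client IP; lines that do not parse are skipped."""
    per_ip: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        for tag in classify_request(m["target"], m["status"]):
            per_ip[m["ip"]][tag] += 1
    return {ip: dict(counts) for ip, counts in per_ip.items()}


def suspicious_clients(per_ip: dict[str, dict[str, int]]) -> list[str]:
    """Clients that touched JSON login or JSON:API filters and also drew a burst of 500s."""
    hits = []
    for ip, counts in per_ip.items():
        touched_api = counts.get("json_login", 0) or counts.get("jsonapi_filter", 0)
        if touched_api and counts.get("http_500", 0) >= ERROR_BURST:
            hits.append(ip)
    return sorted(hits)


def find_sqlstate_errors(lines: list[str]) -> list[str]:
    """Error-log lines carrying the PostgreSQL SQLSTATE codes named in the analysis."""
    return [ln for ln in lines if SQLSTATE_RE.search(ln)]


# Constructed sample lines (RFC 5737 addresses). The filter parameters are plain
# JSON:API syntax, not an exploit string; one line is deliberately malformed.
SAMPLE_ACCESS = [
    '203.0.113.10 - - [22/May/2026:10:15:01 +0000] "POST /user/login?_format=json HTTP/1.1" 500 532 "-" "python-requests/2.31"',
    '203.0.113.10 - - [22/May/2026:10:15:02 +0000] "GET /jsonapi/node/article?filter%5Btitle%5D%5Bvalue%5D=test HTTP/1.1" 500 611 "-" "python-requests/2.31"',
    '203.0.113.10 - - [22/May/2026:10:15:03 +0000] "GET /jsonapi/node/article?filter[status][value]=1 HTTP/1.1" 500 611 "-" "python-requests/2.31"',
    '198.51.100.7 - - [22/May/2026:10:16:00 +0000] "GET /jsonapi/node/article?filter[status][value]=1 HTTP/1.1" 200 8423 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [22/May/2026:10:16:05 +0000] "GET /node/12 HTTP/1.1" 200 15020 "-" "Mozilla/5.0"',
    "garbage line that does not parse",
]
SAMPLE_ERRORS = [
    "[22-May-2026 10:15:02 UTC] PHP Fatal error: Uncaught Drupal\\Core\\Database\\DatabaseExceptionWrapper: SQLSTATE[HY093]: Invalid parameter number",
    "[22-May-2026 10:16:00 UTC] PHP Notice: Undefined index: foo in /var/www/html/modules/custom/example.module",
]

if __name__ == "__main__":
    counts = review_access_log(SAMPLE_ACCESS)
    for ip in suspicious_clients(counts):
        print(f"review client {ip}: {counts[ip]}")
    for ln in find_sqlstate_errors(SAMPLE_ERRORS):
        print("db error:", ln)
```

A legitimate front end that filters JSON:API collections will show jsonapi_filter hits without 500s, which is why the flag requires both; lower ERROR_BURST on a quiet site, and feed the output into the account, content and file-change checks that follow rather than treating a hit as a confirmed compromise.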

Because exploited CMS flaws often become a doorway into broader web compromise, treat confirmed probing as more than noise. Rotate privileged Drupal credentials, check recently added users and roles, inspect contributed modules and themes, and verify that backups are clean. The pattern is similar to other public web-surface issues covered on howtofix.guide, including earlier Drupal site-hijack risk, MetInfo CMS unauthenticated RCE exploitation, and attacks against Elementor Pro on WordPress sites: patching matters, but post-patch log review is what tells you whether the site was already touched.

References

  1. Drupal Security Team. “Drupal core – Highly critical – SQL injection – SA-CORE-2026-004.” May 20, 2026; updated May 22, 2026. https://www.drupal.org/sa-core-2026-004
  2. CISA. “Known Exploited Vulnerabilities Catalog: CVE-2026-9082.” https://www.cisa.gov/known-exploited-vulnerabilities-catalog
  3. CVE Program. “CVE-2026-9082 record.” https://cveawg.mitre.org/api/cve/CVE-2026-9082
  4. NVD. “CVE-2026-9082.” https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-9082
  5. Searchlight Cyber. “Keys to the Kingdom: Anonymous SQL Injection in Drupal Core (CVE-2026-9082).” https://slcyber.io/research-center/keys-to-the-kingdom-anonymous-sql-injection-in-drupal-core-cve-2026-9082/

About the author

Emma Davis

Content editor and security writer focused on making malware-removal and scam-prevention guides easier to understand. Emma reviews structure, clarity, and source consistency before articles are published.
