
Drupal CVE-2026-9082: Critical SQL Injection Now Exploited

Hackers are actively exploiting Drupal's critical SQL injection flaw CVE-2026-9082. Learn which versions are affected and how to patch immediately.

May 22, 2026 | VibeWShield News Agent | Source: bleepingcomputer.com
Editorial note: This article was generated by VibeWShield's AI news agent based on the original report. It has been reviewed for accuracy but may contain AI-generated summaries. Always verify critical details from the original source.

Drupal CVE-2026-9082: Active Exploitation Confirmed

Drupal has confirmed that attackers are actively exploiting a critical SQL injection vulnerability in its core database abstraction API. The flaw, tracked as CVE-2026-9082, was first disclosed on May 18, 2026, with Drupal warning administrators that exploitation could begin "within hours or days." That window closed fast. By May 22, the project updated its advisory to note that exploit attempts are already being detected in the wild.

The vulnerability was discovered by Google/Mandiant researcher Michael Maturi. Drupal rates it as "highly critical" with an internal score of 23 out of 25. NIST currently pegs it at a CVSS v3 score of 6.5 (medium), but the gap between those scores reflects a common tension between theoretical impact and real-world exploitability. With active exploitation confirmed, the practical severity is clear regardless of what any scoring system says.

How This SQL Injection Vulnerability Works

The flaw lives in Drupal's database abstraction layer. Specially crafted HTTP requests can manipulate SQL queries on sites running PostgreSQL backends, allowing an attacker to inject arbitrary SQL commands without needing any authentication credentials.

Unauthenticated SQL injection is about as bad as it gets. There is no login wall, no session token, nothing slowing an attacker down. A successful exploit can lead to remote code execution, privilege escalation, and full information disclosure. If your Drupal site sits on PostgreSQL and hasn't been patched, assume it's a target right now.

The attack surface is the database query layer itself, not a plugin or theme. That means custom modules built on Drupal's API can inherit this exposure without any obvious indication at the code level.

Affected Versions and Patch Availability

CVE-2026-9082 affects a wide range of Drupal releases:

  • Drupal 8.9.x
  • Drupal 10.4.x before 10.4.10
  • Drupal 10.5.x before 10.5.10
  • Drupal 10.6.x before 10.6.9
  • Drupal 11.0.x and 11.1.x before 11.1.10
  • Drupal 11.2.x before 11.2.12
  • Drupal 11.3.x before 11.3.10

Drupal 8 and 9 are both end-of-life. Patches for those branches are provided on a best-effort basis only. Running EoL software means stacking unpatched known vulnerabilities on top of each other. If your infrastructure still runs Drupal 8 or 9, migrating to a supported version needs to be the priority.
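As an added example (not part of the original article or of Drupal's own tooling), a small Python check that maps the affected-version list above onto an inventory entry and, following the advice in this article, ranks PostgreSQL-backed sites first. Branches the advisory does not name are reported as "not listed" rather than safe; the driver names are assumed labels for what a site inventory might record.

```python
import re

# Affected branches as listed in the advisory summary above. Value = first fixed
# patch level in that branch; None = every release in the branch is affected and
# the fix lives elsewhere (8.9.x is end-of-life; 11.0.x is fixed only in 11.1.10).
AFFECTED_BRANCHES = {
    (8, 9): None,
    (10, 4): 10,
    (10, 5): 10,
    (10, 6): 9,
    (11, 0): None,
    (11, 1): 10,
    (11, 2): 12,
    (11, 3): 10,
}

# Assumed inventory labels for a PostgreSQL backend (not Drupal identifiers).
POSTGRES_DRIVERS = {"pgsql", "postgresql", "postgres"}


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse a plain x.y.z Drupal core version; pre-release tags are rejected."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unsupported Drupal version string: {version!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return major, minor, patch


def assess(version: str) -> str:
    """Return 'affected', 'fixed' or 'not listed' for one Drupal core version."""
    major, minor, patch = parse_version(version)
    if (major, minor) not in AFFECTED_BRANCHES:
        # e.g. 10.3.x: not named in the advisory, so not known safe either.
        return "not listed"
    first_fixed = AFFECTED_BRANCHES[(major, minor)]
    if first_fixed is None:
        return "affected"
    return "fixed" if patch >= first_fixed else "affected"


def triage(version: str, db_driver: str) -> str:
    """PostgreSQL sites are directly exploitable; all others still need the
    bundled Symfony/Twig fixes, so an affected version is never 'done'."""
    status = assess(version)
    if status != "affected":
        return status
    if db_driver.lower() in POSTGRES_DRIVERS:
        return "urgent: directly exploitable, patch now"
    return "update: not directly exploitable, dependency fixes pending"
```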

How to Protect Your Drupal Site

Patching is the only real fix here. Update to the latest available release for your branch immediately. The updated releases also bundle fixes for upstream dependencies including Symfony and Twig, so the patch payload covers more than just this one CVE.

Even if your site runs MySQL or MariaDB instead of PostgreSQL, update anyway. The upstream dependency fixes apply regardless of your database engine, and staying current reduces your exposure to follow-on vulnerabilities.

Beyond patching, a few additional steps are worth taking right now. Review your web application firewall rules for SQL injection patterns. Check your server logs for unusual database errors or unexpected query patterns since the early indicators of exploitation often show up there first. Run a fresh scan of your application endpoints to confirm no other injection vectors are exposed. You can do that directly at VibeWShield's scanner.

For broader coverage of Drupal and CMS-related vulnerabilities, see our CMS security vulnerability roundup.

FAQ

Is this vulnerability exploitable on MySQL or MariaDB, not just PostgreSQL? The SQL injection flaw specifically targets Drupal sites running PostgreSQL. Sites on MySQL or MariaDB are not directly vulnerable to CVE-2026-9082, but Drupal still recommends updating all installations because the patched releases include fixes for Symfony and Twig dependencies.

Do I need authentication to exploit CVE-2026-9082? No. The vulnerability is exploitable without any credentials. An unauthenticated attacker can send a crafted request and trigger SQL injection directly, which is why Drupal's internal severity score is so high despite the moderate CVSS rating.

What should I check if I think my site was already compromised? Look for unexpected admin accounts, modified PHP files, unusual outbound connections, and database queries in your logs that contain SQL metacharacters. A post-exploit scan using an automated DAST tool can also surface any webshells or injected endpoints that an attacker may have left behind.
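As an added example (not from the original article or any Drupal tooling), a Python triage script that applies the two log checks recommended above, SQL metacharacters in request URLs and unusual PostgreSQL errors, to constructed sample log lines. The log formats, the keyword list and the error patterns are assumptions; real sites should tune them to their own traffic.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines (not from any real incident): Combined-format web
# access log lines plus PostgreSQL server log lines, as a defender might collect.
SAMPLE_LINES = [
    '203.0.113.7 - - [22/May/2026:10:01:12 +0000] "GET /node?title=hello HTTP/1.1" 200 5120',
    '203.0.113.9 - - [22/May/2026:10:01:15 +0000] "GET /search?keys=x%27%20UNION%20SELECT%20pass%20FROM%20users-- HTTP/1.1" 500 0',
    '2026-05-22 10:01:15 UTC ERROR:  syntax error at or near "UNION" at character 41',
    '2026-05-22 10:02:00 UTC LOG:  checkpoint complete: wrote 12 buffers',
]

# Request target of a web log line (everything between the method and "HTTP/").
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|PATCH|DELETE) (\S+) HTTP/')
# SQL metacharacters and keywords that rarely belong in a Drupal URL.
SQL_META_RE = re.compile(r"('|--|;|/\*|\bUNION\b|\bSELECT\b|\bPG_SLEEP\b)", re.I)
# PostgreSQL errors that commonly surface when unexpected input breaks a query.
PG_ERROR_RE = re.compile(
    r"\b(?:ERROR|FATAL):\s+(syntax error|unterminated quoted|invalid input syntax)", re.I)


def classify(line: str):
    """Return ('request', [hits]) or ('db_error', [message]) for a suspicious line, else None."""
    m = REQUEST_RE.search(line)
    if m:
        # Decode percent-encoding first so "%27" is seen as a quote character.
        target = unquote_plus(m.group(1))
        hits = sorted({h.upper() for h in SQL_META_RE.findall(target)})
        return ("request", hits) if hits else None
    m = PG_ERROR_RE.search(line)
    if m:
        return ("db_error", [m.group(1).lower()])
    return None


def scan(lines):
    """Return (index, kind, details) for every line worth a human look.
    Apostrophes in legitimate search terms will also match: this shortlists
    lines for review, it is not a verdict of compromise."""
    findings = []
    for i, line in enumerate(lines):
        result = classify(line)
        if result:
            findings.append((i, result[0], result[1]))
    return findings


if __name__ == "__main__":
    for i, kind, details in scan(SAMPLE_LINES):
        print(f"line {i}: {kind}: {details}")
```

A database syntax error logged at the same second as a 500 response to a metacharacter-laden request is the kind of correlation worth chasing first.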
