Drupal Core SQL Injection Vulnerability (CVE-2026-9082)
Severity Assessment
- Exploitability: 8/10 - Drupal rated the issue highly critical and confirmed exploitation attempts in the wild.
- Impact: 9/10 - Drupal reports arbitrary SQL injection that can lead to information disclosure and, in some cases, privilege escalation or remote code execution.
- Weaponization Risk: 8/10 - Public advisory and patch availability, plus KEV inclusion, indicate practical attacker use.
- Patch Urgency: 10/10 - Multiple supported branches received security updates, and KEV listing indicates urgent remediation expectations.
- Detection Coverage: 5/10 - Public sources provide affected-version ranges and conditions but limited universal IOC material.
NVD describes CVE-2026-9082 as a SQL injection flaw in Drupal’s database abstraction API with impact concentrated on sites using PostgreSQL.
Summary
CVE-2026-9082 is a Drupal core SQL injection vulnerability tracked in SA-CORE-2026-004. Drupal states that specially crafted requests can trigger arbitrary SQL injection through a flaw in query sanitization logic for affected PostgreSQL-backed sites.
According to Drupal, the issue can result in information disclosure and, depending on conditions, privilege escalation, remote code execution, or related impacts. Drupal published fixed releases across supported branches and best-effort patches for some unsupported versions.
Exploit Chain
Stage 1: Reach vulnerable Drupal endpoint
An attacker targets internet-accessible Drupal deployments running affected versions.
Stage 2: Send crafted request
The attacker submits specially crafted input that exercises vulnerable SQL-handling behavior.
Stage 3: SQL injection execution
The payload causes arbitrary SQL injection in affected PostgreSQL-backed deployments.
Stage 4: Post-exploitation actions
Depending on site configuration and database privileges, outcomes can include data disclosure, privilege escalation, or further compromise activity.
Detection Guidance
Exposure and patch status:
- Identify Drupal installations in affected version ranges from SA-CORE-2026-004.
- Prioritize PostgreSQL-backed Drupal deployments for immediate patch validation.
Application and database monitoring:
- Monitor for anomalous query patterns and unexpected request payloads to Drupal endpoints.
- Review authentication, administrative actions, and database privilege changes around suspected exploitation windows.
Hardening and response:
- Apply Drupal security updates for supported branches.
- For unsupported branches using best-effort patches, validate patch application and consider accelerated migration to supported versions.
Indicators of Compromise
The cited public sources do not provide a universal IOC set (for example, standardized malicious IPs or file hashes) specific to CVE-2026-9082 exploitation.
Potential investigation leads include:
- Suspicious request patterns to Drupal paths followed by unusual database errors or behavior.
- Unexpected data-access patterns or privilege changes in PostgreSQL logs associated with Drupal service accounts.
- Signs of unauthorized administrative operations after suspicious application requests.
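One way to work the first two leads above is to pair PostgreSQL errors raised by the Drupal service account with the HTTP requests that immediately preceded them. The following is an added example, not code from Drupal or the cited advisories. It assumes a combined-format access log, a PostgreSQL `log_line_prefix` of `'%m [%p] %u@%d '` with UTC timestamps, and a service role named `drupal`; all log lines, paths and addresses are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample logs (not from a real incident). Paths are placeholders
# and do not identify the vulnerable endpoint. Assumed formats: combined
# access log; PostgreSQL log_line_prefix = '%m [%p] %u@%d ' with UTC timestamps.
ACCESS_LOG = """\
203.0.113.7 - - [22/May/2026:10:15:02 +0000] "GET /constructed/path-a?x=1 HTTP/1.1" 200 5120 "-" "curl/8.5"
198.51.100.9 - - [22/May/2026:10:15:40 +0000] "GET /user/login HTTP/1.1" 200 3011 "-" "Mozilla/5.0"
203.0.113.7 - - [22/May/2026:10:16:10 +0000] "POST /constructed/path-b HTTP/1.1" 500 312 "-" "curl/8.5"
"""
PG_LOG = """\
2026-05-22 10:15:03.120 UTC [4121] drupal@drupaldb ERROR:  syntax error at or near ")" at character 88
2026-05-22 10:15:41.900 UTC [4130] backup@drupaldb ERROR:  relation "tmp_x" does not exist
2026-05-22 10:16:10.450 UTC [4121] drupal@drupaldb ERROR:  permission denied for table pg_authid
"""

ACCESS_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
PG_RE = re.compile(r'(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) UTC \[\d+\] (\w+)@\w+ ERROR:\s+(.*)')
# Error classes a well-behaved Drupal role should rarely produce in production.
SUSPECT = re.compile(r"syntax error|permission denied|unterminated quoted string")

def correlate(access_log, pg_log, role="drupal", window=timedelta(seconds=5)):
    """Pair each suspect DB error from `role` with HTTP requests seen just before it."""
    reqs = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            reqs.append((ts, m.group(1), f"{m.group(3)} {m.group(4)}", int(m.group(5))))
    leads = []
    for line in pg_log.splitlines():
        m = PG_RE.match(line)
        if not m or m.group(2) != role or not SUSPECT.search(m.group(3)):
            continue  # other roles and routine errors are out of scope here
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
        for rts, client, request, status in reqs:
            if timedelta(0) <= ts - rts <= window:
                leads.append({"client": client, "request": request,
                              "status": status, "db_error": m.group(3)})
    return leads

if __name__ == "__main__":
    for lead in correlate(ACCESS_LOG, PG_LOG):
        print(lead)
```

Each hit is a lead for manual review rather than proof of exploitation; widen `window` if the web and database hosts are not time-synchronized.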
Disclosure Timeline
| Date | Event |
|---|---|
| 2026-05-20 | Drupal published SA-CORE-2026-004 for CVE-2026-9082 and released patched versions for supported branches. |
| 2026-05-22 | Drupal updated advisory notes indicating exploit attempts were being detected in the wild. |
| 2026-05-22 | CISA KEV catalog included CVE-2026-9082 as known exploited. |
Sources & References
- Cybersecurity and Infrastructure Security Agency: Known Exploited Vulnerabilities Catalog — Cybersecurity and Infrastructure Security Agency, 2026-05-22
- National Vulnerability Database: CVE-2026-9082 — National Vulnerability Database, 2026-05-22
- Drupal: SA-CORE-2026-004 Highly critical SQL injection advisory — Drupal, 2026-05-20