
Drupal is warning administrators that attackers are already attempting to exploit a newly disclosed SQL injection vulnerability affecting the open-source content management system just days after security patches were released.
The flaw, tracked as CVE-2026-9082, impacts Drupal’s database abstraction API, which is designed to sanitize database queries and prevent SQL injection attacks. According to Drupal, the vulnerability can allow unauthenticated attackers to send specially crafted requests that result in arbitrary SQL injection on sites using PostgreSQL databases.
Successful exploitation could lead to information disclosure, privilege escalation, and, in some cases, remote code execution. Drupal warned before releasing patches on May 20 that public exploits could emerge “within hours or days” of disclosure.
That prediction appears to have materialized quickly.
Drupal powers hundreds of thousands of websites worldwide, including government, education, media, and enterprise platforms. While highly critical Drupal vulnerabilities are relatively uncommon, security researchers warn that the combination of public disclosure and rapid exploitation activity significantly increases the risk for unpatched systems.
The Drupal security team updated its advisory this week to note that exploitation attempts are now being detected in the wild. The project also increased the vulnerability’s internal risk score from 20 to 23 out of 25 to reflect the active attack activity.
Security firm Imperva reported observing more than 15,000 exploitation attempts targeting nearly 6,000 websites across 65 countries. According to the company, almost half of the attacks targeted gaming and financial services organizations.
Researchers said most of the observed activity currently appears focused on reconnaissance and validation, with attackers scanning for exposed Drupal sites configured with PostgreSQL databases. However, they warned that successful exploitation could rapidly escalate into data theft or server compromise.
The vulnerability only affects Drupal sites running PostgreSQL and does not impact installations using MySQL or MariaDB. Drupal estimates that fewer than 5% of deployments are affected.
The US Cybersecurity and Infrastructure Security Agency (CISA) has since added CVE-2026-9082 to its Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation. Federal agencies have been ordered to secure affected systems by May 27.
Patches are available for supported Drupal versions, including Drupal 11.3.10, 11.2.12, 11.1.10, 10.6.9, and 10.5.10. Organizations running affected versions are advised to update immediately.
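Because only PostgreSQL-backed sites are affected and the fix is a version bump, the first triage question for an administrator is "which database driver does this site use, and is core at or above the fixed release for its branch?" The script below is an added defender-side example, not part of the article and not a Drupal project tool. It reads the core version from the `const VERSION` declaration in `core/lib/Drupal.php` and the connection `driver` values from `sites/default/settings.php` (both standard Drupal locations), then compares the version against the patched releases listed above. The file paths used in `main` and the sample file contents are constructed for the example.

```python
"""Local triage for CVE-2026-9082: is this Drupal checkout affected?

Added example (not Drupal's own tooling). Checks two facts from the
advisory: only sites using the 'pgsql' driver are affected, and the
fix is to be at or above the patched release for the site's branch.
"""
import re
import sys
from typing import Set, Tuple

Version = Tuple[int, int, int]

# Patched releases named in the advisory, keyed by (major, minor) branch.
FIXED_VERSIONS = {
    (11, 3): (11, 3, 10),
    (11, 2): (11, 2, 12),
    (11, 1): (11, 1, 10),
    (10, 6): (10, 6, 9),
    (10, 5): (10, 5, 10),
}

# core/lib/Drupal.php declares the release as e.g.  const VERSION = '10.6.8';
# A -dev or -rc suffix is tolerated by the trailing [^']* but ignored.
VERSION_RE = re.compile(r"const\s+VERSION\s*=\s*'(\d+)\.(\d+)\.(\d+)[^']*'")
# settings.php connection arrays carry 'driver' => 'pgsql' | 'mysql' | 'sqlite'
DRIVER_RE = re.compile(r"'driver'\s*=>\s*'([A-Za-z0-9_]+)'")


def fmt(v: Version) -> str:
    return ".".join(str(x) for x in v)


def parse_core_version(drupal_php: str) -> Version:
    """Extract (major, minor, patch) from the contents of core/lib/Drupal.php."""
    m = VERSION_RE.search(drupal_php)
    if m is None:
        raise ValueError("no 'const VERSION' declaration found")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def parse_db_drivers(settings_php: str) -> Set[str]:
    """Collect every database driver named in settings.php (default + extras)."""
    return set(DRIVER_RE.findall(settings_php))


def assess(version: Version, drivers: Set[str]) -> Tuple[str, str]:
    """Return (status, reason) for a given core version and driver set."""
    if "pgsql" not in drivers:
        return ("not_affected",
                "no PostgreSQL connection configured; MySQL/MariaDB sites are not affected")
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        # Branches without a listed fix get no patch; treat as affected.
        return ("unsupported_branch",
                f"{fmt(version)} is on a branch with no fixed release; move to a supported branch")
    if version >= fixed:
        return ("patched", f"{fmt(version)} is at or above {fmt(fixed)}")
    return ("vulnerable", f"{fmt(version)} is below {fmt(fixed)}; update to {fmt(fixed)}")


def triage(drupal_php: str, settings_php: str) -> Tuple[str, str]:
    """Convenience wrapper over the two parsers and the assessment."""
    return assess(parse_core_version(drupal_php), parse_db_drivers(settings_php))


# Constructed sample file contents (not taken from any real site).
SAMPLE_DRUPAL_PHP = """<?php
class Drupal {
  const VERSION = '10.6.8';
}
"""
SAMPLE_SETTINGS_PGSQL = """<?php
$databases['default']['default'] = [
  'database' => 'drupal',
  'username' => 'drupal',
  'password' => 'placeholder-not-a-real-secret',
  'host' => 'localhost',
  'driver' => 'pgsql',
];
"""
SAMPLE_SETTINGS_MYSQL = SAMPLE_SETTINGS_PGSQL.replace("'pgsql'", "'mysql'")


if __name__ == "__main__":
    # Usage: python triage.py /var/www/drupal   (docroot path is an assumption)
    if len(sys.argv) == 2:
        root = sys.argv[1].rstrip("/")
        with open(f"{root}/core/lib/Drupal.php", encoding="utf-8") as f:
            core = f.read()
        with open(f"{root}/sites/default/settings.php", encoding="utf-8") as f:
            settings = f.read()
        status, reason = triage(core, settings)
    else:
        status, reason = triage(SAMPLE_DRUPAL_PHP, SAMPLE_SETTINGS_PGSQL)
    print(f"{status}: {reason}")
```

The check is deliberately file-based rather than network-based: it runs on the host (or a copy of the docroot) and needs no request to the site, so it is safe to fold into a configuration-audit job. A site with several connections in `settings.php` is flagged if any of them uses `pgsql`, and a branch outside the five patched series is reported as `unsupported_branch` rather than silently passed.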