The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added Drupal Core’s critical SQL injection flaw (CVE‑2026‑9082) to its Known Exploited Vulnerabilities catalog after seeing thousands of probing attacks worldwide. Patches are available for all supported Drupal releases, and experts urge immediate remediation.
Drupal Core SQL Injection Now in CISA’s KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced that CVE‑2026‑9082, a critical SQL injection bug in Drupal Core, has been placed in its Known Exploited Vulnerabilities (KEV) list. The agency cited “evidence of active exploitation” in the wild, making this one of the fastest‑moving vulnerabilities of the year.
What the flaw does
Drupal’s database abstraction layer accepts user‑supplied input in certain API calls. A missing sanitisation step allows an attacker to inject arbitrary SQL when a specially crafted request reaches the server. Successful exploitation can:
- Escalate privileges – gain admin‑level rights within the Drupal site.
- Execute remote code – run commands on the underlying host, potentially compromising the entire web server.
The CVSS base score is 6.5, reflecting the combination of ease of exploitation (network‑accessible) and the impact on confidentiality, integrity, and availability.
Timeline
| Date | Event |
|---|---|
| May 21, 2026 | Drupal releases patches for all supported major versions. |
| May 22, 2026 | Drupal advisory updated to note “exploit attempts are now being detected in the wild.” |
| May 23, 2026 | CISA adds CVE‑2026‑9082 to the KEV catalog. |
| May 27, 2026 | Federal Civilian Executive Branch agencies advised to apply patches. |
Real‑world activity
Imperva, now part of Thales, reported over 15,000 attack attempts targeting ≈6,000 sites across 65 countries. Their telemetry shows:
- Gaming and financial services sites account for roughly half of the observed traffic.
- Most requests appear to be probing – attackers are checking whether a Drupal instance runs on PostgreSQL and is vulnerable.
- The pattern suggests a two‑stage approach: first confirm the vulnerable configuration, then move to data extraction or privilege escalation.
“The activity is dominated by reconnaissance, but the underlying vulnerability can quickly transition to full compromise,” said Rohit Sharma, senior security researcher at Imperva.
Which versions need attention
All supported Drupal releases have been patched. The following table lists the exact versions that contain the fix:
| Drupal Major Version | Patched Release |
|---|---|
| 11 | 11.3.10, 11.2.12, 11.1.10 |
| 10 | 10.6.9, 10.5.10, 10.4.10 |
| 9 | 9.5 (manual patch required) |
| 8 | 8.9 (manual patch required) |
If you run a custom or older branch, apply the manual patch from the official security advisory or upgrade to the latest supported release.
Practical steps for site operators
- Verify your version – run `drush status` or check `core/lib/Drupal.php` for the version string.
- Apply the official patch – download it from the Drupal security advisory page and follow the upgrade instructions.
- Audit database connections – ensure the site does not expose the database port publicly and that only trusted hosts can reach the Drupal front‑end.
- Enable Web Application Firewall (WAF) rules – block typical SQL‑injection payloads targeting the Drupal endpoint (`/user/login`, `/node/*`).
- Monitor logs – look for repeated `SELECT` statements with suspicious characters (`'`, `--`, `/*`) in the access logs.
- Consider a temporary block – if you cannot patch immediately, restrict access to the site via IP allow‑list or a maintenance mode until the fix is applied.
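The log-monitoring step above, as an added example (not code from the Drupal advisory or from Imperva): it URL-decodes each request target, flags those containing `SELECT` together with one of the listed characters, and counts repeats per client IP. The combined log format, the function names, the threshold of 2 and the sample lines are assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Combined-log-format prefix: client IP, timestamp, then "METHOD target PROTO"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')
SELECT_RE = re.compile(r"\bselect\b", re.IGNORECASE)
SUSPICIOUS = ("'", "--", "/*")  # the characters the article lists

def decode(target, rounds=2):
    """URL-decode up to `rounds` times so double-encoded input is also seen."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target

def flag_line(line):
    """Return (client_ip, decoded_target) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not an access-log line we can parse
    ip, _method, target = m.groups()
    decoded = decode(target)
    if SELECT_RE.search(decoded) and any(t in decoded for t in SUSPICIOUS):
        return ip, decoded
    return None

def repeat_offenders(lines, threshold=2):
    """Map client IP -> flagged-request count, keeping IPs at/above threshold."""
    hits = Counter(r[0] for r in map(flag_line, lines) if r)
    return {ip: n for ip, n in hits.items() if n >= threshold}

# Constructed sample lines: documentation IP ranges, generic test strings.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/May/2026:10:00:01 +0000] "GET /node/1?x=1%27%20UNION%20SELECT%20null-- HTTP/1.1" 200 512',
    '203.0.113.7 - - [23/May/2026:10:00:02 +0000] "GET /user/login?name=a%2527%2F%2A%2A%2FSeLeCt%2F%2A%2A%2F1 HTTP/1.1" 200 498',
    '198.51.100.4 - - [23/May/2026:10:00:03 +0000] "GET /node/42?search=select+a+plan HTTP/1.1" 200 2048',
    '192.0.2.9 - - [23/May/2026:10:00:04 +0000] "GET /node/3?x=%27%20select%201-- HTTP/1.1" 403 120',
    'garbled line without a request field',
]

if __name__ == "__main__":
    for ip, count in repeat_offenders(SAMPLE_LOG).items():
        print(f"{ip}: {count} flagged requests")
```

Access logs record query strings but not POST bodies, so requests that carry input in the body need application or database logging to be seen.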
Why this matters for the broader ecosystem
Drupal powers a large share of government portals, educational sites, and e‑commerce platforms. An active exploit chain that starts with a simple SQL injection can give threat actors a foothold to move laterally into other services hosted on the same server. The rapid addition of this bug to CISA’s KEV list underscores the agency’s push to surface threats that have already shown real‑world use.
Looking ahead
Security researchers expect the probing phase to give way to more targeted attacks within the next few weeks, especially against high‑value financial and gaming sites. Organizations that have not yet patched should treat this as a priority, not a low‑severity advisory.