📋 Vulnerability Details
Data Source: CIRCL
Confidence: HIGH
Exploitation Method: DIRECT_NETWORK
CVE Published: 2026-05-20
Added to CISA KEV: 2026-05-22 (2 days between CVE and KEV)
🌐 Internet Exposure (Shodan): 104k+ internet-facing instances
Query: http.component:"Drupal"
This query identifies Drupal installations, but it cannot distinguish vulnerable versions (8.9.0-10.4.9, 10.5.0-10.5.9, 10.6.0-10.6.8, 11.0.0-11.1.9, 11.2.0-11.2.11, 11.3.0-11.3.9) or confirm use of the PostgreSQL database backend that exploitation requires.
Checked: 2026-06-04
🎯 Recommendations:
- ⚠️ CRITICAL: Check for indicators of compromise. This vulnerability is in the CISA KEV catalog, which indicates active exploitation in the wild. Review logs, check for unauthorized access, and verify system integrity before patching
- URGENT: Immediately update all Drupal installations to patched versions (10.4.10+, 10.5.10+, 10.6.9+, 11.1.10+, 11.2.12+, 11.3.10+)
- Prioritize Drupal sites using PostgreSQL databases as they are specifically vulnerable
- Review web server logs for suspicious SQL injection attempts or unusual database queries
- Consider temporarily taking sites offline if immediate patching is not possible
- Implement web application firewall (WAF) rules to block SQL injection attempts as temporary mitigation
- Audit database contents for unauthorized modifications or data exfiltration
- This is a CRITICAL priority patch due to unauthenticated remote exploitation potential
🔍 Web Intelligence (Kagi · 2026-05-22)
CVE-2026-9082 is a highly critical SQL injection (SQLi) vulnerability affecting the Drupal core, specifically within its Database Abstraction API [2] [6].
Below is the current understanding of the vulnerability based on available information as of May 22, 2026:
Vulnerability Overview
- Nature of Flaw: The vulnerability is an improper neutralization of special elements used in an SQL command (CWE-89), caused by a failure to properly sanitize external input before it reaches the database abstraction layer [1] [4].
- Affected Systems: It specifically impacts Drupal installations that utilize a PostgreSQL database backend [3]. Deployments using MySQL, MariaDB, or SQLite are not affected by this specific vector [3].
- Internet-Facing Impact: Because it resides in the Drupal core and can be triggered via web requests, it directly affects internet-facing applications and services running vulnerable versions of Drupal on PostgreSQL [2].
Exploitation Details
- Attack Vector: The vulnerability allows for unauthenticated exploitation [2] [3]. Attackers can execute arbitrary SQL commands by sending specially crafted requests, specifically utilizing crafted array keys in filter parameters [3] [6].
- Potential Impact: Successful exploitation can lead to full data disclosure, data modification, denial of service, privilege escalation, and potentially remote code execution [4] [7].
- Active Exploitation & Targeted Attacks: As of May 22, 2026, there is no widely reported evidence of active exploitation in the wild or specific attribution to targeted campaigns in the provided search results.
- CISA KEV Status: CVE-2026-9082 is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [5].
Mitigation
Site administrators are advised to cross-reference their deployments with the official Drupal security advisory (SA-CORE-2026-004) and update their core installations to the designated patch releases for all supported branches (Drupal 10 and 11) immediately [1].
Sources
- CVE-2026-9082: Mitigating a Critical SQL Injection Vulnerability in...
  Vulnerability details. At the core of CVE-2026-9082 is a breakdown in how external input is sanitized before reaching the database abstraction layer. Site administrators should immediately cross-reference their current deployments with the official Drupal security advisory (SA-CORE-2026-004) and upda…
- CVE-2026-9082 | Tenable®
  CVE-2026-9082 is a highly critical SQL injection in Drupal core affecting PostgreSQL sites. Patches available. Unauthenticated exploitation ... ... CVE-2026-9082: Critical Drupal Core SQL Injection Vulnerability | Tenable® Published: 2026-05-21 CVE-2026-9082 is a highly critical SQL injection in Dru…
- CVE-2026-9082: CVE-2026-9082: Unauthenticated SQL Injection in Drupal ...
  Drupal Core contains a highly critical SQL injection vulnerability (CVE-2026-9082) within its Database Abstraction API. The flaw specifically affects installations using the PostgreSQL database backend, allowing unauthenticated attackers to execute arbitrary SQL commands via crafted array keys in fi…
- CVE-2026-9082 - Vulnerability Details - OpenCVE
  The vulnerability is an improper neutralization of special elements used in an SQL command, commonly known as SQL injection, in Drupal core. The flaw allows an attacker to inject arbitrary SQL statements into database queries, potentially leading to full data disclosure, data modification, or denial…
- Known Exploited Vulnerabilities Catalog | CISA
  Microsoft Windows Buffer Overflow Vulnerability: Microsoft Windows contains a buffer overflow vulnerability in the Windows Server Service that allows remote ...