CISA Adds Drupal Core SQL Injection Vulnerability to KEV After Active Exploitation


CISA has added CVE-2026-9082, a highly critical Drupal Core SQL injection vulnerability, to its Known Exploited Vulnerabilities Catalog after evidence of active exploitation. The issue affects Drupal sites that use PostgreSQL databases and can be triggered by anonymous users through specially crafted requests.

The flaw was disclosed in the Drupal security advisory SA-CORE-2026-004 on May 20, 2026. Drupal later updated the advisory to say exploit attempts were being detected in the wild, raising the urgency for site owners and administrators.

Federal Civilian Executive Branch agencies must apply mitigations, follow vendor guidance, or stop using affected products by May 27, 2026. The NVD record also lists the issue as a Drupal Core SQL Injection Vulnerability and references its inclusion in CISA’s KEV catalog.

What CVE-2026-9082 Does

CVE-2026-9082 sits in Drupal Core’s database abstraction API, which normally helps sanitize database queries before execution. Drupal says the vulnerability allows an attacker to send crafted requests that result in arbitrary SQL injection on sites using PostgreSQL.

The impact can include information disclosure, privilege escalation, remote code execution, or other attacks, depending on the site configuration. Since exploitation does not require a logged-in account, public-facing Drupal sites with affected PostgreSQL setups face the highest risk.

Security teams should also note that the issue has a CWE-89 classification for improper neutralization of special elements used in an SQL command. The NVD entry lists a Drupal.org CNA CVSS 3.1 score of 9.8, placing the bug in the critical range.

Affected Drupal Versions and Fixed Releases

| Branch | Affected versions | Fixed version or guidance |
| --- | --- | --- |
| Drupal 11.3.x | Before 11.3.10 | Update to 11.3.10 |
| Drupal 11.2.x | Before 11.2.12 | Update to 11.2.12 |
| Drupal 11.1.x and 11.0.x | Before 11.1.10 | Update to 11.1.10 |
| Drupal 10.6.x | Before 10.6.9 | Update to 10.6.9 |
| Drupal 10.5.x | Before 10.5.10 | Update to 10.5.10 |
| Drupal 10.4.x and earlier supported upgrade path | Before 10.4.10 | Update to 10.4.10 |
| Drupal 9 and Drupal 8.9 | End-of-life releases | Apply best-effort patches only if an immediate upgrade is not possible |

The Drupal advisory also notes that the security releases include Symfony and Twig dependency updates. Those dependency fixes apply more broadly, so administrators should still update even if their site does not use PostgreSQL.

Why PostgreSQL-backed Drupal Sites Are Exposed

The issue is tied to how Drupal handles query structures before they reach the PostgreSQL database layer. Akamai Security Research says the vulnerability involves how PHP array keys are parsed and converted into database placeholder names, rather than a simple unsafe value passed into a query.

That detail matters because many defenders tune SQL injection detection around common payload patterns. A bug that abuses query structure can be harder to spot if monitoring only focuses on obvious malicious strings in parameter values.
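To illustrate monitoring that looks at parameter names rather than values, here is an added example (not from Drupal, Akamai, or the original article) that flags requests whose array-style parameter keys fall outside a conservative allowlist. The allowlist, the log format, the paths, and the sample lines are assumptions constructed for illustration; it is a generic key-anomaly heuristic, not a signature for CVE-2026-9082.

```python
import re
from urllib.parse import parse_qsl

# Assumption: legitimate parameter names look like name[key][key] with keys
# limited to identifier characters. Tune this allowlist per application.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]+(\[[A-Za-z0-9_.-]*\])*")
# Request line as it appears in a common/combined-format access log.
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (hypothetical paths and documentation IPs).
SAMPLE_LOG = [
    '198.51.100.7 - - [21/May/2026:10:02:11 +0000] "GET /listing?keys=drupal&page=2 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [21/May/2026:10:02:15 +0000] "GET /listing?filter[status]=1&sort[0]=title HTTP/1.1" 200 901',
    '203.0.113.9 - - [21/May/2026:10:03:40 +0000] "GET /listing?filter[a%20b%3B]=1 HTTP/1.1" 500 312',
    '203.0.113.9 - - [21/May/2026:10:03:41 +0000] "GET /listing?filter%5Bstatus%255D=1 HTTP/1.1" 200 88',
]

def anomalous_param_names(url):
    """Return decoded parameter names that do not match the allowlist."""
    query = url.partition("?")[2]
    names = [name for name, _value in parse_qsl(query, keep_blank_values=True)]
    # Names are percent-decoded once; a double-encoded bracket leaves a
    # literal '%' behind, which also fails the allowlist and is reported.
    return [n for n in names if not SAFE_NAME.fullmatch(n)]

def scan_log(lines):
    """Return (client_ip, [suspicious names]) for each flagged request."""
    findings = []
    for line in lines:
        match = REQUEST.search(line)
        if not match:
            continue  # not a parsable request line
        bad = anomalous_param_names(match.group(1))
        if bad:
            findings.append((line.split()[0], bad))
    return findings

if __name__ == "__main__":
    for client, names in scan_log(SAMPLE_LOG):
        print(client, names)
```

Access logs only show query strings, so parameters sent in request bodies need the same check at the application or WAF layer.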

Attackers could use the vulnerability to access or alter database content. In some deployments, the chain could move further and create a path toward administrator access or code execution on the underlying environment.

What Site Owners Should Do Now

Drupal administrators should treat this as an emergency patching item, especially if their sites use PostgreSQL and are reachable from the internet. CISA’s listing means the issue has moved from a theoretical patch priority to a confirmed exploited vulnerability.

  • Check whether the Drupal site uses PostgreSQL as its database backend.
  • Confirm the Drupal Core branch and compare it with the fixed versions listed above.
  • Apply the relevant Drupal Core update as soon as possible.
  • Review web server, application, and database logs for unusual requests or query errors.
  • Look for unexpected administrator accounts, content changes, web shells, or altered files.
  • Use a web application firewall as a temporary layer, but do not treat it as a patch replacement.
  • Back up the site and database before patching, then validate that the update completed correctly.
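The first two checks can be scripted across a site inventory. The following is an added example, not code from Drupal or CISA: it encodes the fixed-release table above and takes a core version string and database driver name as input. It assumes PostgreSQL is reported as `pgsql` and treats the end-of-life branches as exposed when they run on PostgreSQL.

```python
import re

# Fixed release per branch, copied from the table in this article.
FIXED = {
    (11, 3): (11, 3, 10), (11, 2): (11, 2, 12),
    (11, 1): (11, 1, 10), (11, 0): (11, 1, 10),
    (10, 6): (10, 6, 9), (10, 5): (10, 5, 10),
}

def triage(core_version, db_driver):
    """Return (action, sqli_exposed) for one site.

    sqli_exposed is True/False, or None when the branch is not in the table.
    A False value on an unpatched non-PostgreSQL site does not cancel the
    update: the releases also carry Symfony and Twig dependency fixes.
    """
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", core_version)
    if not m:
        raise ValueError(f"unrecognised core version: {core_version!r}")
    ver = tuple(int(part) for part in m.groups())
    major, minor = ver[:2]
    on_pgsql = db_driver == "pgsql"  # assumed driver name for PostgreSQL

    if major in (8, 9):
        # End-of-life: only best-effort patches are available.
        return ("end-of-life: best-effort patch or upgrade", on_pgsql)
    if major == 10 and minor <= 4:
        target = (10, 4, 10)
    else:
        target = FIXED.get((major, minor))
    if target is None:
        return ("branch not in table: consult SA-CORE-2026-004", None)
    if ver >= target:
        return ("at or above fixed release", False)
    return ("update to " + ".".join(str(p) for p in target), on_pgsql)

if __name__ == "__main__":
    # Constructed inventory entries for illustration.
    for version, driver in [("11.3.9", "pgsql"), ("11.0.5", "mysql"),
                            ("10.6.9", "pgsql"), ("9.5.11", "pgsql")]:
        print(version, driver, triage(version, driver))
```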

Organizations covered by federal requirements should also review the CISA KEV entry and follow the required remediation action. For other organizations, the same deadline still provides a useful risk-based target because active exploitation has already been observed.

Mitigation Is Not a Substitute for Patching

Web application firewalls, virtual patching, and request filtering can reduce exposure while teams test updates. However, they should serve as short-term protection only. The official Drupal releases remain the main fix for CVE-2026-9082.

Akamai’s analysis recommends applying the official Drupal Core updates as part of a critical patch management cycle. That advice matters because SQL injection bugs can quickly move from scanning to data theft or deeper compromise once working exploit paths circulate.

Teams that cannot patch immediately should consider restricting public access to affected Drupal routes, adding temporary WAF rules, and isolating the database where possible. If no mitigation can reduce risk to an acceptable level, administrators should consider taking affected services offline until they can update.

FAQ

What is CVE-2026-9082?

CVE-2026-9082 is a Drupal Core SQL injection vulnerability that affects Drupal sites using PostgreSQL databases. Attackers can exploit it with specially crafted requests, and Drupal says anonymous users can trigger the flaw.

Is CVE-2026-9082 actively exploited?

Yes. Drupal updated its advisory to say exploit attempts are being detected in the wild, and CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog.

Which Drupal sites are most at risk?

Public-facing Drupal sites that use PostgreSQL and run an affected Drupal Core version face the highest risk. Sites using outdated or end-of-life Drupal branches should receive special attention because they may have additional unresolved vulnerabilities.

What should administrators do to fix CVE-2026-9082?

Administrators should update Drupal Core to the fixed version for their branch, review logs for suspicious activity, check for unauthorized accounts or file changes, and use temporary WAF rules only as a short-term layer of defense.

What is the CISA remediation deadline for CVE-2026-9082?

CISA lists May 27, 2026 as the remediation deadline for covered federal agencies. Other organizations should also prioritize the update because the vulnerability has confirmed exploitation activity.
