CVE-2026-9082 is a highly critical SQL injection vulnerability in Drupal core, tracked as SA-CORE-2026-004, that affects all Drupal installations using PostgreSQL databases. Drupal rated this flaw 23 out of 25 on its own severity scale — one of the highest ratings the project assigns. Active exploitation attempts were confirmed within days of the May 20 advisory, and proof-of-concept exploit code is publicly available. Any Drupal site running PostgreSQL that has not yet applied the patch should treat this as an emergency.
// 01 CVE-2026-9082: Technical Details
SQL injection (SQLi) is a class of vulnerability where user-supplied input is embedded into a database query without proper sanitization or parameterization, allowing an attacker to manipulate the query's logic and extract or modify data the application never intended to expose.
CVE-2026-9082 lives in Drupal core's database abstraction layer — specifically the PostgreSQL entity query handler. The root cause is a subtle mistake in how case-insensitive IN conditions are constructed. A foreach loop uses PHP array keys directly when building SQL placeholder names. If those keys are non-numeric (which is possible when user-supplied input populates an array), the raw array keys are interpolated into the SQL query before parameter binding occurs. This means an attacker can craft input that contains SQL syntax, breaking out of the intended query structure and executing arbitrary SQL against the PostgreSQL database.
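The placeholder-naming mistake described above, modelled in Python as an added illustration (this is not Drupal's code, just a simplified case-insensitive IN() builder): the buggy version names each placeholder after the caller-supplied array key, the hardened version numbers them by position, and a self-check shows why numeric keys hide the flaw in testing.

```python
"""Added illustration of the placeholder-naming mistake behind CVE-2026-9082.
Not Drupal's code: a simplified model of a case-insensitive IN() condition builder."""
import re

# Constructed input: values decoded from a JSON request body. A well-behaved client
# sends a list (keys 0, 1, ...); a hostile one can send an object with arbitrary keys.
BENIGN_INPUT = {"0": "Alice", "1": "Bob"}
HOSTILE_INPUT = {"0": "Alice", "bad key'": "Bob"}

def build_in_condition_vulnerable(field, values):
    """The buggy pattern: each placeholder is named after the incoming array key.
    With numeric keys the result looks fine, so the flaw is easy to miss in testing;
    a non-numeric key is written straight into the SQL text before binding.
    `field` is assumed to come from code, never from the request."""
    placeholders, params = [], {}
    for key, value in values.items():
        name = f":{field}_{key}"        # raw, caller-controlled key in the query
        placeholders.append(name)
        params[name] = str(value).lower()
    return f"LOWER({field}) IN ({', '.join(placeholders)})", params

def build_in_condition_fixed(field, values):
    """The hardened form: placeholders are numbered by position; the key is never
    used, so only bound values can carry user data."""
    placeholders, params = [], {}
    for index, value in enumerate(values.values()):
        name = f":{field}_{index}"
        placeholders.append(name)
        params[name] = str(value).lower()
    return f"LOWER({field}) IN ({', '.join(placeholders)})", params

WELL_FORMED = re.compile(r"LOWER\(\w+\) IN \(:\w+(, :\w+)*\)")

def placeholders_are_well_formed(sql):
    """Cheap self-check a query builder can run before binding: the generated
    condition must contain only identifier-shaped placeholders and nothing else."""
    return WELL_FORMED.fullmatch(sql) is not None
```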
The attack does not require authentication. Unauthenticated users can trigger the vulnerability through at least two documented vectors:
- JSON login endpoint: sending a POST request to /user/login?_format=json with a crafted JSON payload in which the username field contains a malicious PHP array structure.
- JSON:API filters: if the JSON:API module is enabled, query parameters such as filter[condition][value][INJECT_HERE]=x can be crafted to inject SQL.
Successful exploitation enables an attacker to perform boolean-blind SQL injection — a technique where the attacker asks the database a series of true/false questions (e.g., "Is the first character of the admin password 'a'?") and reads database contents bit by bit. More severe outcomes are also possible: in certain PostgreSQL configurations, SQL injection can escalate to remote code execution (RCE — the attacker can run arbitrary operating system commands on the server) through features like COPY TO/FROM PROGRAM.
This vulnerability affects only sites using PostgreSQL as the database engine. Drupal installations backed by MySQL, MariaDB, or SQLite are not vulnerable. To check your database driver, look for 'driver' => 'pgsql' in your site's settings.php file.
// 02 Exploitation Status and Threat Landscape
Active exploitation of CVE-2026-9082 has been confirmed. Drupal issued an advance warning on May 18, 2026 — two days before the full advisory — explicitly stating that "exploits might be developed within hours or days" of the patch release. That timeline has been met.
Security firm Searchlight Cyber published two working proof-of-concept exploit examples on May 20, the same day as the advisory, demonstrating unauthenticated SQL injection via both the JSON login endpoint and JSON:API filters. Because the patch diff was also shared publicly, any attacker can reconstruct the exact vulnerable code path without needing Searchlight Cyber's research.
BleepingComputer reported on May 22 that attackers are now actively attempting to exploit the vulnerability in the wild. No specific threat actor group has been attributed to the attacks at this time, but automated scanning and exploitation of high-profile CMS vulnerabilities typically begins within hours of a PoC release.
At the time of writing, CVE-2026-9082 has not been added to the CISA KEV catalog, but given the active exploitation and public PoC, that addition is possible in the near term. The NVD CVSS v3 score is 6.5 (Medium), though Drupal's own 23/25 rating more accurately reflects real-world exploitability given the unauthenticated attack path.
// 03 Who Is Affected
Drupal is one of the most widely deployed open-source CMS platforms, powering government websites, university portals, healthcare systems, and enterprise intranets globally. The vulnerability affects a broad range of versions:
- Drupal 10.4.0 through 10.4.9 → patch to 10.4.10
- Drupal 10.5.0 through 10.5.9 → patch to 10.5.10
- Drupal 10.6.0 through 10.6.8 → patch to 10.6.9
- Drupal 11.1.0 through 11.1.9 → patch to 11.1.10
- Drupal 11.2.0 through 11.2.11 → patch to 11.2.12
- Drupal 11.3.0 through 11.3.9 → patch to 11.3.10
- Drupal 8.9.x and 9.5.x (both end-of-life) are also affected; contact your hosting provider for exceptional security hotfixes.
- Drupal 7 is not affected.
Only sites using PostgreSQL are vulnerable. If your site uses MySQL or MariaDB, you are not at risk from this specific CVE, though updating remains best practice.
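A small scoping helper, added here as an example (not a Drupal or drupal.org tool): it encodes the version ranges listed above and the settings.php driver check from the next section, and returns whether a site is in scope and which release to move to. The settings.php excerpt is constructed.

```python
"""Added triage helper: is a site in scope for CVE-2026-9082? Not a Drupal tool;
the version table mirrors the affected-version list in this article."""
import re

# Affected branches: (major, minor) -> (last vulnerable patch level, fixed patch level).
AFFECTED_BRANCHES = {
    (10, 4): (9, 10), (10, 5): (9, 10), (10, 6): (8, 9),
    (11, 1): (9, 10), (11, 2): (11, 12), (11, 3): (9, 10),
}
EOL_BRANCHES = {(8, 9), (9, 5)}   # affected, but only fixable via a hosting-provider hotfix

# Constructed settings.php excerpt (not from a real site).
SAMPLE_SETTINGS = """
$databases['default']['default'] = [
  'database' => 'drupal',
  'driver' => 'pgsql',
];
"""

def parse_version(text):
    """Accept '10.5.3' or Drupal 7 style '7.98'; a missing patch level counts as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)

def uses_pgsql(settings_php):
    """True if any database connection in settings.php selects the PostgreSQL driver."""
    return "pgsql" in re.findall(r"'driver'\s*=>\s*'([^']+)'", settings_php)

def assess(version_text, settings_php):
    """Return (vulnerable, advice) for one site."""
    major, minor, patch = parse_version(version_text)
    if not uses_pgsql(settings_php):
        return False, "not PostgreSQL: not affected by CVE-2026-9082 (update anyway)"
    if major == 7:
        return False, "Drupal 7 is not affected"
    branch = (major, minor)
    if branch in EOL_BRANCHES:
        return True, f"{major}.{minor}.x is end-of-life: ask your host for a hotfix"
    if branch in AFFECTED_BRANCHES:
        last_bad, fixed = AFFECTED_BRANCHES[branch]
        if patch <= last_bad:
            return True, f"update to {major}.{minor}.{fixed}"
        return False, f"already at or above {major}.{minor}.{fixed}"
    return False, f"{major}.{minor}.x is not in the advisory's affected list; verify manually"
```

A commented-out sample connection in settings.php that mentions 'pgsql' would also match the driver check, so strip comments first if your file carries them.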
// 04 What You Should Do Right Now
- Check your database driver immediately. Open sites/default/settings.php and search for 'driver'. If you see 'pgsql', you are running PostgreSQL and need to act now. If you see 'mysql', you are not vulnerable to CVE-2026-9082.
- Update Drupal core to the patched version. Apply the update matching your current branch (see the version list above). Use Composer (composer update drupal/core --with-dependencies) for sites managed with Composer, or download the patch from drupal.org/project/drupal.
- Apply the patch even if you cannot update immediately. Drupal has released standalone patch files for each affected version at drupal.org/sa-core-2026-004. A temporary patch is better than no patch while you plan a full update.
- Temporarily restrict JSON:API and login endpoints. If you cannot patch within the next 24 hours, consider using a web application firewall (WAF) rule or an .htaccess rule to block external access to /user/login?_format=json and JSON:API paths (/jsonapi/). This reduces the attack surface without patching, but is not a complete mitigation.
- Review access logs for exploitation attempts. Look for POST requests to /user/login?_format=json with unusual body content, or GET requests to /jsonapi/ paths with deeply nested filter parameters. Automated exploitation tools will generate distinctive traffic patterns.
- Check for signs of compromise. If your site was unpatched and publicly accessible on PostgreSQL since May 20, treat the site as potentially compromised. Look for newly created admin accounts, unexpected file modifications, and outbound connections from the web server.
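The log review in step 5 above, as an added example (not a Drupal or vendor tool): it reads combined-format access logs, flags JSON login POSTs for body review, and flags JSON:API requests whose filter[...][value][KEY] segment is not a plain list index. The log lines are constructed, not real traffic.

```python
"""Added log-review helper for the access-log step above. Assumes Apache/nginx
combined-format logs and the two vectors named in this article."""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines. Line 2 is a legitimate JSON:API filter (numeric value
# index); line 3 carries a non-numeric key in the value position.
SAMPLE_LOG = """\
203.0.113.5 - - [21/May/2026:10:01:02 +0000] "POST /user/login?_format=json HTTP/1.1" 400 98 "-" "python-requests/2.32"
198.51.100.7 - - [21/May/2026:10:01:09 +0000] "GET /jsonapi/node/article?filter%5Bcondition%5D%5Bvalue%5D%5B0%5D=x HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
198.51.100.7 - - [21/May/2026:10:01:15 +0000] "GET /jsonapi/node/article?filter%5Bcondition%5D%5Bvalue%5D%5Babc%5D=x HTTP/1.1" 500 0 "-" "Mozilla/5.0"
192.0.2.9 - - [21/May/2026:10:02:00 +0000] "GET /node/1 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
VALUE_KEY_RE = re.compile(r"^filter\[.*\[value\]\[([^\]]*)\]")

def suspicious_filter_keys(query):
    """Keys shaped filter[...][value][KEY] where KEY is not a plain list index."""
    hits = []
    for key, _ in parse_qsl(query, keep_blank_values=True):   # percent-decodes keys
        m = VALUE_KEY_RE.match(key)
        if m and not m.group(1).isdigit():
            hits.append(key)
    return hits

def triage_line(line):
    """Return (ip, reason) when a line matches one of the two vectors, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m["target"])
    query = dict(parse_qsl(target.query, keep_blank_values=True))
    if m["method"] == "POST" and target.path == "/user/login" and query.get("_format") == "json":
        # The body is not in the access log: fetch it from the WAF or application
        # log and check whether the username arrived as an array rather than a string.
        return m["ip"], "JSON login POST: review request body"
    if target.path.startswith("/jsonapi/"):
        bad = suspicious_filter_keys(target.query)
        if bad:
            return m["ip"], "JSON:API filter with non-numeric value key: " + ", ".join(bad)
    return None

def triage(log_text):
    """Run triage_line over a whole log and keep the hits, in order."""
    return [hit for hit in map(triage_line, log_text.splitlines()) if hit]
```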
// 05 Background: Understanding the Risk
SQL injection is one of the oldest and most consistently impactful vulnerability classes in web security, appearing in the OWASP Top 10 every year since its inception. Despite decades of awareness, it continues to affect production systems because even small mistakes in query construction — like using array keys as SQL identifiers — can bypass otherwise robust parameterization.
Drupal's database abstraction layer is specifically designed to prevent SQL injection by using parameterized queries and placeholder binding. The irony of CVE-2026-9082 is that the vulnerability exists not because parameterization was skipped, but because the array keys used to name those placeholders were not sanitized before the query was constructed. This is a subtle but exploitable gap in what was otherwise a well-designed abstraction.
PostgreSQL-specific exploitation is particularly interesting from a technical standpoint. Unlike MySQL, PostgreSQL supports large objects and COPY TO/FROM PROGRAM functionality, which can sometimes be leveraged to execute operating system commands if the database user has sufficient privileges. Drupal's database user typically runs with limited privileges, but misconfigured installations may inadvertently grant elevated access.
This vulnerability follows a pattern of high-severity CMS core flaws that attract rapid exploitation: CVE-2018-7600 (Drupageddon 2) was exploited within hours of advisory release, and CVE-2022-25270 saw scanning begin within days. Administrators of high-value Drupal deployments — government portals, financial applications, healthcare records systems — should treat this with the same urgency as Drupageddon.
The advance warning system Drupal uses (pre-advisory notices that a patch is coming without revealing technical details) exists precisely to give administrators time to prepare. In this case, the two-day window appears to have been insufficient given how quickly PoC code appeared after the patch was published.
// 06 Conclusion
CVE-2026-9082 is a publicly confirmed, actively exploited SQL injection vulnerability in Drupal core that allows unauthenticated attackers to read or modify database contents on PostgreSQL-backed sites. Proof-of-concept code is public, attacks are underway, and the patched versions are available now. Any organization running Drupal on PostgreSQL must apply the update immediately — this is not a scheduled maintenance item.
For any query, contact us at contact@cipherssecurity.com
