A newly disclosed Drupal Core SQL injection vulnerability is now being actively exploited against internet-facing sites, prompting urgent patching guidance from Drupal, national CERTs, and security researchers. The bug, tracked as CVE-2026-9082, affects Drupal installations using PostgreSQL and could allow unauthenticated attackers to steal or tamper with data and, in some cases, achieve remote code execution.
The flaw resides in Drupal core’s database abstraction API, specifically in the PostgreSQL EntityQuery condition handler, where crafted requests can bypass normal query sanitization and trigger arbitrary SQL injection. Drupal’s security team rates the issue “highly critical” with a risk score of 23 out of 25, warning that exploitation may lead to full data exposure and modification, privilege escalation, or remote code execution, according to its advisory SA-CORE-2026-004. By contrast, the U.S. National Vulnerability Database assigns a lower CVSS v3.1 score of 6.5, categorizing it as a medium-severity flaw.
CVE-2026-9082 impacts a wide range of Drupal versions, including all supported branches from Drupal 8.9 onward. Specifically, per the Drupal advisory, the bug affects versions >= 8.9.0 < 10.4.10, >= 10.5.0 < 10.5.10, >= 10.6.0 < 10.6.9, >= 11.0.0 < 11.1.10, >= 11.2.0 < 11.2.12, and >= 11.3.0 < 11.3.10 (each lower bound inclusive, each upper bound exclusive, the upper bound being the first fixed release in that branch). Fixed releases are available for all supported branches, and Drupal has also published best-effort patches for the end-of-life Drupal 8 and 9 lines because of the bug’s severity. While only PostgreSQL-backed sites are directly vulnerable to SQL injection, the patched releases also ship important updates to third-party dependencies such as Symfony and Twig, so Drupal maintainers recommend that all sites upgrade.
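As an added example (not part of the advisory or of Drupal's own tooling), the following Python check maps a site's core version and configured database driver onto the ranges above and reports whether the site is on the directly exploitable PostgreSQL path or merely needs the dependency updates. It assumes the version string is obtained from `drush status` or the `\Drupal::VERSION` constant, and that `pgsql` is the driver key used in settings.php for PostgreSQL.

```python
import re
from typing import Optional, Tuple

# Affected ranges as published in SA-CORE-2026-004 for CVE-2026-9082:
# lower bound inclusive, upper bound exclusive (first fixed release per branch).
AFFECTED_RANGES = [
    ("8.9.0", "10.4.10"),
    ("10.5.0", "10.5.10"),
    ("10.6.0", "10.6.9"),
    ("11.0.0", "11.1.10"),
    ("11.2.0", "11.2.12"),
    ("11.3.0", "11.3.10"),
]

def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse a core version such as '10.4.9' or '11.3.0-rc1' into
    (major, minor, patch, is_final). A pre-release of X.Y.Z sorts *below*
    the final X.Y.Z, so a pre-release of the fixed version is still flagged."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?\s*$", version)
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {version!r}")
    major, minor, patch = (int(p) for p in m.groups()[:3])
    is_final = 0 if m.group(4) else 1
    return (major, minor, patch, is_final)

def in_affected_range(version: str) -> Optional[Tuple[str, str]]:
    """Return the (low, high) range that contains `version`, or None."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        # Lower bound ignores the pre-release marker (11.3.0-rc1 is in the 11.3 line);
        # upper bound honours it (10.4.10-rc1 predates the fixed 10.4.10).
        if v[:3] >= parse_version(low)[:3] and v < parse_version(high):
            return (low, high)
    return None

def assess(version: str, db_driver: str) -> str:
    """Classify a site: 'not-affected', or a string starting with 'VULNERABLE'
    (PostgreSQL, SQLi reachable) or 'UPGRADE' (other driver, dependency fixes)."""
    rng = in_affected_range(version)
    if rng is None:
        return "not-affected"
    if db_driver.strip().lower() == "pgsql":  # Drupal's PostgreSQL driver key (assumed)
        return f"VULNERABLE (SQLi): {version} in [{rng[0]}, {rng[1]}) on PostgreSQL"
    return f"UPGRADE RECOMMENDED: {version} in [{rng[0]}, {rng[1]}), non-pgsql driver"

if __name__ == "__main__":
    # Constructed sample inputs, not from any real site.
    for ver, drv in [("10.4.9", "pgsql"), ("11.2.11", "mysql"), ("11.3.10", "pgsql")]:
        print(ver, drv, "->", assess(ver, drv))
```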
Exploitation has quickly followed disclosure. Drupal updated its advisory on May 22 to note that exploit attempts are now being detected in the wild, and researchers report public proof-of-concept code is already available. Belgium’s Centre for Cyber Security warned that an unauthenticated attacker can exploit the flaw simply by sending specially crafted requests to affected Drupal sites running on PostgreSQL, potentially leading to information disclosure, data tampering, or deletion, according to its national advisory. Security outlet BleepingComputer has also confirmed that attackers are already attempting to leverage the bug against vulnerable installations.
The availability of a public exploit and automated detection templates further increases the risk of broad, opportunistic scanning. Contributors to the Nuclei project have proposed a template specifically for CVE-2026-9082, making it easier for both defenders and attackers to identify exposed sites at scale. While there is no public attribution linking the activity to specific threat actors so far, security experts note the parallels with earlier high-impact Drupal SQL injection incidents such as “Drupageddon,” which fueled mass compromise campaigns after disclosure, as documented in a post-incident retrospective.
Site administrators are urged to upgrade immediately to the fixed versions listed in SA-CORE-2026-004. For environments that cannot be patched quickly, Drupal has not provided a robust configuration-based workaround, underscoring that updating core is the primary defense. Operators should also assume exploitation attempts may have occurred, especially on PostgreSQL-backed sites exposed to the internet, and review web server and database logs for anomalous requests, unexpected SQL queries, or suspicious administrative activity. Tightening database privileges, rotating credentials, and conducting targeted compromise assessments on high-value Drupal deployments can help limit potential damage while patching proceeds.