Drupal SQL Injection Bug (CVE-2026-9082) Hits CISA's Must-Patch List With a May 27 Deadline

York Computer

If your small business runs its website on Drupal, this week is a fire drill. On May 22, CISA added CVE-2026-9082 — a highly critical SQL injection flaw in Drupal Core — to its Known Exploited Vulnerabilities catalog after security firms recorded thousands of real attacks within 48 hours of the patch dropping. Unauthenticated attackers can read your database, create admin accounts, and in some setups run their own code on your web server. Federal agencies have until May 27 to fix it. You should treat that as your deadline too.

What the bug actually does

CVE-2026-9082 is a highly critical SQL injection vulnerability in Drupal core that can be exploited by unauthenticated users against Drupal sites using PostgreSQL. The vulnerability affects Drupal's database abstraction API and can allow specially crafted requests to trigger arbitrary SQL injection, potentially leading to information disclosure, privilege escalation, remote code execution, or additional attacks.

In plain English: the part of Drupal that's supposed to stop hackers from injecting database commands has a hole in it. An attacker doesn't need a username, a password, or even a low-level account on your site. Anonymous reachability means attackers do not need a stolen editor account before taking a shot.

The one piece of good news: Drupal powers hundreds of thousands of websites, but CVE-2026-9082 only affects sites that use PostgreSQL. Drupal developers believe fewer than 5% of websites are impacted. Most small-business Drupal sites use MySQL or MariaDB and are not exposed to the SQL injection path. But you need your IT provider to confirm that — not assume it.

Attackers moved within 48 hours

Drupal published the patch on May 20. Imperva researchers reported observing over 15,000 exploitation attempts targeting nearly 6,000 sites across 65 countries in the first two days after disclosure. Almost half of those attacks were aimed at gaming and financial services websites, sectors where both credential theft and financial data access have immediate monetization paths.

On May 22, CISA added CVE-2026-9082, a Drupal Core SQL injection vulnerability affecting PostgreSQL-backed sites, to its Known Exploited Vulnerabilities catalog after evidence showed active exploitation in the wild. The move turns what was already an urgent Drupal security release into a federal remediation mandate. The KEV deadline for federal agencies is May 27 — and CISA strongly recommends every organization treat KEV listings as their own deadline.

This is the first highly critical Drupal vulnerability exploited in the wild since 2019. Drupal admins old enough to remember Drupalgeddon know how this movie ends if you don't patch fast.

Why this matters to a small business

A compromised website isn't just a defacement problem. An unauthenticated attacker exploited a SQL injection vulnerability in Drupal Core's database abstraction API, leading to unauthorized access and potential remote code execution. The attacker escalated privileges by leveraging the SQL injection to manipulate database entries, granting administrative access. With elevated privileges, the attacker moved laterally within the network, accessing other systems and databases. The attacker established a command and control channel to maintain persistent access and control over the compromised systems. Sensitive data was exfiltrated from the compromised databases to external servers controlled by the attacker.

For a small business, that translates to: stolen customer records, hijacked contact forms used to phish your clients, the site quietly turned into a malware host, and — if your web server shares credentials or network paths with anything else — a foothold into your back office.

Website security sits inside the same patch, backup, and monitoring discipline as the rest of your IT, which is why we treat it as part of York Computer's managed IT services rather than a separate problem to think about once a year.

What your IT provider should be doing this week

If you have a managed IT provider — or an MSP that handles your website — they should already be doing four things:

1. **Inventory.** Confirm whether your site runs Drupal, which version, and which database backend. The hardest part of responding to CVE-2026-9082 may not be applying the update. It may be finding every place where the update needs to be applied. Marketing microsites, old landing pages, and forgotten staging environments are exactly what attackers scan for.

2. **Patch.** Organizations running Drupal should upgrade immediately to one of the patched versions: 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, or 11.3.10.

3. **Hunt for signs of compromise.** Patching doesn't undo a breach that already happened. The useful move is to review web logs for unusual JSON login requests, JSON:API filter parameters, repeated HTTP 500 responses, suspicious database errors, newly changed admin accounts, unexpected content changes, and file writes after suspicious requests. Because exploited CMS flaws often become a doorway into broader web compromise, treat confirmed probing as more than noise. Rotate privileged Drupal credentials, check recently added users and roles, inspect contributed modules and themes, and verify that backups are clean.

4. **Document.** Write down what you found, what you patched, and when. If a customer or insurer asks later, you want a paper trail.
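
One way to run the log review from step 3, shown as an added example rather than York Computer's or Drupal's own tooling. It assumes combined-format access logs and Drupal's default `/user/login?_format=json` and `/jsonapi/` paths; the three-error threshold and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs
# Combined log format: ip - user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample lines: documentation IP ranges, placeholder filter values.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/May/2026:03:14:01 +0000] "GET /jsonapi/node/article?filter[title][value]=x HTTP/1.1" 500 512 "-" "-"',
    '203.0.113.7 - - [21/May/2026:03:14:02 +0000] "GET /jsonapi/node/article?filter%5Btitle%5D%5Bvalue%5D=x HTTP/1.1" 500 512 "-" "-"',
    '203.0.113.7 - - [21/May/2026:03:14:03 +0000] "GET /jsonapi/user/user?filter[name][value]=x HTTP/1.1" 500 512 "-" "-"',
    '203.0.113.7 - - [21/May/2026:03:14:09 +0000] "POST /user/login?_format=json HTTP/1.1" 400 88 "-" "-"',
    '198.51.100.20 - - [21/May/2026:09:00:00 +0000] "GET /jsonapi/node/article?filter[status][value]=1 HTTP/1.1" 200 4096 "-" "-"',
    '198.51.100.20 - - [21/May/2026:09:00:05 +0000] "GET /node/1 HTTP/1.1" 500 300 "-" "-"',
    '192.0.2.55 - - [21/May/2026:10:30:00 +0000] "POST /user/login?_format=json HTTP/1.1" 200 230 "-" "-"',
]

def classify(method, target):
    """Name the indicator a request matches, or None if it is not of interest."""
    url = urlsplit(target)
    query = parse_qs(url.query, keep_blank_values=True)  # also decodes %5B/%5D
    if method == "POST" and url.path == "/user/login" and query.get("_format") == ["json"]:
        return "json_login"
    if url.path.startswith("/jsonapi/") and any(k.startswith("filter") for k in query):
        return "jsonapi_filter"
    return None

def hunt(lines, min_errors=3):
    """Count flagged requests per client IP; keep IPs whose flagged requests
    drew at least min_errors HTTP 500 responses (threshold is an assumption)."""
    stats = defaultdict(lambda: {"json_login": 0, "jsonapi_filter": 0,
                                 "errors_500": 0, "first_seen": None})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, ts, method, target, status = m.groups()
        kind = classify(method, target)
        if kind is None:
            continue
        entry = stats[ip]
        entry[kind] += 1
        entry["first_seen"] = entry["first_seen"] or ts
        if status == "500":
            entry["errors_500"] += 1
    return {ip: e for ip, e in stats.items() if e["errors_500"] >= min_errors}

if __name__ == "__main__":
    for ip, entry in hunt(SAMPLE_LOG).items():
        print(ip, entry)
```

A hit is a lead for the rest of step 3 (user, role, and file-change review from the `first_seen` time onward), not proof of compromise on its own.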

What York Businesses Should Do

If you're a York County business with a Drupal website — common for local nonprofits, school districts, and professional services firms — get an answer from your web host or IT provider before May 27 confirming your version, database backend, and patch status. If nobody can give you a clear answer, that itself is the problem worth fixing.
