Drupal Critical SQL Injection Vulnerability CVE-2026-9082 Actively Exploited
Impact Assessment Rationale
MEDIUM: Second-pass historical recalibration. This cyber advisory or vulnerability item is relevant to Cyber and technology-dependent Property/Casualty books, but it does not evidence confirmed insured loss, claims activity, ransomware/business interruption, critical infrastructure outage, or quantified market impact sufficient for HIGH.
Summary
A critical SQL injection vulnerability (CVE-2026-9082) in Drupal's database abstraction API is being actively exploited in the wild. The flaw affects sites using PostgreSQL and allows unauthenticated attackers to execute arbitrary SQL commands, potentially leading to remote code execution, privilege escalation, and data theft. Drupal rated the vulnerability 23/25 (highly critical) and confirmed exploitation attempts on May 22, 2026, following initial disclosure on May 18. Administrators are urged to upgrade immediately to patched versions.
This summary is AI-generated from linked source reports and may change as more information becomes available. See our correction policy for how to report errors.
Structured Intelligence
known
- CVE-2026-9082 affects Drupal's database abstraction API on PostgreSQL-backed sites
- Exploitation attempts confirmed in the wild as of May 22, 2026
- Vulnerability is exploitable without authentication
- Affected versions include Drupal 8.9.x, 10.4.x through 10.6.x, and 11.0.x through 11.3.x
- Discovered by Google/Mandiant researcher Michael Maturi
- Drupal rated severity 23/25; NIST assigned CVSS v3 score of 6.5 (medium)
reported
- Exploitation may lead to remote code execution, privilege escalation, and information disclosure
- Drupal 8 and 9 are end-of-life but patches provided on best-effort basis
uncertain
- Scale and identity of threat actors conducting exploitation attempts unknown
- Number of compromised sites or data exfiltrated not yet disclosed
- Whether exploitation has progressed beyond scanning/probing to full compromise is unconfirmed
Sources
Trade Media
- BleepingComputer, 22 May 2026, 14:38
Timeline
Status changed to monitoring
Auto-transitioned: no updates for 6 hours
Lifecycle changed
active → monitoring
Lifecycle changed
signal → active
Status changed to active
remediation: existing authoritative signal
Initial Detection
The risk score has been updated to reflect that exploit attempts are now being detected in the wild. The flaw is exploitable without authentication and could result in remote code execution, privilege escalation, and information disclosure.
Source: BleepingComputer (Trade Media)