CVE-2026-9082: Critical Drupal SQL Injection Flaw

May 26, 2026 04:08 · 12 min read
CVE-2026-9082: A Highly Critical SQL Injection Flaw in Drupal

Drupal has announced that hackers are attempting to exploit a highly critical SQL injection vulnerability, tracked as CVE-2026-9082, which was discovered by Google/Mandiant researcher Michael Maturi. The vulnerability affects Drupal's database abstraction API and allows specially crafted requests to trigger arbitrary SQL injection on sites using PostgreSQL.

SQL injection is a flaw in which attackers inject malicious SQL commands into database queries via user input fields or dialogs on websites, resulting in unauthorized access, modification, or deletion of database data. The flaw is exploitable without authentication and could result in remote code execution, privilege escalation, and information disclosure.
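To make the class of bug described above concrete, here is an added example that is not from Drupal or the original article and does not reproduce the CVE-2026-9082 code path (the advisory gives no detail on it). It contrasts a query that splices a request value into SQL text with the same query using a bound parameter, using sqlite3 as an offline stand-in for PostgreSQL and a constructed three-row user table:

```python
import sqlite3

# Constructed sample data: a three-row user table standing in for a site's
# account table. sqlite3 is used as a stand-in for PostgreSQL so the example
# runs offline; the injection mechanics shown here are the same on both.
SAMPLE_USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("admin", "admin@example.test"),
]


def make_db():
    """Create an in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, mail TEXT)"
    )
    conn.executemany("INSERT INTO users (name, mail) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn, name):
    """VULNERABLE: the request value is spliced into the SQL text.

    Because the value becomes part of the statement, a quote character in it
    ends the literal early and whatever follows is parsed as SQL.
    """
    sql = "SELECT uid, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """HARDENED: the request value is passed as a bound parameter.

    The statement's structure is fixed before the driver ever sees the value,
    so the value can only ever be compared against the name column.
    """
    return conn.execute(
        "SELECT uid, name FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo():
    """Run both lookups with a benign and a hostile input; return the row counts."""
    conn = make_db()
    benign = "alice"
    # Constructed hostile input: the leading quote closes the string literal and
    # the rest rewrites the WHERE clause so it matches every row.
    hostile = "x' OR '1'='1"
    return {
        "unsafe_benign": len(lookup_unsafe(conn, benign)),
        "unsafe_hostile": len(lookup_unsafe(conn, hostile)),
        "safe_benign": len(lookup_safe(conn, benign)),
        "safe_hostile": len(lookup_safe(conn, hostile)),
    }


if __name__ == "__main__":
    for label, count in demo().items():
        print(f"{label}: {count} row(s)")
```

Running it shows the unsafe lookup returning all three rows for the hostile value while the parameterised lookup returns none; the point for a site owner is that the fix for a flaw in the abstraction layer itself is the vendor update, because application code that already binds its parameters correctly still depends on the layer doing the same.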

Impact and Recommendations

CVE-2026-9082 impacts a broad range of Drupal versions, including Drupal 8.9.x, Drupal 10.4.x before 10.4.10, Drupal 10.5.x before 10.5.10, Drupal 10.6.x before 10.6.9, Drupal 11.0.x / 11.1.x before 11.1.10, Drupal 11.2.x before 11.2.12, and Drupal 11.3.x before 11.3.10. Website owners and administrators are recommended to upgrade immediately to the latest version available for their branch.

Those not using PostgreSQL are still advised to update, as the latest security updates also include fixes for upstream dependencies, including Symfony and Twig. The advisory underlines that Drupal 8 and 9 are end-of-life (EoL), and that patches are provided on a “best-effort” basis; however, those branches still contain other known vulnerabilities, so continuing their use is inherently risky.

Exploitation Attempts Detected

In an update to the advisory on May 22, Drupal confirmed that exploitation attempts have been detected. “The risk score has been updated to reflect that exploit attempts are now being detected in the wild,” reads the updated advisory. Drupal rated the vulnerability as “highly critical,” assigning it an internal score of 23 out of 25. However, NIST has rated it as “medium severity” based on a CVSS v3 score of 6.5.

The vulnerability is a significant concern for website owners and administrators, as it can be exploited without authentication and could result in severe consequences, including remote code execution, privilege escalation, and information disclosure. It is essential to upgrade to the latest version of Drupal as soon as possible to prevent exploitation attempts.

Conclusion

In conclusion, CVE-2026-9082 is a highly critical SQL injection flaw that affects multiple Drupal versions on sites using PostgreSQL. It is exploitable without authentication, exploit attempts are already being detected in the wild, and a successful attack could have severe consequences, including remote code execution, privilege escalation, and information disclosure. Website owners and administrators should upgrade immediately to the latest version available for their branch; that update is the action that closes the flaw and protects the site.

Source: BleepingComputer
