What's new since our earlier Drupal coverage: This post covers a separate and newly identified vulnerability — CVE-2026-9082 — a SQL injection flaw distinct from the NGINX-related Drupal emergency patch we covered on May 20. This flaw has now been added to CISA's Known Exploited Vulnerabilities catalog with a federal patching deadline, and security researchers have already tracked over 15,000 attack attempts in the wild.
If your business or organization runs a website built on Drupal, you need to stop what you're doing and read this.
A brand-new, highly critical security vulnerability in Drupal Core — tracked as CVE-2026-9082 — is being actively exploited by attackers right now, less than 48 hours after a patch was released. This isn't a theoretical risk or something that might happen down the road. The attacks are happening today, at scale, and the window to get ahead of them is closing fast.
What Is CVE-2026-9082?
Security Affairs reports that Drupal issued a highly critical security patch on May 20 for CVE-2026-9082, a SQL injection vulnerability that sits in the API designed to sanitize database queries — ironically, the very system meant to prevent this class of attack. A flaw in that API means an unauthenticated attacker (meaning no login required) can send specially crafted HTTP requests and inject arbitrary SQL commands directly into sites running PostgreSQL as their database backend.
Drupal's own advisory describes the potential consequences plainly: "This can lead to information disclosure, and in some cases privilege escalation, remote code execution, or other attacks. This vulnerability can be exploited by anonymous users."
That last phrase is the most alarming part. No account. No credentials. Just a crafted web request, and an attacker may be inside your database.
CISA Has Officially Flagged This
This isn't just a software vendor advisory. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-9082 to its Known Exploited Vulnerabilities catalog, which is the agency's official list of security flaws confirmed to be exploited in the real world.
The Hacker News reports that Federal Civilian Executive Branch agencies have been directed to apply fixes by May 27, 2026. While that federal deadline technically applies to government agencies, it sends a clear signal: this vulnerability is serious enough that the government is treating it as urgent. Small businesses and nonprofits running Drupal sites should treat it the same way.
The Attack Data Is Alarming
Here's where the numbers get attention-grabbing. Thales-owned security firm Imperva began tracking exploitation attempts almost immediately after the patch dropped. As Security Affairs details, Imperva observed over 15,000 exploitation attempts targeting nearly 6,000 individual sites across 65 countries in just the first two days after disclosure.
The top targeted country? The United States, at 61.8% of all attacks, followed by Singapore at 6.6% and Australia at 6.3%.
Almost half of those attacks — collectively around 50% — have been aimed at gaming and financial services websites. Imperva notes that "the nature of the vulnerability means successful exploitation could quickly move from probing to data extraction or privilege escalation."
That distinction matters. What's happening right now, at massive scale, is mostly reconnaissance — attackers scanning and probing to identify which Drupal sites are running vulnerable PostgreSQL configurations. They're building a target list. The actual data theft and exploitation phase typically follows once that map is complete.
Are You Affected? Here's How to Check
Not every Drupal site is vulnerable. The flaw specifically impacts sites running PostgreSQL as the database backend. Sites running MySQL or MariaDB are not affected by this particular vulnerability.
Drupal estimates that PostgreSQL powers under 5% of all Drupal installations — but given that Drupal powers hundreds of thousands of websites globally across government, higher education, media, and enterprise environments, Security Affairs notes that still translates to thousands of potentially vulnerable sites.
To check if you're affected:
- Identify your database backend. If you built the site yourself or with a developer, check your settings.php file (in Drupal's sites/default/ directory) for the $databases configuration block. If you see pgsql listed as the driver, you're running PostgreSQL and this flaw applies to you.
- Check your Drupal version. Patches are available for Drupal versions 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, and 10.4.10. Drupal 9.5 and 8.9 require manual patching.
- Review your server logs. If you're seeing unusual database query patterns, unexpected errors in your Drupal logs, or failed authentication attempts that weren't there before, treat those as potentially hostile activity.
- If you're unsure, assume PostgreSQL. Don't rely on memory — check the config file directly.
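The first two checks above can be scripted. The shell script below is an added example, not part of the original post or Drupal's own tooling; it assumes the standard layout (sites/default/settings.php, and the VERSION constant in core/lib/Drupal.php), and its function names and the sample tree it builds are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage one Drupal tree for CVE-2026-9082 exposure.
FIXED="11.3.10 11.2.12 11.1.10 10.6.9 10.5.10 10.4.10"  # fixed releases listed in the post

# Active (uncommented) 'driver' values in sites/default/settings.php.
db_drivers() {
    grep -Ev '^[[:space:]]*(//|#|/?\*)' "$1/sites/default/settings.php" 2>/dev/null |
        sed -n "s/.*['\"]driver['\"][[:space:]]*=>[[:space:]]*['\"]\([a-z0-9_]*\)['\"].*/\1/p" |
        sort -u
}

# Version from the VERSION constant in core/lib/Drupal.php (Drupal 8 and later).
drupal_version() {
    sed -n "s/.*const VERSION = '\([^']*\)'.*/\1/p" "$1/core/lib/Drupal.php" 2>/dev/null | head -n 1
}

# Compare an installed version with the fixed release on the same branch.
patch_status() {
    branch=${1%.*}; patch=${1##*.}
    case $patch in ''|*[!0-9]*) echo unknown; return ;; esac   # empty, -dev, .x
    for f in $FIXED; do
        [ "${f%.*}" = "$branch" ] || continue
        if [ "$patch" -ge "${f##*.}" ]; then echo patched; else echo needs-update; fi
        return
    done
    echo no-listed-release   # e.g. 9.5 or 8.9, which the post says need manual patching
}

# One-line verdict for a Drupal root: driver, version, patch state.
assess() {
    ver=$(drupal_version "$1")
    if db_drivers "$1" | grep -qx pgsql; then
        echo "pgsql ${ver:-unknown} $(patch_status "$ver")"
    else
        echo "not-pgsql ${ver:-unknown} n/a"
    fi
}

# Constructed sample tree (not a real site): $1 = version, $2 = driver.
make_sample() {
    d=$(mktemp -d) && mkdir -p "$d/sites/default" "$d/core/lib" || return 1
    printf '%s\n' "<?php" " *   'driver' => 'mysql'," "\$databases['default']['default'] = [" \
        "  'driver' => '${2:-pgsql}'," "];" > "$d/sites/default/settings.php"
    printf '%s\n' "<?php" "class Drupal {" "  const VERSION = '$1';" "}" > "$d/core/lib/Drupal.php"
    echo "$d"
}

# With an argument, assess that Drupal root; otherwise run on the constructed sample.
if [ -n "${1:-}" ]; then assess "$1"; else s=$(make_sample 10.4.9); assess "$s"; rm -rf "$s"; fi
```

Run it with the Drupal root as its argument. It reads only sites/default/settings.php, so a driver set in an included file or from environment variables will not be seen.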
What to Do Right Now
If you're running Drupal on PostgreSQL: Apply the patch immediately. There is no reason to wait. Drupal's security team released fixes for all supported versions, and they're available now. If you're on an older version like 8.9 or 9.5, manual patching instructions are available through Drupal's official security advisory.
If you're running Drupal on MySQL or MariaDB: You're not exposed to this specific flaw, but it's still worth verifying your database configuration rather than assuming.
If you manage Drupal infrastructure for others — a hosting client, a nonprofit, a small business — check their configurations today. Drupal is widely used in exactly the kinds of organizations that don't have dedicated IT staff watching their logs.
A Note on Drupal's History With Critical Flaws
Security Affairs puts this vulnerability in useful historical context: the last time Drupal saw active exploitation of a highly critical flaw was back in 2019, when a remote code execution bug was hit within days of the patch going live. Before that, the flaws known as Drupalgeddon and Drupalgeddon2 became notorious for being weaponized at scale to compromise tens of thousands of sites. Since 2019, highly critical vulnerabilities in Drupal have been rare — but when they do appear, history shows attackers move fast.
CVE-2026-9082 is following exactly that pattern. Drupal itself warned before the patch was released that "exploits could surface within hours or days." They were right.
The Bottom Line
The reconnaissance phase of a campaign like this has one purpose: building a list of vulnerable targets. Once attackers have that list, the active exploitation — credential theft, data extraction, privilege escalation — begins. The difference between being on that list and not being on it right now is whether you've patched.
If your business website runs on Drupal and you're not sure whether you're using PostgreSQL, or you need help verifying your configuration or applying the update, we're happy to take a look. Keeping local Yuba City businesses' websites secure is exactly the kind of thing our business IT services are designed for.
The window here is narrow. Patch first, then verify everything else.