
Drupal: Critical SQL Injection Vulnerability Now Being Exploited in Attacks

Bottom line: The critical SQL injection vulnerability CVE-2026-9082 in Drupal core is being actively exploited. It affects every supported Drupal branch plus 8.9.x, requires no authentication, and on sites using PostgreSQL can lead to remote code execution. Administrators should update immediately.

The Drupal project is warning of active exploitation attempts against an “extremely critical” SQL injection vulnerability. CVE-2026-9082 affects the core database abstraction API and can enable remote code execution and database access without authentication.

Following its security advisory of May 18, Drupal has published an update confirming that attackers are now attempting to exploit the “extremely critical” SQL injection vulnerability. CVE-2026-9082 was discovered by Michael Maturi, a researcher at Google/Mandiant, and lies in the content management system’s database abstraction API. It allows specially crafted requests to perform arbitrary SQL injection on sites running on PostgreSQL.

The vulnerability allows attackers to inject SQL of their choosing and thereby read, manipulate, or delete database contents. Particularly problematic is that no authentication is required, so any visitor to a vulnerable site can attempt it. Depending on the site, this can lead to remote code execution, privilege escalation, and information disclosure.

Drupal confirmed on May 22, in an updated advisory, that exploitation attempts have been observed in the wild. The Drupal security team rates the vulnerability 23 out of 25 points on its own severity scale. The National Institute of Standards and Technology (NIST), by contrast, assigns it a CVSS v3 base score of only 6.5, “medium.” With exploitation confirmed and no authentication needed, the lower CVSS score is no reason to defer patching.

The vulnerability affects the following Drupal core versions: 8.9.x, 10.4.x before 10.4.10, 10.5.x before 10.5.10, 10.6.x before 10.6.9, 11.0.x and 11.1.x before 11.1.10 (there is no fixed 11.0.x release; update to 11.1.10), 11.2.x before 11.2.12, and 11.3.x before 11.3.10.

Website operators and administrators should immediately update to the latest release of their branch. Sites that do not use PostgreSQL should update as well, since the security releases also pull in fixes for dependencies such as Symfony and Twig. Drupal 8 and 9 are no longer supported and receive patches only on a best-effort basis; running them remains inherently risky because of further known security vulnerabilities that will not be fixed.
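As an added example, not code from the Drupal project or from the advisory, the following script classifies a Drupal core version string against the affected ranges quoted above. Versions on branches the advisory does not name (for example 9.x or 10.0 to 10.3) are reported as unlisted rather than safe, since unsupported branches generally receive no fixes. The helper that reads the version from core/lib/Drupal.php relies on Drupal core defining `const VERSION = '...';` in that file; the file contents used here are a constructed stand-in, and the function names are this example's own.

```python
"""Classify a Drupal core version against the affected ranges listed in the advisory text."""
import re

# Affected branches as given in the advisory, keyed by (major, minor).
# Value is the patch level of the first fixed release on that branch; None means
# every release on the branch is affected and the fix lives on a later branch.
AFFECTED_BRANCHES = {
    (8, 9): None,   # 8.9.x: no fixed release listed
    (10, 4): 10,    # fixed in 10.4.10
    (10, 5): 10,    # fixed in 10.5.10
    (10, 6): 9,     # fixed in 10.6.9
    (11, 0): None,  # 11.0.x: listed with 11.1.x, fix is 11.1.10
    (11, 1): 10,    # fixed in 11.1.10
    (11, 2): 12,    # fixed in 11.2.12
    (11, 3): 10,    # fixed in 11.3.10
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(version):
    """Split '10.4.9' or '11.3.0-rc1' into (major, minor, patch, prerelease-or-None)."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"not a Drupal core version string: {version!r}")
    major, minor, patch, pre = match.groups()
    return int(major), int(minor), int(patch), pre


def status(version):
    """Return 'affected', 'fixed' or 'unlisted' for a Drupal core version string.

    'unlisted' means the branch is not named in the advisory at all; treat it as
    unknown and check the advisory, not as safe.
    """
    major, minor, patch, pre = parse_version(version)
    branch = (major, minor)
    if branch not in AFFECTED_BRANCHES:
        return "unlisted"
    first_fixed = AFFECTED_BRANCHES[branch]
    if first_fixed is None or patch < first_fixed:
        return "affected"
    if patch == first_fixed and pre is not None:
        # A pre-release of the fixed version predates the fix; stay conservative.
        return "affected"
    return "fixed"


def version_from_drupal_php(source):
    """Pull the VERSION constant out of the contents of core/lib/Drupal.php.

    Drupal core declares its version as `const VERSION = '...';` there, so this
    works on a checked-out tree without bootstrapping the site or needing drush.
    """
    match = re.search(r"const\s+VERSION\s*=\s*'([^']+)'\s*;", source)
    if not match:
        raise ValueError("no VERSION constant found in the given source")
    return match.group(1)


# Constructed stand-in for core/lib/Drupal.php (not a file from a real release).
SAMPLE_DRUPAL_PHP = """<?php
class Drupal {
  const VERSION = '10.5.9';
}
"""


def check_sample():
    """Run the classifier over the constructed sample; returns (version, status)."""
    version = version_from_drupal_php(SAMPLE_DRUPAL_PHP)
    return version, status(version)


if __name__ == "__main__":
    import sys
    versions = sys.argv[1:] or [check_sample()[0]]
    for v in versions:
        print(f"{v}: {status(v)}")
```

On a live site the version string can be taken from `drush status --field=drupal-version`, or read straight from core/lib/Drupal.php as the helper does; run the script with one or more version strings as arguments, or with none to classify the embedded sample.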
