The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security issue in Drupal Core to its Known Exploited Vulnerabilities (KEV) catalog. The addition follows evidence that the flaw is being actively exploited in the wild.
The vulnerability, tracked as CVE-2026-9082 and rated with a CVSS score of 6.5, is an SQL injection flaw affecting all currently supported versions of Drupal Core. According to CISA, this flaw could lead to privilege escalation and remote code execution through specially crafted database requests.
Immediate Patch Release and Exploit Detection
Just days after Drupal released security patches to address this issue, reports of active exploitation have surfaced. The precise methods and objectives of these attacks remain unclear at this moment. Nonetheless, patches have been made available for several Drupal versions, including 11.3.10, 11.2.12, and others. Notably, manual patching is required for versions 9.5 and 8.9.
On May 22, 2026, Drupal updated its security advisory to acknowledge the detection of exploit attempts. Security firm Imperva, owned by Thales, has reported over 15,000 attack attempts targeting nearly 6,000 unique websites across 65 countries.
Targeted Sectors and Attack Patterns
According to Imperva, the primary targets of these attacks include the gaming and financial services sectors, which make up approximately 50% of the observed activity. The current attack pattern suggests that malicious actors are mainly engaged in reconnaissance, probing sites for vulnerabilities, particularly sites running PostgreSQL-backed configurations of Drupal.
This reconnaissance activity indicates that attackers are seeking out exposed Drupal sites to identify potential entry points. While much of the activity is exploratory, the inherent risk of the vulnerability suggests that successful exploitation could swiftly escalate to data extraction or privilege escalation.
Recommendations for Federal Agencies
Federal Civilian Executive Branch (FCEB) agencies have been advised to implement the available patches by May 27, 2026, to ensure comprehensive protection against potential threats. This proactive measure is crucial in safeguarding against any further exploitation attempts that might capitalize on the uncovered flaw.
As the cybersecurity landscape continues to evolve, swift action and adherence to security advisories remain essential in mitigating risks associated with vulnerabilities in widely used platforms like Drupal.
