Overview
Drupal has issued an urgent warning that threat actors are actively attempting to exploit a highly critical SQL injection vulnerability (CVE-2026-9082) in Drupal Core — with exploitation attempts confirmed within days of the flaw's public disclosure and initial patch release.
The rapid weaponization of this vulnerability follows a well-established pattern with Drupal flaws: attackers monitor security advisories and immediately begin automated scanning and exploitation of sites that have not yet applied patches. Site administrators must treat this as a zero-delay patching emergency.
The Vulnerability
CVE-2026-9082 is a SQL injection vulnerability in Drupal Core — Drupal's description of the flaw as "highly critical" reflects the maximum severity rating in Drupal's own advisory system, typically reserved for vulnerabilities that can be exploited with minimal authentication requirements and lead to significant compromise.
| Field | Value |
|---|---|
| CVE | CVE-2026-9082 |
| CVSS Score | 6.5 (Medium-High) |
| Drupal Severity | Highly Critical |
| Type | SQL Injection |
| Affected | Drupal Core (multiple versions) |
| Status | Under active exploitation |
| CISA KEV | Added May 23, 2026 |
SQL injection in a CMS like Drupal is particularly dangerous because:
- Authentication may not be required — attackers can exploit the flaw without needing a valid account
- Database access often leads to credential theft, enabling further compromise
- Admin account takeover is achievable if password hashes are extracted and cracked
- Web shell deployment can escalate a SQL injection to full server control
Exploitation Timeline
The speed from disclosure to active attacks is concerning:
| Stage | Timing |
|---|---|
| Drupal patches and advisory published | Day 0 |
| Security researchers analyze the flaw | Day 0–1 |
| Proof-of-concept code circulates underground | Day 1–2 |
| Automated scanning begins | Day 2–3 |
| Active exploitation confirmed — Drupal issues warning | Day 3–5 |
| CISA adds to KEV catalog | Day 3–5 |
This timeline is consistent with Drupalgeddon precedents (2014, 2018) where attacks began within hours to days of major Drupal advisories. Administrators who delay patching beyond the initial disclosure window face rapidly escalating risk.
What Attackers Are Doing
Based on current exploitation patterns with Drupal vulnerabilities and SQL injection attacks more broadly, active threat actors are likely:
Automated scanning:
- Mass scanning the internet for Drupal installations using version fingerprinting
- Identifying which sites are running vulnerable Drupal Core versions
- Prioritizing high-value targets — government, healthcare, financial, and education sites
Exploitation goals:
- Credential harvesting — extracting user password hashes for offline cracking
- Admin account creation — adding backdoor administrator accounts
- Web shell installation — deploying PHP shells for persistent access
- Data exfiltration — stealing stored PII, financial data, or proprietary information
Post-exploitation:
- Installing cryptocurrency miners on compromised servers
- Adding sites to DDoS botnets
- Using compromised sites as phishing distribution platforms
- Selling access to compromised sites on underground markets
Who Is At Risk
Any organization running Drupal Core versions affected by CVE-2026-9082 is at risk. Drupal's widespread use across:
- Government portals (federal, state, and municipal)
- University and academic websites
- Healthcare provider portals
- Non-profit and NGO sites
- Enterprise content and intranet sites
...means the attack surface is extremely broad. Shared hosting environments where many Drupal sites coexist are particularly vulnerable, as a single successful attack can enable lateral movement across multiple hosted properties.
Immediate Remediation Steps
Priority 1 — Patch immediately:
- Review the Drupal security advisory at drupal.org/security for the exact affected versions and patched releases
- Update Drupal Core to the patched version — do not wait for a scheduled maintenance window
- Test the update in a staging environment if possible, but do not let testing delay production patching by more than hours
Priority 2 — Assess exposure:
- Identify all Drupal installations in your environment (including staging/dev sites)
- Check if WAF/CDN rules for SQL injection protection are active
- Review recent access logs for evidence of exploitation (unusual SQL patterns, error spikes, unexpected admin account creation)
Priority 3 — Detect compromise:
Signs that your Drupal site may already be compromised:
- Unexpected admin user accounts added in recent days
- Modified PHP files in the Drupal core directory
- Unusual outbound network connections from the web server
- Database query logs showing anomalous SELECT or UNION statements
- Unexplained spikes in CPU/network usage
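The Priority 2 and Priority 3 checks above both point at the web server access log: look for SQL-shaped request parameters and for spikes in 5xx errors. The script below is an added example written for this article; it is not from Drupal, the advisory or BleepingComputer. It parses combined-format access log lines, URL-decodes the request path (repeatedly, so double-encoded payloads are normalised), tags requests that match generic SQL injection indicators, and ranks client addresses by repeated hits or by a high server-error ratio. The log lines, addresses, paths and payloads are constructed samples, and the patterns are general SQL injection indicators, not signatures for CVE-2026-9082 itself, whose request details the advisory does not publish; treat a hit as a reason to look closer, not as proof of compromise.

```python
"""Triage helper: flag SQL-injection-shaped requests and 5xx error spikes in
web server access logs. Added example for this article; the log lines, IPs
and payloads below are constructed, and the patterns are generic SQL
injection indicators rather than signatures for CVE-2026-9082 itself."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Combined-format access log line: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Generic indicators, matched against the lower-cased, URL-decoded request path.
SQLI_PATTERNS = [
    ("union-select", re.compile(r"\bunion\b\s+(?:all\s+)?select\b")),
    ("tautology", re.compile(r"\b(?:or|and)\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+")),
    ("time-based", re.compile(r"\b(?:sleep|benchmark|pg_sleep|waitfor)\s*\(")),
    ("comment-terminator", re.compile(r"--(?:\s|$)")),
    ("schema-probe", re.compile(r"\binformation_schema\b")),
]

# Constructed sample traffic (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG = """\
203.0.113.10 - - [24/May/2026:10:01:02 +0000] "GET /node/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [24/May/2026:10:01:03 +0000] "GET /user/login HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [24/May/2026:10:02:11 +0000] "GET /search/node?keys=a%27%20UNION%20SELECT%201%2C2%2C3--%20 HTTP/1.1" 500 512 "-" "python-requests/2.31"
198.51.100.7 - - [24/May/2026:10:02:12 +0000] "GET /search/node?keys=a%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 500 512 "-" "python-requests/2.31"
198.51.100.7 - - [24/May/2026:10:02:13 +0000] "GET /search/node?keys=a%27%20OR%201%3D1--%20 HTTP/1.1" 500 512 "-" "python-requests/2.31"
198.51.100.8 - - [24/May/2026:10:02:20 +0000] "GET /search/node?keys=%27%29 HTTP/1.1" 500 512 "-" "curl/8.0"
198.51.100.8 - - [24/May/2026:10:02:21 +0000] "GET /search/node?keys=%27%29%29 HTTP/1.1" 500 512 "-" "curl/8.0"
192.0.2.5 - - [24/May/2026:10:03:00 +0000] "GET /search/node?keys=union+station HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""


def decode_request(path: str) -> str:
    """URL-decode repeatedly (bounded) so double-encoded payloads are normalised."""
    decoded = path
    for _ in range(3):
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def classify(path: str) -> list[str]:
    """Return the indicator labels that fire on a raw (still encoded) request path."""
    text = decode_request(path).lower()
    return [label for label, pat in SQLI_PATTERNS if pat.search(text)]


def scan_log(text: str):
    """Parse log lines, collect flagged requests and per-client statistics."""
    events = []
    per_ip = defaultdict(lambda: {"requests": 0, "errors": 0, "sqli": 0, "tags": set()})
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, status = m["ip"], int(m["status"])
        stats = per_ip[ip]
        stats["requests"] += 1
        if status >= 500:
            stats["errors"] += 1
        tags = classify(m["path"])
        if tags:
            stats["sqli"] += 1
            stats["tags"].update(tags)
            events.append({"ip": ip, "ts": m["ts"], "status": status,
                           "path": decode_request(m["path"]), "tags": tags})
    return events, dict(per_ip)


def suspicious_ips(per_ip, min_hits=2, error_ratio=0.5):
    """Rank clients that sent repeated injection-shaped requests, or whose
    requests mostly ended in 5xx (the error-spike indicator from the article)."""
    ranked = []
    for ip, s in per_ip.items():
        ratio = s["errors"] / s["requests"] if s["requests"] else 0.0
        if s["sqli"] >= min_hits or (s["errors"] >= min_hits and ratio >= error_ratio):
            ranked.append((ip, s["sqli"], round(ratio, 2), sorted(s["tags"])))
    return sorted(ranked, key=lambda r: (-r[1], -r[2]))


if __name__ == "__main__":
    events, per_ip = scan_log(SAMPLE_LOG)
    for e in events:
        print(f"{e['ts']} {e['ip']} {e['status']} {','.join(e['tags'])} {e['path']}")
    for ip, hits, ratio, tags in suspicious_ips(per_ip):
        print(f"suspicious: {ip} injection-hits={hits} 5xx-ratio={ratio} tags={tags}")
```

Two design points matter in practice. Decoding before matching is what catches `%2527`-style double encoding that a naive `grep UNION` misses, and decoding with `unquote_plus` turns a legitimate search for `union+station` into `union station`, which the `union-select` pattern correctly ignores. The second ranking criterion (a client whose requests mostly end in 5xx even when no pattern fires) exists because injection probing against a site that has already applied a WAF rule, or that throws database exceptions, often shows up as an error spike long before a readable payload does. Run it against a real log with `scan_log(open(path).read())` and review the ranked addresses alongside the user account and file-modification checks listed above.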
Priority 4 — Report and recover:
- If compromise is confirmed, take the site offline immediately
- Engage incident response — full forensic analysis is required
- Restore from a known-clean backup taken before the exploitation window
- Notify affected users if personal data may have been accessed
The "Highly Critical" Label
Drupal uses a non-standard severity scale for its own advisories:
| Drupal Rating | Description |
|---|---|
| Highly Critical | Remote exploit, no authentication required |
| Critical | Significant impact, may require some access |
| Moderately Critical | Significant impact but with mitigating factors |
| Less Critical | Limited impact or requires significant access |
| Not Critical | Minimal impact |
CVE-2026-9082's "Highly Critical" classification means Drupal's security team assessed this as exploitable remotely with minimal or no authentication — the most dangerous category in their system.
Sources
- BleepingComputer — Drupal: Critical SQL injection flaw now targeted in attacks