Drupal Core SQL Injection (CVE-2026-9082): Critical Patch Required as CISA Remediation Deadline Passes

nick

Drupal Core SQL Injection (CVE-2026-9082): Critical Patch Required as CISA Remediation Deadline Passes

by

Drupal has disclosed a critical SQL injection vulnerability in Drupal Core, tracked as CVE-2026-9082, that carries a CVSS score of 9.8. The vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog and is being actively exploited in the wild. As of May 28, 2026, the CISA-mandated remediation deadline of May 27, 2026 has now passed — meaning any organization still running an unpatched Drupal instance is operating past the federal deadline and remains at direct risk of exploitation.

What Is the Vulnerability?

CVE-2026-9082 is an SQL injection vulnerability in the Drupal Core database abstraction API. The flaw arises from improper neutralization of special elements used in SQL commands, allowing an unauthenticated attacker to inject malicious SQL statements through specially crafted requests. According to CISA, successful exploitation could lead to privilege escalation and remote code execution — giving an attacker full control over the affected Drupal instance and the underlying server.

The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) and carries the maximum severity rating:

  • CVSS v3.1 Score: 9.8 (Critical)
  • Attack Vector: Network (AV:N)
  • Attack Complexity: Low (AC:L)
  • Privileges Required: None (PR:N)
  • User Interaction: None (UI:N)
  • Impact: High on confidentiality, integrity, and availability (C:H/I:H/A:H)

Which Versions Are Affected?

The vulnerability affects a wide range of Drupal Core versions across multiple major release branches:

  • Drupal 8.9.0 through versions prior to 10.4.10
  • Drupal 10.5.0 through versions prior to 10.5.10
  • Drupal 10.6.0 through versions prior to 10.6.9
  • Drupal 11.0.0 through versions prior to 11.1.10
  • Drupal 11.2.0 through versions prior to 11.2.12
  • Drupal 11.3.0 through versions prior to 11.3.10

If your Drupal installation falls within any of these version ranges, it is vulnerable and requires immediate patching.

Is It Being Exploited in the Wild?

Yes. CISA added CVE-2026-9082 to its Known Exploited Vulnerabilities catalog on May 22, 2026 — only two days after the vulnerability was published on May 20. Inclusion in the KEV catalog means CISA has confirmed active exploitation. The vulnerability’s characteristics — network-accessible, low complexity, no authentication or user interaction required — make it an attractive target for automated scanning and mass exploitation campaigns. Given that the remediation deadline has now passed and public awareness is high, the window for attackers to target unpatched systems is wide open.

What Is the Fix?

Drupal has released patched versions that address CVE-2026-9082. The official security advisory, SA-CORE-2026-004, is available at the Drupal Security Advisories page:

https://www.drupal.org/sa-core-2026-004

Organizations should upgrade to the following fixed versions based on their current Drupal release branch:

  • Drupal 10.4.x: Upgrade to 10.4.10 or later
  • Drupal 10.5.x: Upgrade to 10.5.10 or later
  • Drupal 10.6.x: Upgrade to 10.6.9 or later
  • Drupal 11.1.x: Upgrade to 11.1.10 or later
  • Drupal 11.2.x: Upgrade to 11.2.12 or later
  • Drupal 11.3.x: Upgrade to 11.3.10 or later

Recommendations

Apply the patch immediately. This is not a theoretical risk — active exploitation is confirmed, and automated attacks are likely underway. The CISA remediation deadline of May 27, 2026 has now passed, and organizations operating unpatched Drupal instances are non-compliant with Binding Operational Directive 22-01 for federal agencies and are taking on unacceptable risk regardless of sector.

Audit your Drupal inventory. Identify all Drupal instances in your environment — including development, staging, and lesser-known deployments — and verify their version against the affected ranges listed above. Pay special attention to older Drupal 8.x and 9.x installations that may have been upgraded to early 10.x versions and forgotten.

Check for signs of compromise. If you have been running a vulnerable version, conduct a forensic review of your Drupal logs, database logs, and web server access logs for unusual queries or unauthorized access patterns. Given the SQL injection nature of this vulnerability, examine your database for unexpected administrative users, modified content, or injected scripts.

Implement web application firewall rules. While patching is the only complete remediation, WAF rules targeting SQL injection patterns in Drupal-specific request paths can provide a temporary layer of defense for instances that cannot be patched immediately.

Monitor Drupal’s security advisory page for any follow-up guidance or additional patches related to this vulnerability.

References

This advisory was first covered in the broader Vulnerability Intelligence Report — May 28, 2026. For a comprehensive view of all active threats and newly disclosed vulnerabilities as of today, refer to the full report.

Threat Modeling and Security by Design

Threat modeling and Security by Design methods, tools, and approaches to help secure your business and IT landscape.

Terms of Service | Privacy Policy

AI chatbot & help center by 99helpers.com

Threat Modeling
Threat Modeling Tool
Threat Modeling Tool Explainer
What is Threat Modeling?
STRIDE Threat Modeling
PASTA Threat Modeling
Automated Threat Modeling
Threat Modeling Framework
CISO Security Mind Map 2026
CIS Controls
OWASP Top 10

© Threat-Modeling.com

Connect with me

Enter your Email address if you want to connect and receive threat modeling updates (I won’t spam you or share your contact details).

AND / OR

Try my threat modeling tool, it's completely free to use.

Thanks for signing up!