CISA orders Drupal patches for actively exploited SQL bug

CVE-2026-9082 patch – CISA has added CVE-2026-9082 to its Known Exploited Vulnerabilities catalog and ordered U.S. federal agencies to patch a Drupal SQL injection flaw by midnight Wednesday, May 27—after attackers were observed probing thousands of sites across dozens of countries
It’s not the kind of vulnerability that waits politely for a software update. CISA has given U.S. government agencies a hard deadline—Wednesday evening—to secure servers against a Drupal SQL injection flaw it flagged as actively exploited.
The issue is tied to CVE-2026-9082, a database abstraction API problem in Drupal that was discovered by Google/Mandiant researcher Michael Maturi. Drupal is widely used by large organizations running massive data structures and multi-site installations, including government entities, educational organizations, major research universities, and high-profile enterprise and media organizations—so the blast radius goes well beyond a niche content platform.
Attackers can exploit the flaw without authentication, using specially crafted requests to trigger arbitrary SQL injection on PostgreSQL-powered sites. If that succeeds, the consequences can stack quickly: information disclosure, privilege escalation, and even remote code execution.
Drupal’s security team tagged the vulnerability as “highly critical” before releasing patches and confirming that exploitation attempts had already been detected in the wild. The scale of that probing has become impossible to ignore. On May 21, Imperva warned it had observed over 15,000 attack attempts targeting almost 6,000 individual sites across 65 countries. The firm said the attacks are primarily targeting Gaming and Financial Services sites so far, making up almost 50% of all attacks.
While those figures reflect attempts already in motion, the internet security watchdog Shadowserver now tracks nearly 670 unpatched Drupal installations exposed online. Most of those exposed instances are in North America (272) and Europe (273).
CISA moved the issue into a faster lane on Friday, adding the flaw to its Known Exploited Vulnerabilities (KEV) Catalog and ordering Federal Civilian Executive Branch (FCEB) agencies to patch their systems by midnight on Wednesday, May 27. The requirement is backed by Binding Operational Directive (BOD) 22-01, which applies to U.S. federal agencies.
For everyone else, the urgency still lands. Even though BOD 22-01 is limited to FCEB agencies, CISA advised all defenders—including those in the private sector—to apply CVE-2026-9082 patches as soon as possible to secure their organizations’ devices. The agency said it urges organizations to prioritize timely remediation of KEV Catalog vulnerabilities as part of vulnerability management practice.
CISA also spelled out what it expects organizations to do in the meantime: “Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”
There’s a reason for the pressure. Over the last several years, CISA has flagged five Drupal vulnerabilities that have been exploited in the wild, two of which have also been abused in ransomware attacks.