Drupal: Critical SQL injection flaw hits under attack

CVE-2026-9082 SQL – Drupal says attackers are now probing a “highly critical” SQL injection flaw it warned about earlier this week. Tracked as CVE-2026-9082, the bug is exploitable without authentication on PostgreSQL-backed sites, and Drupal has updated its advisory to reflect d
By the time many administrators had finished their first round of patch planning, the clock Drupal set in its warning was already starting to run.
On May 18, the Drupal project issued a PSA saying hackers could begin exploiting a “highly critical” SQL injection vulnerability addressed in core updates within “hours or days.” That warning has now moved from theory to a closer, harder reality. In an advisory update dated May 22, Drupal confirmed exploitation attempts have been detected.
The vulnerability is tracked as CVE-2026-9082. It was discovered by Michael Maturi, a Google/Mandiant researcher, and it targets Drupal’s database abstraction API. For sites using PostgreSQL, specially crafted requests can trigger arbitrary SQL injection.
SQL injection is the kind of flaw that lets attackers slip malicious SQL commands into database queries through user-controlled input fields or dialogs. In this case, Drupal says the bug is exploitable without authentication—an important detail when defending public-facing sites. The potential outcomes are severe: remote code execution, privilege escalation, and information disclosure.
Drupal rated CVE-2026-9082 as “highly critical,” assigning it an internal score of 23 out of 25. NIST, however, rated it as medium severity with a CVSS v3 score of 6.5.
The gap between those scores matters because the practical message is urgent and plain: Drupal is telling operators to upgrade immediately.
CVE-2026-9082 impacts a broad range of Drupal versions, including Drupal 8.9.x; Drupal 10.4.x before 10.4.10; Drupal 10.5.x before 10.5.10; Drupal 10.6.x before 10.6.9; and Drupal 11.0.x / 11.1.x before 11.1.10. It also affects Drupal 11.2.x before 11.2.12 and Drupal 11.3.x before 11.3.10.
Drupal’s guidance goes beyond the database piece. Even for operators not using PostgreSQL, the project says they should still update, because the latest security updates include fixes for upstream dependencies—including Symfony and Twig.
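To turn the version ranges and the update guidance above into an inventory check, here is an added Python triage helper (not Drupal's code and not part of the original article). It assumes a plain `MAJOR.MINOR.PATCH` version string and a database driver name as reported by the site; the fixed patch levels are the ones listed above, and branches not named above are reported as unknown rather than guessed.

```python
from typing import Optional, Tuple

# Branch (major, minor) -> first fixed patch level named in the advisory as reported above.
# None: the whole branch is listed as affected with no fixed release on that branch
# (8.9.x; 11.0.x users are pointed at 11.1.10 on the 11.1 branch).
FIXED_BY_BRANCH = {
    (8, 9): None, (10, 4): 10, (10, 5): 10, (10, 6): 9,
    (11, 0): None, (11, 1): 10, (11, 2): 12, (11, 3): 10,
}

def parse_version(v: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' into integers; a pre-release suffix like '-rc1' is dropped."""
    parts = v.strip().split("-")[0].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Drupal version string: {v!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch

def is_affected(version: str) -> Optional[bool]:
    """True if inside a range the advisory lists as vulnerable, False if at or above
    the fixed release on its branch, None if the branch is not covered by the list."""
    major, minor, patch = parse_version(version)
    if (major, minor) not in FIXED_BY_BRANCH:
        return None
    fixed = FIXED_BY_BRANCH[(major, minor)]
    if fixed is None:
        return True
    return patch < fixed

def triage(version: str, db_driver: str) -> str:
    """Rank urgency: a PostgreSQL site on a vulnerable version is the exploitable case;
    every other site on a vulnerable version still needs the bundled dependency fixes."""
    affected = is_affected(version)
    on_postgres = db_driver.lower() in ("pgsql", "postgresql", "postgres")
    if affected is None:
        return "unknown branch: consult the advisory"
    if affected and on_postgres:
        return "urgent: unauthenticated SQL injection reachable, upgrade now"
    if affected:
        return "update: Symfony and Twig dependency fixes included"
    return "patched for CVE-2026-9082"

if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    for host, ver, drv in [("site-a", "10.5.9", "pgsql"), ("site-b", "11.3.10", "mysql")]:
        print(f"{host} {ver} ({drv}): {triage(ver, drv)}")
```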
The advisory carries an additional warning for organizations that may be stuck on older branches. Drupal says Drupal 8 and 9 are end-of-life (EoL), and patches are provided on a “best-effort” basis. Those branches may still contain other known vulnerabilities, meaning continued use is inherently risky.
The May 22 update changed the tone of the entire situation: Drupal did not just describe a vulnerability that could be exploited—it confirmed attempts are being observed in the wild. For administrators, the problem is no longer whether to schedule the next patch window. It’s whether they can finish upgrading before opportunistic attackers make the most of a bug that needs no login to reach the database.
So it’s just like hacking websites with SQL? Cool cool.
I don’t even know what Drupal is but if it says “hours or days” then yeah people are probably getting wrecked already. Why would anything be exploitable without authentication… that sounds backwards.
Wait did they patch it or not? The article says it was addressed in core updates but then says May 22 they detected exploitation attempts. That means the patch didn’t work, right? Or the attackers waited? Either way I’m confused.
“Highly critical” vs “medium” NIST is like… okay so which one is it? 6.5 vs 23/25 sounds like marketing math lol. Also PostgreSQL only? But then it affects a bunch of Drupal versions, so basically every site uses it anyway, right? This is gonna be one of those things where everyone patches late and then acts surprised.