PROBABLYPWNED
Vulnerabilities | May 24, 2026 | 3 min read

Drupal SQL Injection Now Under Active Attack — 15K Exploits in 48 Hours

CVE-2026-9082 exploitation began within hours of patch release. Imperva tracked 15,000+ attacks against PostgreSQL-backed Drupal sites across 65 countries in the first two days.

Marcus Chen

Attackers wasted no time weaponizing Drupal's highly critical SQL injection flaw. Within 48 hours of the May 20 patch release, security researchers observed over 15,000 exploitation attempts targeting nearly 6,000 sites across 65 countries.

CVE-2026-9082 allows unauthenticated attackers to inject arbitrary SQL queries through Drupal's database abstraction API—but only against sites running PostgreSQL backends. That limitation narrows the attack surface considerably, yet attackers are clearly prioritizing the roughly 5% of Drupal installations that meet the criteria.

What Makes This Flaw Dangerous

Google/Mandiant researcher Michael Maturi discovered the vulnerability in Drupal core's database abstraction layer. The flaw scored 23/25 on Drupal's internal severity scale, translating to "highly critical" status.

The attack requires:

  • No authentication — anonymous users can trigger it
  • No access complexity — default configurations are vulnerable
  • PostgreSQL database — MySQL, MariaDB, and SQLite are not affected

Once exploited, attackers can achieve information disclosure, privilege escalation, and in some configurations, remote code execution. The combination of anonymous access and zero complexity makes this a trivial attack for anyone with basic SQL injection knowledge. Organizations unfamiliar with SQL injection risks should review our data breach fundamentals guide for context on how these flaws lead to compromise.

Attack Statistics Paint a Grim Picture

Imperva researchers reported observing 15,000+ exploitation attempts against nearly 6,000 sites in the first 48 hours. Almost half targeted gaming and financial services sites—sectors where credential theft and financial data access offer immediate monetization paths.

The speed of exploitation mirrors patterns we've seen with other critical CMS vulnerabilities this year. Sophisticated threat actors now reverse-engineer patches within hours, building working exploits before most administrators have even scheduled maintenance windows.

CISA Adds to KEV Catalog

CISA added CVE-2026-9082 to its Known Exploited Vulnerabilities catalog on May 22, 2026, confirming active exploitation. Federal agencies face a remediation deadline under Binding Operational Directive 22-01.

This marks the latest in a series of CMS flaws CISA has flagged this month—we've also tracked CISA's additions of Microsoft Defender legacy flaws and Cisco SD-WAN authentication bypass in recent days.

Who Needs to Act

If you run Drupal on PostgreSQL, patch immediately. The vulnerability affects:

  • Drupal 8.9.x (end of life, but patched)
  • Drupal 10.4.x through 10.6.x
  • Drupal 11.0.x through 11.3.x

Patched versions include 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, and 11.3.10.

Mitigation Steps

  1. Update Drupal core to the latest patched version for your branch
  2. Review access logs for suspicious POST requests to database-interacting endpoints
  3. Check PostgreSQL logs for unusual query patterns or errors
  4. Consider WAF rules to block common SQL injection payloads as a temporary measure
  5. Audit user tables for unauthorized privilege escalation or new admin accounts
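
One way to carry out step 5 on a PostgreSQL-backed site, as an added example rather than a query from this article or the Drupal project. It assumes Drupal 8+ default table names (`users_field_data`, `user__roles`) with no table prefix, and uses the May 20 patch release as the start of the review window.

```sql
-- Added example: list accounts that hold any assigned role, plus accounts
-- created or modified since the patch release, for manual review.
-- Assumptions: default Drupal 8+ schema, no table prefix, cutoff of
-- 2026-05-20 00:00 UTC (widen it if you suspect earlier activity).
WITH cutoff AS (
    SELECT EXTRACT(EPOCH FROM TIMESTAMPTZ '2026-05-20 00:00:00+00')::bigint AS ts
)
SELECT u.uid,
       u.name,
       u.mail,
       u.status,                                   -- 1 = active, 0 = blocked
       to_timestamp(u.created)            AS created_at,
       to_timestamp(u.changed)            AS changed_at,
       to_timestamp(NULLIF(u.login, 0))   AS last_login_at,  -- NULL = never logged in
       (u.created >= c.ts OR u.changed >= c.ts) AS touched_since_cutoff,
       COALESCE(
           string_agg(r.roles_target_id, ', ' ORDER BY r.roles_target_id),
           '(no assigned roles)'
       )                                  AS roles
FROM users_field_data u
CROSS JOIN cutoff c
LEFT JOIN user__roles r
       ON r.entity_id = u.uid
      AND r.deleted = 0
WHERE u.uid > 0                      -- skip the anonymous placeholder row
  AND u.default_langcode = 1         -- one row per account
  AND (
        r.entity_id IS NOT NULL      -- holds a role: catches rows inserted
                                     -- directly into user__roles
     OR u.created >= c.ts
     OR u.changed >= c.ts
     OR u.uid = 1                    -- always review the initial admin account
  )
GROUP BY u.uid, u.name, u.mail, u.status,
         u.created, u.changed, u.login, c.ts
ORDER BY GREATEST(u.created, u.changed) DESC;
```

Which role IDs carry administrative rights is site configuration, so check the listed roles against your own role definitions. Compare the output with a backup taken before May 20, because anyone able to write to the database could also have altered the `created` and `changed` values.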

Organizations running MySQL or MariaDB are not vulnerable to this specific flaw but should still update—future vulnerabilities may not be so selective.

Why This Matters

The five-percent figure for PostgreSQL adoption understates the risk. Many high-value targets—universities, government agencies, large enterprises—chose PostgreSQL for its enterprise features and scalability. These are exactly the organizations attackers prioritize.

Gaming and financial services sites face the most intense targeting so far, but that's likely opportunistic rather than deliberate. As exploitation tools spread through underground forums, expect the targeting to broaden. If you're running Drupal on PostgreSQL, the time to patch was yesterday.

For organizations still evaluating their exposure, Drupal's official security advisory provides additional technical context and version-specific guidance.
