CVE-2026-9082 — a recently disclosed, actively exploited SQL injection vulnerability in Drupal — has prompted the U.S. Cybersecurity and Infrastructure Security Agency to order federal civilian agencies to patch systems by midnight on Wednesday, May 27.
CVE-2026-9082 and Drupal’s database abstraction API
Researcher Michael Maturi of Google/Mandiant discovered a vulnerability in Drupal’s database abstraction API that the Drupal security team classified as “highly critical.” The flaw permits unauthenticated attackers to trigger arbitrary SQL injection on PostgreSQL-powered Drupal sites via specially crafted requests. According to the advisory, successful exploitation can result in information disclosure, privilege escalation, and even remote code execution.
CISA and the BOD 22-01 deadline
On Friday, CISA added CVE-2026-9082 to its Known Exploited Vulnerabilities Catalog and invoked Binding Operational Directive 22-01, ordering Federal Civilian Executive Branch agencies to remediate the vulnerability by midnight on Wednesday, May 27. The agency noted that BOD 22-01 applies only to FCEB agencies but said it “strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice.”
Drupal team patches and observed exploitation
The Drupal security team released patches and confirmed that exploitation attempts have been detected in the wild. Given that the vulnerability is exploitable without authentication, the availability of patches and the confirmation of active probing led CISA to prioritize the entry for federal remediation. The agency warned, “This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.”
Shadowserver count: nearly 670 exposed installations
Internet security watchdog Shadowserver is tracking nearly 670 unpatched Drupal installations that remain exposed online. The distribution reported by Shadowserver is concentrated in North America (272) and Europe (273). CISA’s notice and the Drupal security team’s alerts both point to the urgency of patching public-facing systems, particularly those running PostgreSQL backends that are susceptible to this specific injection vector.
What this means for government agencies, educational organizations, and enterprises
- Government agencies: Federal Civilian Executive Branch agencies must follow BOD 22-01 timelines and apply vendor mitigations or discontinue use where mitigations are unavailable. The directive sets a firm, agency-level remediation deadline of midnight on May 27.
- Educational organizations and major research universities: Because Drupal is commonly used by large organizations managing multi-site installations, patching will require coordination across campuses and research infrastructures that host many sites and databases — especially PostgreSQL-backed instances.
- Enterprises and media organizations: CISA explicitly urged defenders in the private sector to apply the CVE-2026-9082 patches as soon as possible. The advisory reiterated standard options: “Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”
Over the past several years, CISA has flagged five Drupal vulnerabilities that were exploited in the wild, including two that were later abused in ransomware attacks — a record the agency cited in stressing rapid remediation. The combination of an unauthenticated injection vector, confirmed exploitation, and hundreds of internet-exposed installations creates a narrow window for defenders to act.
For organizations running Drupal, the immediate tasks are clear and concrete: inventory PostgreSQL-backed Drupal sites, apply the vendor’s patches, implement any recommended mitigations, and, where necessary, remove or isolate vulnerable instances until fixes are in place. For federal agencies, the deadline is explicit and binding. For the wider internet community, the advisory is urgent: attackers already probed this vector, and nearly 670 installations remain exposed online.
Read the original advisory: https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-actively-exploited-drupal-vulnerability/




