“The risk score has been updated to reflect that exploit attempts are now being detected in the wild,” reads Drupal’s updated advisory — a terse sentence that changes this week’s vulnerability from hypothetical to active threat.
CVE-2026-9082: what the flaw does and who found it
The vulnerability, tracked as CVE-2026-9082, was disclosed in a Drupal PSA published May 18 and updated on May 22. It was discovered by Google/Mandiant researcher Michael Maturi and affects Drupal’s database abstraction API. According to the advisory, specially crafted requests can trigger arbitrary SQL injection on sites that use PostgreSQL.
The advisory warns the flaw is exploitable without authentication and that successful exploitation could lead to remote code execution, privilege escalation, and information disclosure — outcomes that put site integrity and stored data at risk.
Detection in the wild and Drupal’s severity assessment
Drupal’s May 22 update changes the immediate posture: exploit attempts have been observed. The project raised its internal risk score to 23 out of 25 and labeled the vulnerability “highly critical.” In contrast, the National Institute of Standards and Technology (NIST) assigns CVE-2026-9082 a CVSS v3 score of 6.5, rating it “medium severity.” The two assessments sit side-by-side in the record published by Drupal and NIST.
Affected branches and the upgrade guidance
- Drupal 8.9.x
- Drupal 10.4.x before 10.4.10
- Drupal 10.5.x before 10.5.10
- Drupal 10.6.x before 10.6.9
- Drupal 11.0.x / 11.1.x before 11.1.10
- Drupal 11.2.x before 11.2.12
- Drupal 11.3.x before 11.3.10
The PSA urges website owners and administrators to upgrade immediately to the latest version available for their branch. Drupal additionally advises that even sites not using PostgreSQL should apply the updates: the security release also contains fixes for upstream dependencies including Symfony and Twig.
Drupal notes that versions 8 and 9 are end-of-life and receive patches only on a “best-effort” basis; the project says those branches still contain other known vulnerabilities, making continued use inherently risky.
What this means for technologists, procurement leads, and end users
- Technologists and security teams: The advisory explicitly urged administrators to reserve time for core updates. Given the advisory’s confirmation of exploitation attempts and the vulnerability’s ability to be triggered without authentication, teams should prioritize applying the security updates for their Drupal branch and review PostgreSQL-backed sites first.
- Affected enterprises and procurement leaders: The notice that Drupal 8 and 9 are EoL and that patches for those branches are provided on a “best-effort” basis should inform purchasing and maintenance decisions — continuing to operate on EoL branches carries acknowledged, ongoing risk.
- End users and site visitors: Because the flaw can lead to information disclosure and the advisory confirms exploit attempts, data hosted on vulnerable Drupal sites may be at increased risk until sites are patched. Site owners are advised to complete upgrades immediately.
Where sites and administrators stand today
The timeline is short: Drupal published the advisory on May 18 and confirmed active exploitation attempts in an update on May 22. The vulnerability’s PostgreSQL-specific impact, its unauthenticated exploitability, and the fact that the advisory couples immediate upgrade recommendations with upstream dependency fixes combine to make this a critical maintenance window for operators running affected branches.
Administrators who cannot immediately upgrade should still plan for expedited patching, prioritize PostgreSQL-backed instances, and assume that exploitation attempts are occurring in the wild until evidence proves otherwise. For sites running EoL branches, the advisory’s “best-effort” patching posture is an explicit signal that migration to a supported branch or platform should be part of the remedial plan.
Original reporting: https://www.bleepingcomputer.com/news/security/drupal-critical-sql-injection-flaw-now-targeted-in-attacks/




