Technical description
Drupal Core contains a SQL injection vulnerability (CWE-89) in its database abstraction API that affects installations using PostgreSQL as the database backend. The vulnerability is exploitable by anonymous users via specially crafted requests sent to affected Drupal sites. Drupal disclosed the issue on May 20, 2026, in security advisory SA-CORE-2026-004, rating it 'Highly critical.' CISA added CVE-2026-9082 to its Known Exploited Vulnerabilities catalog on May 22, 2026, after confirming active exploitation in the wild. Successful exploitation may lead to information disclosure, privilege escalation, remote code execution, or other follow-on attacks. Drupal warned administrators that exploits might be developed within hours or days of the public advisory.
Attack vector
The SQL injection is triggered through pre-authentication code paths in Drupal Core that build PostgreSQL queries. Public research identified /user/login?_format=json as one anonymous route that reaches the vulnerable code sink. An attacker can craft requests that inject SQL into the database abstraction layer, bypassing authentication and executing arbitrary SQL operations against the site database. The flaw affects Drupal Core versions from 8.9.0 through several 10.x and 11.x branches prior to the fixed releases listed below.
Affected systems
Drupal Core installations using the PostgreSQL database backend are affected in the following version ranges: 8.9.0 before 10.4.10; 10.5.x before 10.5.10; 10.6.x before 10.6.9; 11.0.x and 11.1.x before 11.1.10; 11.2.x before 11.2.12; 11.3.x before 11.3.10. Installations using MySQL, MariaDB, or SQLite are not affected by the SQL injection itself but should still update for the bundled Symfony and Twig security fixes.
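The following script classifies a deployment against the version ranges above and checks which database driver settings.php declares. It is an added example written for this page, not Drupal's own tooling: the ranges are transcribed from the advisory, and the settings.php parsing assumes the stock `$databases['default']['default']` array with a `'driver' => 'pgsql'` entry (the sample settings text is constructed).

```python
"""Classify a Drupal Core deployment against the ranges in this advisory.

Added example, not Drupal's own tooling. Fixed versions come from the advisory
text; settings.php parsing assumes the stock $databases array with a
'driver' => '<name>' entry. SAMPLE_SETTINGS below is constructed.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

# (first affected version, inclusive; first fixed version, exclusive), per the advisory.
AFFECTED_RANGES = [
    ((8, 9, 0), (10, 4, 10)),   # 8.9.0 up to, but not including, 10.4.10
    ((10, 5, 0), (10, 5, 10)),  # 10.5.x before 10.5.10
    ((10, 6, 0), (10, 6, 9)),   # 10.6.x before 10.6.9
    ((11, 0, 0), (11, 1, 10)),  # 11.0.x and 11.1.x before 11.1.10
    ((11, 2, 0), (11, 2, 12)),  # 11.2.x before 11.2.12
    ((11, 3, 0), (11, 3, 10)),  # 11.3.x before 11.3.10
]

# Constructed settings.php fragment in the stock Drupal layout.
SAMPLE_SETTINGS = """
$databases['default']['default'] = array(
  'database' => 'drupal',
  'username' => 'drupal',
  'password' => 'REDACTED',
  'host' => 'localhost',
  'driver' => 'pgsql',
);
"""

DRIVER_RE = re.compile(r"['\"]driver['\"]\s*=>\s*['\"]([a-z_]+)['\"]")


def parse_version(text: str) -> Version:
    """Turn a release string such as '10.5.8' into a comparable int tuple.

    Pre-release suffixes (e.g. '10.5.10-rc1') are rejected on purpose: an
    rc build is not the fixed release and must not be classified as one."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal release string: {text!r}")
    return tuple(int(p) for p in m.groups())


def version_in_affected_range(version: str) -> bool:
    """True if the version falls inside any range the advisory lists."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def database_driver(settings_php: str) -> Optional[str]:
    """Return the first 'driver' value in a settings.php body, or None."""
    m = DRIVER_RE.search(settings_php)
    return m.group(1) if m else None


def assess(version: str, settings_php: str) -> str:
    """Classify as 'vulnerable', 'update-recommended', 'fixed' or 'not-listed'.

    'update-recommended' covers affected versions on a non-PostgreSQL driver:
    the SQL injection does not apply, the bundled Symfony/Twig fixes still do.
    'not-listed' covers versions below 8.9.0, which the advisory does not name."""
    in_range = version_in_affected_range(version)
    driver = database_driver(settings_php)
    if in_range:
        return "vulnerable" if driver == "pgsql" else "update-recommended"
    return "fixed" if parse_version(version) >= (8, 9, 0) else "not-listed"


if __name__ == "__main__":
    for release in ("10.5.8", "11.2.12", "9.5.11"):
        print(release, assess(release, SAMPLE_SETTINGS))
```

Run it against the output of `drush core:status` (or the `\Drupal::VERSION` constant) and the site's settings.php; anything reported as "vulnerable" should be treated as exposed until upgraded.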
Mitigation
Upgrade immediately to the fixed Drupal Core release for the branch you run: 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, or 11.3.10. For end-of-life branches (Drupal 8.x, 9.x, and older 10.x and 11.x minors), Drupal released exceptional best-effort patches; migration to a supported branch remains the only long-term fix. Confirm whether your installation uses PostgreSQL; if it does not, the SQL injection does not apply, but the update is still recommended for the other security fixes. Review logs from May 18, 2026, onward for abnormal POST traffic to /user/login?_format=json, 500 error responses on that route, and unusual JSON:API requests. Federal agencies must remediate by May 27, 2026, per CISA KEV guidance.
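The log review described above, as an added example that is not part of the advisory or of Drupal. It assumes Apache/nginx "combined" access-log format, restricts itself to entries on or after May 18, 2026, and flags a source IP once it has produced three or more 500 responses on the login route (the threshold is an assumption, tune it to your traffic); JSON:API paths requested by a flagged IP are listed alongside. The sample log lines are constructed.

```python
"""Triage access logs for the indicators named in this advisory.

Added example, not part of the advisory or of Drupal. Assumes the combined
log format; SAMPLE_LOG is constructed for the demonstration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone
from typing import Dict, List

# ip ident user [timestamp] "METHOD path PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
LOGIN_ROUTE = "/user/login?_format=json"
REVIEW_FROM = datetime(2026, 5, 18, tzinfo=timezone.utc)  # advisory's review window

# Constructed sample: one pre-window error, one burst of 500s followed by a
# JSON:API read from the same address, and one ordinary successful login.
SAMPLE_LOG = """\
203.0.113.7 - - [17/May/2026:09:12:01 +0000] "POST /user/login?_format=json HTTP/1.1" 500 97 "-" "Mozilla/5.0"
198.51.100.22 - - [19/May/2026:02:41:10 +0000] "POST /user/login?_format=json HTTP/1.1" 500 211 "-" "python-requests/2.31"
198.51.100.22 - - [19/May/2026:02:41:11 +0000] "POST /user/login?_format=json HTTP/1.1" 500 211 "-" "python-requests/2.31"
198.51.100.22 - - [19/May/2026:02:41:12 +0000] "POST /user/login?_format=json HTTP/1.1" 500 211 "-" "python-requests/2.31"
198.51.100.22 - - [19/May/2026:02:43:30 +0000] "GET /jsonapi/user/user HTTP/1.1" 200 1834 "-" "python-requests/2.31"
192.0.2.10 - - [20/May/2026:08:00:00 +0000] "POST /user/login?_format=json HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [20/May/2026:08:00:05 +0000] "GET /node/1 HTTP/1.1" 200 7421 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> dict:
    """Parse one combined-format line; return {} for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return {}
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def triage(log_text: str, min_errors: int = 3) -> Dict[str, dict]:
    """Return, per flagged source IP, its count of 500s on the login route
    and the JSON:API paths it requested inside the review window.

    An IP is flagged when it produced at least `min_errors` 500 responses on
    POST /user/login?_format=json on or after REVIEW_FROM."""
    login_500s: Counter = Counter()
    jsonapi: Dict[str, List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        e = parse_line(line)
        if not e or e["ts"] < REVIEW_FROM:
            continue
        if e["method"] == "POST" and e["path"] == LOGIN_ROUTE and e["status"] == 500:
            login_500s[e["ip"]] += 1
        elif e["path"].startswith("/jsonapi/"):
            jsonapi[e["ip"]].append(e["path"])
    return {
        ip: {"login_500s": n, "jsonapi_paths": jsonapi.get(ip, [])}
        for ip, n in login_500s.items()
        if n >= min_errors
    }


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        print(ip, info)
```

Feed it the real access log (`triage(open("access.log").read())`); a flagged address whose JSON:API activity starts right after the error burst is the pattern worth escalating, since a 500 on this route is where a malformed injection attempt would surface before a working one does.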