Drupal Core SQLi bug exploited, added to CISA KEV
Drupal is warning that hackers are attempting to exploit a 'highly critical' SQL injection vulnerability announced earlier this week. [...]
What Happened
Drupal has issued an urgent warning that threat actors are actively exploiting a critical SQL injection vulnerability in Drupal Core, tracked as CVE-2026-9082. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, rated “highly critical” by Drupal, was patched earlier this week in the latest security release. Organizations running unpatched Drupal Core installations are at immediate risk of data compromise, including database exfiltration and unauthorized administrative access.
Why It Matters
Drupal powers approximately 1% of all websites globally, including numerous government agencies, universities, and enterprise content management systems. The CISA KEV designation means U.S. federal civilian agencies must patch within a mandated timeframe, but the implications extend far beyond government networks. An SQL injection bug in Drupal Core allows an attacker to execute arbitrary SQL queries against the underlying database. This can lead to complete compromise of the CMS, theft of user credentials and personal data, defacement, and potential lateral movement into connected infrastructure. For organizations with Drupal handling sensitive data or serving as a public-facing portal, this is a maximum-urgency event.
Technical Details
CVE-2026-9082 is a SQL injection vulnerability in Drupal Core’s database abstraction layer. The flaw exists in how the system handles certain database queries, allowing an unauthenticated remote attacker to inject malicious SQL commands. Because the vulnerability is in Core, it affects all major Drupal versions, including the Drupal 10 and Drupal 11 branches, prior to the patched releases (10.3.x versions before 10.3.12, and 11.0.x versions before 11.0.8, as of the latest advisory). Drupal has released patches and updated releases; no workaround is available. Public proof-of-concept (PoC) code has been published, which lowers the bar for additional attackers. The CISA KEV entry confirms that active exploitation is underway, with researchers observing targeted attacks likely aimed at data extraction and persistent backdoor installation.
Immediate Risk
The risk is critical. Any organization running an unpatched Drupal Core instance should treat this as a probable compromise scenario. Attackers require no authentication to trigger the injection. The window to patch has effectively closed - exploitation is confirmed in the wild. Organizations should immediately verify their Drupal version, apply the latest security update, and audit database and application logs for signs of SQL injection attempts, unusual queries, or unauthorized administrative actions. If logs are unavailable or retention is limited, assume compromise and initiate incident response procedures, including credential rotation and database integrity checks.
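As an added example (not from the advisory or from Drupal itself), the following Python triage helper encodes only the two affected ranges quoted above for CVE-2026-9082 and reports any other branch as "unknown", so a version outside those ranges is checked against the current advisory rather than assumed safe; the site names and versions in the sample inventory are constructed.

```python
# Added example: flag Drupal Core versions inside the affected ranges stated
# in the article for CVE-2026-9082. Only the two quoted ranges are encoded;
# any other branch is reported as "unknown" rather than silently passed.
import re
from typing import Dict, Tuple

# Patched releases per the article: 10.3.x < 10.3.12 and 11.0.x < 11.0.8
FIXED: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (10, 3): (10, 3, 12),
    (11, 0): (11, 0, 8),
}

# Strict MAJOR.MINOR.PATCH only; dev/pre-release strings are rejected so a
# "10.3.x-dev" style checkout is never mis-classified as a fixed release.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple of ints."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(version: str) -> str:
    """Return 'vulnerable', 'patched' or 'unknown' for a Drupal Core version."""
    parsed = parse_version(version)
    fixed = FIXED.get(parsed[:2])
    if fixed is None:
        return "unknown"  # branch not covered by the ranges quoted above
    return "patched" if parsed >= fixed else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each site in an inventory {name: version} to its assessment."""
    return {site: assess(ver) for site, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"intranet": "10.3.11", "portal": "10.3.12",
              "research": "11.0.7", "labs": "11.0.8", "legacy": "10.2.9"}
    for site, verdict in triage(sample).items():
        print(f"{site:10} {sample[site]:8} {verdict}")
```

Anything reported as "unknown" still needs to be compared against the advisory's full list of fixed releases before it is treated as safe.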
Security Insight
This Drupal Core SQLi incident mirrors the pattern of the infamous CVE-2018-7600 (Drupalgeddon 2) remote code execution vulnerability, which saw widespread exploitation within days of disclosure. The key defensive lesson is that CMS Core SQL injection should be treated with the same urgency as RCE, because it can achieve the same outcome - complete database compromise - without the need for code execution. For security teams, this reinforces the need for web application firewall (WAF) rules that can detect and block SQL injection patterns even before a patch is applied, and for database activity monitoring that flags anomalous query structures. Do not rely on patch-only defense for CMS core vulnerabilities; assume there will always be a gap between patch release and mass exploitation.