
What is CVE-2026-9082?
CVE-2026-9082 is an unauthenticated SQL injection vulnerability in Drupal core's database abstraction API, in the path that handles EntityQuery conditions against PostgreSQL backends. User-controllable PHP array keys reach SQL placeholder construction without sanitization, letting a remote attacker inject arbitrary SQL by sending crafted HTTP requests to a vulnerable site.
The vulnerability carries a CVSS v3.1 base score of 6.5 (Medium) per NVD. Drupal's own scoring rates the flaw 20/25 ("Highly Critical") in the original advisory SA-CORE-2026-004, and the advisory was later updated to 23/25 once exploit attempts began appearing in the wild.
The gap between the two scores reflects what the CVSS base does not capture: anonymous reachability, the operational cost of a compromised CMS database, and the privilege-escalation pivots available once arbitrary SQL is reachable.
No authentication is required. Successful exploitation grants the attacker read and write access to the Drupal database, which is enough on its own to exfiltrate session tokens and password hashes, alter content, or promote standard accounts to administrator. Where the PostgreSQL service runs with elevated privileges, COPY FROM PROGRAM opens a direct path to shell execution on the underlying host, turning the SQL injection into remote code execution.
CISA added CVE-2026-9082 to the Known Exploited Vulnerabilities catalog on May 22, 2026, two days after the patch released. Imperva reported attacker activity targeting the flaw within 48 hours of disclosure.
What assets are affected by CVE-2026-9082?
The vulnerability affects Drupal core versions 8.9.0 through 11.3.9 when running on a PostgreSQL backend. Sites on MySQL, MariaDB, or SQLite are not affected by this specific issue, because the flawed code path is in the PostgreSQL driver's handling of structural query components. Drupal 7 is not affected.
In practice, an affected asset is an internet-facing Drupal site running an unpatched 8.x, 9.x, 10.x, or 11.x branch with PostgreSQL behind it. These deployments are common in higher education, government, media, and large enterprise communications properties.
Drupal's content-modeling flexibility tends to win out in those environments, and PostgreSQL is often the institutional database standard. Many such sites run for years between major version upgrades, and many sit behind partner agencies, acquired brands, or campaign microsites that the central security team does not own.
Drupal estimates that under 5 percent of installations run on PostgreSQL. Across the hundreds of thousands of public Drupal sites, that still leaves thousands of internet-reachable targets, concentrated in the segments where Drupal adoption is strongest.
What does our data show about exposure patterns?

Exposure in this set is led by Consumer Staples at 31.7% of observed assets, with Industrials contributing 23.7%. Communication Services accounts for another 9.6%, and the long tail across the remaining sectors makes up the rest.
The Consumer Staples concentration tracks a specific operational pattern: large food, beverage, and household-goods companies run sprawling portfolios of brand, regional, and campaign sites, many of them inherited through acquisition and maintained by external agencies on whatever stack the agency knows.
Drupal is a frequent choice for these properties, and the sites tend to outlive the campaigns that produced them. Industrials shows a similar shape for a different reason. Investor relations sites, customer portals, and subsidiary microsites accumulate across business units, and central IT often has limited visibility into what each unit is actually running.
The cross-sector pattern points to the same underlying driver in every case: forgotten infrastructure. Affected assets are rarely the flagship corporate site. They are the brand site no one remembers commissioning, the localized property that survived a market exit, the legacy portal that quietly stayed online after the team that owned it was reorganized.
The PostgreSQL-only nature of this flaw also means defenders cannot rely on a single vendor inventory to find their exposure. Sites need to be discovered, fingerprinted to the level of database driver, and matched to a specific Drupal branch. That is hard to do from an internal asset list.
Are fixes available?
Patches are available. Drupal released fixes across all six supported branches on May 20: 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, and 11.3.10. The security team also published exceptional patches for the end-of-life 8.9 and 9.5 branches, given the severity and the volume of legacy installations.
The advisory recommends upgrading to the patched release matching the current branch (11.3.x to 11.3.10, 11.2.x to 11.2.12, 11.1.x or 11.0.x to 11.1.10, 10.6.x to 10.6.9, 10.5.x to 10.5.10, 10.4.x or earlier to 10.4.10). Drupal 8 and 9 sites should treat the exceptional patches as a stopgap rather than a long-term position, because other unpatched issues remain in those branches.
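The branch-to-release mapping above, as an added triage helper (example code written for this page, not from Drupal or the advisory). It shows why a plain range check against 8.9.0 through 11.3.9 is not enough: 10.6.9 falls inside that range but is already fixed. The function name, status labels and accepted driver spellings are assumptions.

```python
import re

# Fixed patch level per supported branch, from the release list above.
FIXED = {(10, 4): 10, (10, 5): 10, (10, 6): 9,
         (11, 1): 10, (11, 2): 12, (11, 3): 10}
PG_DRIVERS = {"pgsql", "postgres", "postgresql"}  # accepted spellings (assumption)


def triage(version, db_driver):
    """Return (status, action); status is one of
    'not_affected', 'patched', 'vulnerable', 'verify'."""
    if db_driver.strip().lower() not in PG_DRIVERS:
        return ("not_affected", "backend is not PostgreSQL")
    # Drupal 7 uses two-part versions, so the patch component is optional.
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        return ("verify", "unparseable version string")
    major, minor, patch = (int(g or 0) for g in m.groups())
    if (major, minor, patch) < (8, 9, 0):
        return ("not_affected", "below the affected range")
    if major in (8, 9):
        # The page gives no version numbers for the exceptional 8.9/9.5 patches,
        # so the version string alone cannot prove these sites are fixed.
        return ("verify", "EOL branch: confirm the exceptional patch is applied")
    if major == 10:
        branch = (10, max(minor, 4))   # 10.4.x or earlier -> 10.4.10
    elif major == 11:
        branch = (11, max(minor, 1))   # 11.0.x -> 11.1.10
    else:
        branch = (major, minor)
    if branch not in FIXED:
        return ("verify", "branch not covered by the advisory text")
    target = "%d.%d.%d" % (branch + (FIXED[branch],))
    if minor == branch[1] and patch >= FIXED[branch]:
        return ("patched", "at or above " + target)
    return ("vulnerable", "upgrade to " + target)
```
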
Managed Drupal platforms have varied in their response. Pantheon, for example, applied a platform-level mitigation before public disclosure as part of the Drupal Steward program, and does not deploy PostgreSQL for its hosted sites. Defenders should verify patch status directly with their hosting provider rather than assume any specific platform-level fix is in place.
Are there any other recommended actions to take?
Until patching is confirmed, defenders should:
- Inventory all Drupal sites and identify the ones running on PostgreSQL
- Restrict anonymous access to vulnerable endpoints at the WAF layer
- Monitor PostgreSQL logs for unexpected query patterns, including any use of COPY FROM PROGRAM
- Audit recent user-role changes for unauthorized administrator promotions
- Drop database service privileges to the minimum needed for normal operation
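One way to implement the log-monitoring item, as an added example that is not from the original page. It assumes statements reach the server log (through log_statement or as failed statements) and a log_line_prefix of '%m [%p] %u@%d '; it also flags COPY ... TO PROGRAM, which runs a server-side command the same way. Multi-line statements are regrouped first, because PostgreSQL writes continuation lines with a leading tab and a line-by-line grep misses a COPY split across lines.

```python
import re

# Start of a log entry under the assumed log_line_prefix '%m [%p] %u@%d '.
ENTRY = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d(?:\.\d+)? \S+) "
    r"\[(?P<pid>\d+)\] (?P<user>[^@\s]*)@(?P<db>\S*) "
    r"(?P<level>[A-Z]+):\s+(?P<msg>.*)$")
COPY_PROGRAM = re.compile(r"\bCOPY\b.*?\b(?:FROM|TO)\s+PROGRAM\b", re.I | re.S)


def entries(lines):
    """Group physical lines into log entries (continuation lines start with a tab)."""
    current = None
    for line in lines:
        m = ENTRY.match(line)
        if m:
            if current:
                yield current
            current = m.groupdict()
        elif current and line.startswith("\t"):
            current["msg"] += "\n" + line.strip()
    if current:
        yield current


def find_copy_program(lines):
    """Return (timestamp, db user, database) for each entry using COPY ... PROGRAM."""
    return [(e["ts"], e["user"], e["db"]) for e in entries(lines)
            if COPY_PROGRAM.search(e["msg"])]


# Constructed sample log lines, not taken from a real incident.
SAMPLE = [
    "2026-05-21 10:02:11.101 UTC [4121] drupal@drupal LOG:  statement: SELECT 1",
    "2026-05-21 10:02:12.440 UTC [4121] drupal@drupal LOG:  statement: COPY tmp_import",
    "\tFROM PROGRAM '<command redacted>'",
    "2026-05-21 10:02:13.007 UTC [4122] drupal@drupal ERROR:  must be superuser or a "
    "member of the pg_execute_server_program role to COPY to or from an external program",
    "2026-05-21 10:02:13.007 UTC [4122] drupal@drupal STATEMENT:  copy t from program "
    "'<command redacted>'",
    "2026-05-21 10:02:14.900 UTC [4130] backup@drupal LOG:  statement: COPY node TO STDOUT",
]

if __name__ == "__main__":
    for hit in find_copy_program(SAMPLE):
        print("COPY ... PROGRAM seen:", hit)
```

A hit from the web application's database role is worth investigating in either form: the successful statement, or the STATEMENT line that follows a privilege error.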
How can CyCognito help your organization?
CyCognito published an Emerging Threat Advisory for CVE-2026-9082 in the CyCognito platform and is actively researching enhanced detection capabilities for this vulnerability.
To learn how CyCognito can help your organization reduce external exposure and manage emerging threats more effectively, contact us to request a demo.