Drupal hit by active SQL injection

- Drupal released a patch for a critical SQL-injection flaw that began being exploited in the wild within 48 hours of the patch.
- Security Affairs described the issue as CVE-2026-9082 and said attackers started active exploitation almost immediately after public disclosure and the patch release.
- The fast exploitation compresses the remediation window for internet-facing CMS deployments and puts pressure on architecture-level patching and compensating controls. (securityaffairs.com)

1/ Drupal’s May 20 advisory for CVE-2026-9082 is a reminder that the patch window for internet-facing software can collapse almost immediately. Drupal said exploits might be developed “within hours or days” before releasing fixes; by May 22 it updated the advisory to say exploit attempts were being detected in the wild. (drupal.org)

2/ The flaw is in Drupal core’s database abstraction API and affects sites using PostgreSQL. Drupal said a specially crafted request can trigger arbitrary SQL injection, and that anonymous users can exploit it. The project warned the issue can lead to information disclosure and, in some cases, privilege escalation, remote code execution or other attacks. (drupal.org)

3/ The scope matters. Drupal’s advisory says affected versions span multiple supported and unsupported branches: 10.4.x before 10.4.10, 10.5.x before 10.5.10, 10.6.x before 10.6.9, 11.0.x and 11.1.x before 11.1.10, 11.2.x before 11.2.12, and 11.3.x before 11.3.10. Drupal 8.9 and 9.5 received best-effort patches even though those lines are end-of-life. (drupal.org)

4/ The narrowest technical point is also the most important one operationally: this is not “all Drupal sites.” Drupal said the SQL injection issue only affects sites using PostgreSQL, though the coordinated releases also bundled security updates for Symfony and Twig that Drupal recommended all sites install. (drupal.org)

5/ Akamai said the exploit path is tied to how PHP array keys are parsed and then passed into Drupal’s PostgreSQL driver. Its researchers said the exposure primarily affects PostgreSQL-backed environments that use JSON:API core, Views exposed filters, or Entity autocomplete endpoints. That is a vendor analysis, not Drupal’s own exploitability matrix, but it gives defenders a sharper triage path than “patch everything later.” (akamai.com)

6/ The speed of follow-on action was also notable. CISA added CVE-2026-9082 to its Known Exploited Vulnerabilities catalog on May 22, citing evidence of active exploitation, and the catalog entry lists a remediation due date of May 27 for federal civilian agencies. (cisa.gov)

7/ That sequence — pre-announcement on May 18, fixes on May 20, in-the-wild exploitation noted on May 22, KEV listing the same day — is the story. It shows how little separation there now is between disclosure, patch release and attacker use for exposed web software. (drupal.org)

8/ Drupal’s own language was unusually direct before release. The security team told users to reserve time during the May 20 release window because “exploits might be developed within hours or days,” and said mitigation information would be included in the advisory. That is effectively a warning that standard maintenance cycles may be too slow for some classes of web exposure. (drupal.org)

9/ The practical lesson for defenders is straightforward. If you run Drupal on PostgreSQL, patch first and ask architecture questions second; if you cannot patch immediately, move to compensating controls around the affected application paths, tighten monitoring, and confirm whether exposed features such as JSON:API or Views filters are in use. Drupal and Akamai both point administrators to the official advisory and patched releases as the immediate response path. (drupal.org)

10/ The patched targets Drupal named are 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10 and 10.4.10, with manual patch guidance for 9.5 and 8.9. For federal agencies, CISA’s KEV entry sets May 27, 2026 as the action date. (drupal.org)
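Points 3, 4, 9 and 10 together give a defender everything needed to triage a fleet: the affected version ranges, the PostgreSQL-only condition, and the patched targets. The script below is an added example (not Drupal's or Akamai's tooling) that encodes exactly those ranges and sorts an inventory so PostgreSQL-backed sites below the fixed release come out first. The hostnames and versions in `SAMPLE_INVENTORY` are constructed, and the set of driver spellings treated as PostgreSQL is an assumption about how an inventory might record the backend.

```python
"""Fleet triage for the CVE-2026-9082 version ranges named in Drupal's advisory.

The range and fixed-release data below is transcribed from the advisory text quoted
in the briefing; the helper itself is an added example, not Drupal tooling.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Supported branches: a site below the listed release on its branch is affected.
FIXED_RELEASES = {
    (10, 4): (10, 4, 10),
    (10, 5): (10, 5, 10),
    (10, 6): (10, 6, 9),
    (11, 1): (11, 1, 10),
    (11, 2): (11, 2, 12),
    (11, 3): (11, 3, 10),
}
# The advisory lists "11.0.x and 11.1.x before 11.1.10": every 11.0.x release is
# affected and the fix is to move to 11.1.10.
BRANCH_UPGRADES = {(11, 0): (11, 1, 10)}
# End-of-life branches that received best-effort patches with manual guidance.
EOL_BEST_EFFORT = {(8, 9), (9, 5)}
# Driver names treated as PostgreSQL (assumption: Drupal's pgsql key plus common
# spellings an inventory might use).
POSTGRES_DRIVERS = {"pgsql", "postgresql", "postgres"}


@dataclass(frozen=True)
class Assessment:
    version: str
    branch_known: bool        # False for branches the advisory does not name
    core_affected: bool       # version is below the fixed release for its branch
    eol_branch: bool          # 8.9 / 9.5: best-effort patch, manual guidance
    sqli_exposed: bool        # core_affected AND PostgreSQL backend
    target_release: Optional[str]
    action: str


def parse_version(text: str) -> Version:
    """Parse '10.4.9' (optionally with a '-dev' or '-rc1' suffix) into a 3-tuple."""
    core = text.strip().split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Drupal core version: {text!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def assess(version: str, db_driver: str) -> Assessment:
    """Classify one site by core version and database driver."""
    v = parse_version(version)
    branch = (v[0], v[1])
    on_postgres = db_driver.strip().lower() in POSTGRES_DRIVERS

    if branch in FIXED_RELEASES:
        fixed = FIXED_RELEASES[branch]
        affected, target, eol = v < fixed, fmt(fixed), False
    elif branch in BRANCH_UPGRADES:
        affected, target, eol = True, fmt(BRANCH_UPGRADES[branch]), False
    elif branch in EOL_BEST_EFFORT:
        affected, target, eol = True, None, True
    else:
        # Not named in the advisory: report unknown rather than assume safe.
        return Assessment(version, False, False, False, False, None,
                          "branch not covered by the advisory; verify support status manually")

    fix = f"update to {target}" if target else "apply Drupal's manual patch guidance"
    if not affected:
        action = "no action required for CVE-2026-9082"
    elif on_postgres:
        action = (f"URGENT: SQL injection reachable by anonymous users; {fix} now; "
                  "until then add compensating controls and check whether JSON:API "
                  "or Views exposed filters are in use")
    else:
        action = f"SQL injection does not apply (not PostgreSQL); {fix} for the bundled Symfony/Twig fixes"
    return Assessment(version, True, affected, eol, affected and on_postgres, target, action)


# Constructed inventory: hostnames, versions and drivers are made up for the example.
SAMPLE_INVENTORY = [
    ("intranet.example.test", "11.2.11", "pgsql"),
    ("www.example.test", "11.3.10", "pgsql"),
    ("legacy.example.test", "9.5.11", "postgresql"),
    ("blog.example.test", "10.5.4", "mysql"),
    ("pilot.example.test", "11.0.5", "pgsql"),
]


def triage(inventory) -> List[Tuple[str, Assessment]]:
    """Return (host, assessment) pairs: SQLi-exposed first, then other affected sites."""
    rows = [(host, assess(ver, drv)) for host, ver, drv in inventory]
    rows.sort(key=lambda r: (not r[1].sqli_exposed, not r[1].core_affected, r[0]))
    return rows


if __name__ == "__main__":
    for host, a in triage(SAMPLE_INVENTORY):
        print(f"{host:24} {a.version:8} exposed={a.sqli_exposed!s:5} -> {a.action}")
```

Branches the advisory does not name (for example an older 9.x line) are reported as unknown rather than safe, since the page only says which branches received fixes; sites on a non-PostgreSQL backend still get the bundled Symfony and Twig updates flagged, matching point 4.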

Shared from Scout.