Drupal Core CVE-2026-9082 exploitation

Summary

CVE-2026-9082 is a highly critical Drupal Core SQL-injection vulnerability added to CISA KEV on 2026-05-22. CISA states that Drupal Core contains a SQL injection issue that can allow privilege escalation and remote code execution via specially crafted requests sent through the database abstraction API. Akamai's technical analysis narrows the highest-risk exploit path to Drupal sites using PostgreSQL with JSON:API, Views exposed filters, Entity autocomplete endpoints, or similar routing/data pipelines that preserve attacker-controlled PHP array keys into EntityQuery conditions.

The durable threat-intelligence value is active-exploitation prioritization: PostgreSQL-backed Drupal 10/11 and older unsupported Drupal 8/9 deployments should be treated as urgent internet-facing application exposure when JSON:API or Views-style request paths are reachable.

Why this matters

  • Drupal remains common on internet-facing government, education, nonprofit, and enterprise sites, so a KEV-listed unauthenticated SQL-injection class bug is likely to attract fast scanning and opportunistic exploitation.
  • Akamai notes the exploit primitive is unusual because attacker-controlled PHP array keys, not just parameter values, can flow into database placeholder handling.
  • Successful exploitation can support authentication bypass, sensitive-data theft such as password-hash extraction, blind data extraction, privilege escalation, or follow-on code execution depending on site configuration.
  • Unsupported Drupal 8/9 branches are structurally exposed if they include the vulnerable PostgreSQL-backed code path and cannot rely on normal upstream support.

Operational characteristics

  • Affected stack: Drupal Core using PostgreSQL plus JSON:API, Views exposed filters, Entity autocomplete, or related routing/modules that preserve HTTP array keys into EntityQuery construction.
  • Parsing primitive: PHP request parsing lets attackers control array keys; Akamai reports those keys can reach the PostgreSQL driver condition-building path without adequate sanitization.
  • Potential outcomes: arbitrary SQL injection, subquery-based blind extraction, password-hash exposure, authentication bypass, privilege escalation, and remote code execution paths described by CISA/technical analysis.
  • Version scope: Akamai lists the supported Drupal 10 and 11 branches as affected, along with retired Drupal 10.x/11.x branches and legacy Drupal 8/9; Drupal 7 is structurally different and does not include JSON:API in core.
  • Exploitation status: CISA added CVE-2026-9082 to KEV on 2026-05-22 with a 2026-05-27 remediation due date for covered federal agencies.

Defender heuristics

  • Prioritize emergency patching or isolation for internet-facing Drupal sites backed by PostgreSQL, especially those exposing JSON:API, Views exposed filters, or Entity autocomplete endpoints.
  • Search web logs and WAF telemetry for unusual nested query parameters, encoded array-key payloads, JSON:API filter abuse, anomalous SQL syntax in parameter names, and repeated blind-extraction timing patterns.
  • Review Drupal user/admin changes, role grants, configuration edits, new modules/themes, suspicious PHP files, and unexpected cron or web-shell artifacts after any suspected exploit window.
  • Rotate Drupal admin credentials and database credentials after confirmed exploitation; preserve access logs, WAF events, Drupal watchdog logs, database logs, and filesystem mtimes first.
  • Keep WAF SQL-injection rules in block mode as a compensating control, but do not treat WAF coverage as a substitute for applying Drupal Core patches.
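An added example of the log-review heuristic above, not part of the advisory or any vendor tooling: it decodes the query string from each access-log request line, splits PHP-style parameter names into their bracketed array keys, and flags any key that falls outside an identifier-style allowlist, because the point of this bug is that the attacker-controlled input is the array key rather than the value. The sample log lines and the allowlist pattern are constructed assumptions and should be tuned to the site's real JSON:API and Views parameter names.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines in combined log format (not from a real incident).
# Line 1 is ordinary JSON:API traffic; lines 2 and 3 carry array keys that
# contain SQL syntax characters, which is the anomaly the advisory says to hunt.
SAMPLE_LOG = r"""
203.0.113.10 - - [22/May/2026:10:01:02 +0000] "GET /jsonapi/node/article?filter[status][value]=1&page[limit]=10 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.10 - - [22/May/2026:10:01:03 +0000] "GET /jsonapi/node/article?filter[a'b][value]=1 HTTP/1.1" 400 201 "-" "python-requests/2.31"
198.51.100.7 - - [22/May/2026:10:01:05 +0000] "GET /views/ajax?title%5B%3B--%5D=x HTTP/1.1" 200 0 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)
BRACKET_KEY_RE = re.compile(r"\[([^\]]*)\]")
# Assumed allowlist: Drupal field names, JSON:API filter keys and paths such as
# uid.name consist of word characters, dots and hyphens. An empty key ([]) is allowed.
SAFE_KEY_RE = re.compile(r"^[\w.\-]*$")


def parse_keys(name):
    """Split a decoded PHP-style parameter name into its base and array keys.

    'filter[uid.name][value]' -> ['filter', 'uid.name', 'value']
    """
    base = name.split("[", 1)[0]
    return [base] + BRACKET_KEY_RE.findall(name)


def scan_log(text):
    """Return one finding per parameter-name key that fails the allowlist."""
    findings = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        parts = urlsplit(m["target"])
        for param in parts.query.split("&"):
            if not param:
                continue
            # The name is decoded first so encoded brackets (%5B/%5D) are seen.
            name = unquote_plus(param.split("=", 1)[0])
            for key in parse_keys(name):
                if not SAFE_KEY_RE.match(key):
                    findings.append({"ip": m["ip"], "ts": m["ts"], "path": parts.path,
                                     "param": name, "key": key})
    return findings


def findings_per_client(findings):
    """Count anomalous requests per source IP; repeated hits hint at blind extraction."""
    return Counter(f["ip"] for f in findings)
```

Run `scan_log` over an exported access log and review `findings_per_client` for sources with many hits in a short window; a single malformed key is often a bug in a legitimate client, while dozens from one IP are worth escalating.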

Sources

  • CISA KEV catalog: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
  • Drupal security advisory: https://www.drupal.org/sa-core-2026-004
  • Akamai Security Research: https://www.akamai.com/blog/security-research/cve-2026-9082-mitigating-critical-sql-injection-drupal
  • CVE record: https://www.cve.org/CVERecord?id=CVE-2026-9082