CVE-2026-9082 is an SQL injection vulnerability discovered in Drupal's database abstraction API affecting PostgreSQL-powered sites. It can be exploited without authentication via specially crafted requests, enabling attackers to execute arbitrary SQL commands. The vulnerability was publicly disclosed and patched by the Drupal security team after detection of active exploitation attempts. Over 15,000 attacks targeting nearly 6,000 sites across 65 countries have been observed, primarily against gaming and financial services websites. CISA has added this vulnerability to its KEV Catalog and issued a Binding Operational Directive requiring U.S. federal agencies to patch by May 27, 2026. The vulnerability poses risks including data leakage, privilege escalation, and remote code execution.

The vulnerability enables unauthenticated attackers to perform arbitrary SQL injection on PostgreSQL-backed Drupal sites, potentially leading to information disclosure, privilege escalation, and remote code execution. Active exploitation attempts have been confirmed in the wild, with significant attack volume targeting thousands of sites globally. The vulnerability affects large organizations including government, educational, and enterprise sectors. Unpatched instances remain exposed, particularly in North America and Europe, increasing risk of compromise.

Patches for CVE-2026-9082 have been released by the Drupal security team and should be applied immediately. CISA has mandated U.S. federal agencies to patch by May 27, 2026, under Binding Operational Directive 22-01. Organizations outside the federal government are strongly urged to apply the patches promptly to reduce exposure. If patches cannot be applied, follow any vendor-provided mitigations or consider discontinuing use of affected Drupal versions. Monitoring vendor advisories for updates is recommended. No indication of 'no action required' or pre-mitigation status was provided.