
HIGH: Drupal Core SQL Injection Hits CISA KEV as Imperva Logs 15,000 Attacks

CVE-2026-9082, a SQL injection flaw in Drupal core's database abstraction API, was added to the CISA Known Exploited Vulnerabilities catalog on May 22, 2026, less than 48 hours after patches were released. Imperva has logged over 15,000 attack attempts against roughly 6,000 sites across 65 countries, with PostgreSQL-backed gaming and financial services sites bearing the brunt. The bug enables privilege escalation and remote code execution.

By Danny Mercer, CISSP — Lead Security Analyst. May 25, 2026

If you run Drupal and you haven't patched in the last seventy-two hours, stop reading this and go do that first. Then come back, because what's happening with CVE-2026-9082 is the textbook example of how fast modern attackers operationalize a fresh disclosure.

The Cybersecurity and Infrastructure Security Agency added the vulnerability to its Known Exploited Vulnerabilities catalog on May 22, 2026, less than forty-eight hours after the Drupal Security Team released coordinated patches. That gap, the time between disclosure and exploitation at scale, used to be measured in weeks. Now it is measured in hours.

The flaw lives in Drupal's database abstraction API, the layer that translates Drupal's query builder into SQL for whatever backend the site happens to be running. CISA's advisory describes it bluntly, noting the bug could allow for privilege escalation and remote code execution via specially crafted requests sent with the database abstraction API. Translated out of regulator-speak, an unauthenticated attacker who can hit a vulnerable endpoint can potentially read or modify your database, escalate to administrator, and from there pivot to code execution on the host. The CVSS score sits at 6.5, which on paper looks moderate, but the practical impact when chained with Drupal's permission model leans much closer to critical territory.

Affected versions include everything below the patched releases of Drupal 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, and 10.4.10. Sites still running the legacy 9.5 or 8.9 branches need to apply manual patches, which Drupal has provided but which require operator intervention rather than the usual composer update. Anyone running a long-tail Drupal instance because it just works and nobody wants to touch it is exactly the kind of operator who is now in trouble.

Imperva's research team has been tracking the post-disclosure exploitation activity and the numbers are striking. Within days of the patch release, the company logged over fifteen thousand attack attempts targeting roughly six thousand distinct sites spread across sixty-five countries. Most of that traffic is what Imperva characterizes as probing rather than full compromise, attackers fingerprinting which sites are vulnerable before committing to the noisier business of data exfiltration or webshell deployment. About half of the observed activity concentrated on gaming and financial services targets, the kinds of sites that combine high transaction volume with rich user databases and tend to favor PostgreSQL backends. That last detail matters because attackers appear to be specifically tailoring their payloads for PostgreSQL-backed Drupal deployments, which suggests at least some of the threat actors have done their homework on the underlying bug class.

The mechanics of the vulnerability come down to how the database abstraction API handles certain crafted input when constructing queries. Drupal's query builder is normally one of the safer ORMs in PHP land, with parameterized queries baked into the design philosophy. The bug appears to be in an edge case where input flows through a code path that bypasses normal sanitization, allowing an attacker to inject arbitrary SQL fragments. The path from SQL injection to remote code execution in Drupal is well-trodden, typically through writing to the cache_config table or abusing the menu system to register a malicious route. Once an attacker has SQL write access to a Drupal site's database, achieving code execution is largely an exercise in patience.

CISA's binding operational directive gives Federal Civilian Executive Branch agencies until May 27, 2026 to patch or mitigate, but the deadline matters less than the signal. KEV additions are not theoretical. CISA only adds vulnerabilities to that catalog when it has reliable evidence of active exploitation in the wild, which means if your Drupal site is exposed to the internet and unpatched, the question is not whether someone will scan you but whether they already have.

For defenders, the patch is the first and only real fix. There is no clean workaround that does not break legitimate functionality, because the affected code is core to how Drupal interacts with its database on essentially every request. Web application firewall rules can buy a little breathing room by blocking obvious SQL injection patterns at the perimeter, and Imperva, Cloudflare, and Akamai have all published virtual patches that customers can enable. Those rules are stopgaps, not solutions. They will catch generic exploit traffic but will not necessarily defeat a determined attacker who tailors payloads to evade signature-based detection.

Detection is the other half of the equation. Anyone running Drupal should be scrutinizing webserver and application logs for unusual query parameters, particularly those containing SQL keywords like UNION, SELECT, or CONCAT in places they have no business appearing. Database logs showing unexpected queries against system tables or the users_field_data table deserve immediate attention. If you have application-layer monitoring on your Drupal stack, now is the time to actually look at the alerts your tools are generating rather than letting them accumulate in a dashboard nobody opens. Imperva's published indicators of compromise include several user-agent strings and request patterns associated with the current wave of probing, and those make reasonable starting points for hunting in existing log data.
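As an added example (not code from the article, and not Imperva's published indicators), the following Python scans combined-format access-log lines for the SQL keywords named above inside URL-decoded query parameters, including values that were percent-encoded more than once; the log lines, addresses and payloads are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/nginx "combined" access-log layout (regex constructed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# The SQL keywords the article singles out, matched as whole words, case-insensitively.
SQL_KEYWORDS = re.compile(r"\b(UNION|SELECT|CONCAT)\b", re.IGNORECASE)

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding: double-encoded probes slip past single-pass filters."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target):
    """Return (name, decoded value) pairs whose value contains a flagged keyword."""
    hits = []
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = fully_decode(raw)  # parse_qsl already removed one encoding layer
        if SQL_KEYWORDS.search(value):
            hits.append((name, value))
    return hits

def scan_log(lines):
    """One finding per request carrying a flagged parameter; unparsable lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (hits := suspicious_params(m["target"])):
            findings.append({"ip": m["ip"], "ts": m["ts"], "ua": m["ua"], "params": hits})
    return findings

# Constructed sample: a benign request, a plain probe and a double-encoded probe.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/May/2026:10:14:03 +0000] "GET /node/12?page=2 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [22/May/2026:10:14:07 +0000] "GET /search/node?keys=x%27%20UNION%20SELECT%201-- HTTP/1.1" 200 811 "-" "python-requests/2.31"',
    '198.51.100.9 - - [22/May/2026:10:14:09 +0000] "GET /user/login?destination=%2527%2520union%2520select%25201 HTTP/1.1" 403 0 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ts"], finding["ip"], finding["ua"], finding["params"])
```

Whole-word matching keeps parameter values such as "selection" out of the results, but expect some benign hits on sites whose forms legitimately submit those words; the finding records the user agent so it can be cross-checked against published indicators.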

Sites that find evidence of exploitation should assume database compromise as a baseline. That means rotating any credentials stored in the affected database, reviewing user accounts for unexpected administrators, and auditing any content or configuration changes made during the exposure window. Drupal's audit log capabilities are limited out of the box, so reconstructing what an attacker did often requires correlating database backups with webserver logs and hoping the operator was paranoid enough to keep both for long enough.

For anyone with longer memory in this space, the current situation echoes the original Drupalgeddon disclosure from 2014 and the Drupalgeddon2 sequel in 2018, both of which produced sustained exploitation campaigns that delivered cryptominers, webshells, and ransomware to thousands of unpatched sites. CVE-2026-9082 has not yet reached that level of weaponization, but the early indicators look familiar. Mass scanning is already in progress. Exploit code has been circulating in private channels since the patch dropped, and public proof-of-concept publication is generally a matter of days rather than weeks once researchers begin reverse engineering the official fix. Any defender who lived through the previous Drupal mass-exploitation events should recognize the pattern and act accordingly.

Hunting for post-exploitation activity requires a slightly different lens than blocking the initial injection. Common follow-on behaviors include the creation of new user accounts with administrative roles, modifications to the file_managed table that point to attacker-controlled paths, and additions to the menu_router table that register endpoints serving PHP code from unexpected locations. Reviewing recent changes to sites/default/files for new PHP files, particularly those with names that look randomly generated or that mimic legitimate Drupal core filenames, is another high-signal check. Any Drupal site that suddenly starts making outbound connections to unfamiliar hosts, especially over non-standard ports, deserves immediate investigation regardless of whether obvious injection attempts appear in the logs.
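An added example, not from the article: a Python hunt over a sites/default/files tree that reports every PHP file it finds and tags those modified within the exposure window, those named like Drupal's root-level PHP files, or those with random-looking names. The lookalike list, the name heuristic and the sample tree are constructed for the example.

```python
import os
import re
import tempfile
import time

# Root-level Drupal PHP filenames an attacker might imitate inside the files
# directory, where no core PHP should live (illustrative list, constructed here).
CORE_LOOKALIKES = {"index.php", "update.php", "autoload.php", "settings.php"}

def looks_random(stem):
    """Heuristic: a long token that is pure hex or nearly vowel-free reads as generated."""
    if len(stem) < 8:
        return False
    vowels = sum(ch in "aeiou" for ch in stem.lower())
    return re.fullmatch(r"[0-9a-f]+", stem.lower()) is not None or vowels / len(stem) < 0.2

def hunt_php_files(files_root, since_epoch):
    """Return (relative path, reasons) for every PHP file under files_root, sorted by path."""
    findings = []
    for dirpath, _, names in os.walk(files_root):
        for name in names:
            if not name.lower().endswith(".php"):  # also catches report.pdf.php
                continue
            full = os.path.join(dirpath, name)
            reasons = []
            if os.path.getmtime(full) >= since_epoch:
                reasons.append("modified in exposure window")
            if name.lower() in CORE_LOOKALIKES:
                reasons.append("mimics core filename")
            if looks_random(name[:-4]):
                reasons.append("random-looking name")
            findings.append((os.path.relpath(full, files_root), reasons))
    return sorted(findings)

def build_sample_tree():
    """Constructed fixture: fake files dir with one upload and three PHP files; returns (root, window start)."""
    root = tempfile.mkdtemp(prefix="drupal_files_")
    os.makedirs(os.path.join(root, "styles"))
    now, old = time.time(), time.time() - 30 * 86400
    samples = {
        "styles/photo.jpg": old,   # ordinary upload, ignored
        "a3f9c2e17b.php": now,     # fresh, hex-looking name
        "index.php": now,          # fresh, mimics a core filename
        "report.pdf.php": old,     # old double-extension PHP, still reported
    }
    for rel, mtime in samples.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<?php // placeholder\n")
        os.utime(path, (mtime, mtime))
    return root, now - 7 * 86400
```

Run it against a real files directory with since_epoch set to the start of the exposure window; an empty reasons list still means a PHP file is sitting where Drupal never writes one.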

The disclosure itself came through Drupal's coordinated security process rather than independent researcher publication, which is the one bit of good news in this story. That means the patches were ready before the public knew the bug existed, and operators who keep their Drupal installations on automatic security updates or who watch the security mailing list closely had the protection available before exploitation began. The operators getting hit right now are the ones who treat patching as a quarterly exercise or who have no monitoring on their CMS at all. That demographic, unfortunately, includes a substantial chunk of the long tail of Drupal sites that get deployed once and then largely forgotten until something breaks.

The broader lesson here is one the industry keeps relearning. Patch availability is not patch deployment, and the gap between the two is now small enough that traditional monthly maintenance windows are dangerous. Drupal in particular has a long tail of sites maintained by agencies, freelancers, and internal teams that update on a quarterly cadence at best. Every one of those sites is currently in the window where exploitation is trivial and detection is the operator's only line of defense.

For managed service providers, this is a conversation starter. Customers who run Drupal as part of their public web presence should be hearing from you this week, both with a status update on their current patch level and with a pitch for ongoing managed patching that closes the disclosure-to-deployment gap. The same conversation extends naturally into web application firewall coverage and managed detection services that can actually surface SQL injection attempts in time to matter. Selling reactive incident response to a customer whose Drupal site just got popped is far less profitable than selling the managed services that would have prevented it.
