Background
Drupal powers millions of websites worldwide, including government portals, financial platforms, media outlets, and enterprise CMS deployments. On May 20, 2026, the Drupal Security Team published SA-CORE-2026-004, disclosing a highly critical SQL injection vulnerability in Drupal core affecting sites running a PostgreSQL database backend. The flaw, tracked as CVE-2026-9082, requires no authentication and can be triggered remotely through publicly reachable Drupal endpoints.
Within 48 hours of the patch release, CISA added CVE-2026-9082 to its Known Exploited Vulnerabilities (KEV) catalog, while threat intelligence from Imperva recorded more than 15,000 exploitation attempts targeting nearly 6,000 individual sites across 65 countries.
Root Cause
The vulnerability exists in Drupal’s PostgreSQL-specific query handling logic. Under certain conditions, Drupal improperly processes attacker-controlled input while constructing database queries. This flaw allows malicious users to interfere with how SQL queries are interpreted by PostgreSQL, resulting in a classic SQL injection vulnerability.
Importantly, the issue only affects Drupal deployments using PostgreSQL. Sites running MySQL, MariaDB, or SQLite are not impacted because the vulnerable code path is specific to Drupal’s PostgreSQL implementation.
Two Independent Attack Vectors
Researchers identified two separate unauthenticated paths that can trigger the vulnerability.
1. GET /jsonapi/node/<type>?filter[…][value][<KEY>]=x
2. POST /user/login?_format=json
The first vector requires JSON:API to be enabled (enabled by default on Drupal 9+) and at least one content node of the targeted type to exist.
The second vector targets Drupal’s login endpoint and does not require existing site content. It may work even on fresh Drupal installations. Researchers demonstrated that attackers could use differences in server responses to confirm the vulnerability and potentially extract sensitive information from the database.
Successful exploitation may allow attackers to:
- Confirm vulnerable PostgreSQL-backed Drupal deployments
- Extract administrator usernames and password hashes
- Access sensitive application data
- Manipulate session or authentication-related information
- Potentially gain administrative control of the site
Detection with RidgeBot
RidgeBot automatically detects CVE-2026-9082 without requiring manual configuration.


Remediation
Patch immediately. Updating Drupal core is the only complete remediation.
| Action | Detail |
| --- | --- |
| Update Drupal core | Apply the patched version for your supported branch |
| Verify your database backend | Confirm whether PostgreSQL is in use |
| Review logs for suspicious activity | Watch for unusual requests to /jsonapi/ or /user/login?_format=json |
| Deploy WAF protections | Block suspicious SQL-related request patterns |
| Monitor authentication-related errors | Repeated server errors may indicate exploitation attempts |
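
The log-review and error-monitoring rows above can be turned into a first-pass triage script. This is an added example, not code from the advisory or from RidgeBot; it assumes web server access logs in Combined Log Format, and the rule names, the 5xx threshold and the sample lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Query parameter named filter[...][value][KEY]; KEY is captured.
KEYED_VALUE_RE = re.compile(r'^filter(?:\[[^\]]*\])*\[value\]\[([^\]]*)\]')
LOGIN_5XX_THRESHOLD = 3  # assumed value; tune to your own traffic

def scan(lines):
    """Return (client_ip, rule) pairs for requests worth a closer look."""
    findings, login_errors = [], Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, target, status = m[1], m[2], m[3], int(m[4])
        url = urlsplit(target)
        params = parse_qsl(url.query, keep_blank_values=True)  # percent-decodes
        if method == "GET" and url.path.startswith("/jsonapi/node/"):
            for name, _ in params:
                k = KEYED_VALUE_RE.match(name)
                # Assumption: [] and numeric indexes are ordinary multi-value
                # filters; a named key under [value] is the shape to review.
                if k and k[1] and not k[1].isdigit():
                    findings.append((ip, "jsonapi-keyed-filter-value"))
                    break
        elif (method == "POST" and url.path == "/user/login"
              and ("_format", "json") in params and status >= 500):
            login_errors[ip] += 1
    findings += [(ip, "login-json-repeated-5xx")
                 for ip, n in login_errors.items() if n >= LOGIN_5XX_THRESHOLD]
    return findings

TS = "[21/May/2026:10:00:00 +0000]"  # constructed timestamp
SAMPLE = [  # constructed log lines, documentation-range addresses
    f'192.0.2.10 - - {TS} "GET /jsonapi/node/article?filter%5Bf%5D%5Bvalue%5D%5BKEY%5D=x HTTP/1.1" 500 312',
    f'192.0.2.11 - - {TS} "GET /jsonapi/node/article?filter[f][value][0]=a HTTP/1.1" 200 901',
    *[f'198.51.100.7 - - {TS} "POST /user/login?_format=json HTTP/1.1" 500 87'] * 3,
    f'203.0.113.5 - - {TS} "POST /user/login?_format=json HTTP/1.1" 400 64',
]

if __name__ == "__main__":
    for ip, rule in scan(SAMPLE):
        print(ip, rule)
```

A hit is a lead for review, not proof of compromise; POST bodies are not in access logs, so the login rule relies only on the repeated server errors the table mentions.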
Summary
CVE-2026-9082 is a highly dangerous unauthenticated SQL injection vulnerability affecting PostgreSQL-backed Drupal deployments. The combination of public exploit availability, active exploitation, and internet-exposed attack surfaces makes this an urgent patching priority for affected organizations.
With active exploitation already underway and CISA KEV inclusion confirmed, organizations running PostgreSQL-backed Drupal deployments should treat this vulnerability as an immediate priority. Patch affected systems, validate exposure, and closely monitor for exploitation activity.
RidgeBot provides automated detection coverage for CVE-2026-9082. To validate your Drupal deployments, request a demo.
