CVE-2026-9082: Drupal Core SQL Injection Bug Added to CISA KEV

Executive Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-9082 — a critical-severity SQL injection vulnerability in Drupal Core — to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. The flaw, which carries a CVSS score of 6.5, affects all supported versions of Drupal Core. Federal civilian executive branch agencies are required to apply the vendor-supplied patch by June 12, 2026, under Binding Operational Directive (BOD) 22-01. Organizations running Drupal should treat this as a high-priority remediation target.

Technical Analysis

CVE-2026-9082 is an SQL injection vulnerability residing in Drupal Core's database abstraction layer. According to the Drupal Security Team advisory, the flaw allows an attacker to inject arbitrary SQL queries through crafted input passed to certain database API functions. The vulnerability exists because user-supplied data is not properly sanitized before being incorporated into SQL statements, enabling an unauthenticated remote attacker to execute arbitrary SQL commands against the underlying database.

The Drupal project released a security update on May 20, 2026, covering Drupal 7.x, 9.x, 10.x, and 11.x. The patch modifies the database abstraction layer to enforce parameterized queries, effectively neutralizing the injection vector. The advisory notes that sites running Drupal 7 with contributed modules that directly call db_query() or similar functions may require additional updates, as the core patch only addresses the vulnerability in the standard API.

CISA's addition to the KEV catalog on May 22, 2026, followed reports of active exploitation targeting unpatched Drupal instances. The agency did not disclose specific threat actor attribution or campaign details, but the inclusion signals that exploitation is widespread enough to warrant mandatory federal action. The Hacker News reported that the vulnerability was initially discovered by a member of the Drupal Security Team during internal code review, and no public proof-of-concept exploit was released prior to the patch.

Mitigations & Recommendations

Defenders should immediately apply the Drupal core security update released on May 20, 2026. The update is available through the Drupal project's official release channels and can be installed via the standard update mechanism. Sites running Drupal 7 should verify compatibility with contributed modules before applying the patch, as the core fix may introduce breaking changes for custom database queries.

For organizations unable to patch immediately, network-layer mitigations should be prioritized. Web application firewalls (WAFs) can be configured with rules to block SQL injection patterns targeting Drupal endpoints. Additionally, database accounts used by Drupal should be restricted to the minimum necessary privileges — specifically, the SELECT, INSERT, UPDATE, and DELETE permissions on the Drupal database, with CREATE and ALTER privileges removed unless required for module installation. Monitoring database query logs for anomalous UNION, SELECT *, or OR 1=1 patterns can aid in detecting exploitation attempts.

Federal agencies subject to BOD 22-01 must remediate by June 12, 2026. All other organizations should treat this as a critical patch cycle, given the confirmed active exploitation and the potential for data exfiltration or database compromise.