Drupal Core CVE-2026-9082: KEV SQL Injection Exposure

Suspected
Discovered May 26, 2026

CISA added Drupal Core CVE-2026-9082 to KEV on 2026-05-22. The exploitable surface is PostgreSQL-backed Drupal Core in affected 8.9.x, 10.x, and 11.x ranges; this article provides composer, settings, and telemetry scripts for exposure and closure.

0
Affected Packages
0
Observables
3
Sources

Defender Action Panel

Triage this incident quickly

Check whether your environment installed affected software, copy the top IOCs, run the tested hunting script when available, then review remediation guidance.

Am I affected?
Review affected software below
Immediate action
Audit locks, CI runners, developer workstations, and credential exposure.
Hunting
Has hunting script

Analysis

Executive Summary

CISA added CVE-2026-9082 to KEV on 2026-05-22 with a due date of 2026-05-27 CISA KEV opens in a new tab. Drupal's advisory maps the vulnerable surface to Drupal Core's database abstraction API when object input reaches multi-value IN conditions, with PostgreSQL-backed deployments the relevant database scope Drupal opens in a new tab.

Drupal updated its advisory on 2026-05-22 at 04:30 UTC to state that exploit attempts were being detected in the wild, and CISA added the issue to KEV the same day Drupal opens in a new tab CISA KEV opens in a new tab. Public primary sources do not establish a pre-disclosure exploitation start time.

Key Facts

Cve: CVE-2026-9082

Vendor: Drupal

Product: Core

Kev Added: 2026-05-22

Kev Due: 2026-05-27

Kev Catalog Version: 2026.05.22

Vulnerability: SQL injection in Drupal Core database abstraction API

Cwe:

  • CWE-89

Database Scope: PostgreSQL-backed Drupal Core deployments

Affected Versions:

  • 8.9.0 <= Drupal < 10.4.10
  • 10.5.0 <= Drupal < 10.5.10
  • 10.6.0 <= Drupal < 10.6.9
  • 11.0.0 <= Drupal < 11.1.10
  • 11.2.0 <= Drupal < 11.2.12
  • 11.3.0 <= Drupal < 11.3.10

Fixed Versions:

  • 10.4.10
  • 10.5.10
  • 10.6.9
  • 11.1.10
  • 11.2.12
  • 11.3.10

Nvd Cvss V31: 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Exploitation Status: cisa_kev_exploited

Zero Day Status: unproven_from_public_primary_sources

Last Verified: 2026-06-10

Evidence Assessment

  • confirmed: CISA KEV lists CVE-2026-9082 as a known exploited vulnerability added on 2026-05-22 CISA KEV opens in a new tab.
  • confirmed: Drupal SA-CORE-2026-004 lists the affected Core version ranges and fixed releases Drupal opens in a new tab.
  • confirmed: Drupal updated the advisory on 2026-05-22 at 04:30 UTC because exploit attempts were being detected in the wild Drupal opens in a new tab.
  • confirmed: NVD lists CWE-89 and CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N for CVE-2026-9082 NVD opens in a new tab.
  • unclear: Public primary sources do not provide a universal vulnerable route or a verified pre-patch exploitation start time.

Impact Determination

Analysis table
ClassificationCriteriaRequired evidenceRemediation triggerClosure condition
Confirmed compromiseDrupal telemetry, database telemetry, or host telemetry shows exploitation selectors tied to a vulnerable PostgreSQL-backed Drupal Core version.Affected Drupal version, PostgreSQL driver evidence, timestamped telemetry line, and host/site identity.Preserve Drupal files, database audit output, and web/proxy telemetry for the affected site.Fixed Drupal Core version is installed and downstream audit script has no unexplained privileged account, file-write, or database activity.
Presumed exposedDrupal Core is in an affected range and the site uses PostgreSQL.composer.lock or composer show output plus settings evidence for pgsql or PostgreSQL.Treat the site as exposed until fixed-version verification succeeds.Script output shows a listed fixed release or an unaffected non-PostgreSQL deployment.
Potentially exposedDrupal Core appears in source, lockfiles, CMDB, or scanner exports, but version or database driver is missing.Repository, asset, scanner, or deployment evidence naming drupal/core or CVE-2026-9082.Collect version and database driver evidence.Asset resolves to confirmed compromise, presumed exposed, not exposed, or unknown.
Not exposedNo Drupal Core selector, affected version, PostgreSQL selector, or CVE-2026-9082 scanner row appears in complete asset exports.Negative outputs from repository and scanner scripts.None for this CVE.Evidence bundle covers production, staging, CI images, and source lockfiles.
UnknownVersion, database driver, or telemetry exports are unavailable.Gap statement naming the unavailable inventory or telemetry.Keep internet-facing Drupal assets in scope until the missing evidence is recovered.Evidence is recovered or the risk owner accepts the named gap.

What Happened

The vulnerability is in Drupal Core's database abstraction behavior, not in a single universal URL path. The useful scoping anchors are exact Core versions, PostgreSQL use, the SA-CORE-2026-004 advisory ID, and scanner rows for CVE-2026-9082.

Technical Analysis

The likely enterprise failure mode is an affected drupal/core package in a production or staging site backed by PostgreSQL. Drupal's advisory also calls out contributed or custom code paths that pass untrusted object data into multi-value IN conditions. The scripts below do not attempt exploit reproduction; they classify inventory, database driver evidence, and post-exposure artifacts. [1]

Affected Assets and Blast Radius

Asset Selectors:

  • drupal/core
  • Drupal Core
  • SA-CORE-2026-004
  • CVE-2026-9082
  • pgsql
  • PostgreSQL

Highest Value Assets:

  • internet-facing Drupal sites using PostgreSQL
  • Drupal deployments with custom or contributed modules using database abstraction API IN conditions
  • CI images and deployment artifacts containing affected drupal/core versions

Credentials And Data At Risk:

  • Drupal administrative sessions
  • Drupal user records and roles
  • PostgreSQL data reachable by the Drupal application account
  • webroot files writable by the Drupal runtime user

Indicators of Compromise

The following indicators of compromise (IOCs) can be used to scope exposure across local repositories, systems, and telemetry exports:

Remediation and Closure

The following Python script is provided to scan, verify, or query the system telemetry:

#!/usr/bin/env python3
import json
import os
import re
import sys
from pathlib import Path

ROOT = Path(os.environ.get("ROOT", sys.argv[1] if len(sys.argv) > 1 else ".")).resolve()
OUT = Path(os.environ.get("OUT", "hp-drupal-cve-2026-9082-closure")).resolve()
CVE = "CVE-2026-9082"
FIXED = ["10.4.10", "10.5.10", "10.6.9", "11.1.10", "11.2.12", "11.3.10"]
SOURCE = "https://www.drupal.org/sa-core-2026-004"

def vt(value):
    return tuple(int(x) for x in re.findall(r"\d+", str(value))[:4])

def lt(left, right):
    l, r = vt(left), vt(right)
    width = max(len(l), len(r), 1)
    return l + (0,) * (width - len(l)) < r + (0,) * (width - len(r))

def ge(left, right):
    return not lt(left, right)

def fixed_or_unaffected(version):
    if version.startswith("7."):
        return True
    affected_ranges = [
        ("8.9.0", "10.4.10"),
        ("10.5.0", "10.5.10"),
        ("10.6.0", "10.6.9"),
        ("11.0.0", "11.1.10"),
        ("11.2.0", "11.2.12"),
        ("11.3.0", "11.3.10"),
    ]
    return not any(ge(version, start) and lt(version, end) for start, end in affected_ranges)

OUT.mkdir(parents=True, exist_ok=True)
results = []
for lockfile in ROOT.rglob("composer.lock"):
    data = json.loads(lockfile.read_text(encoding="utf-8", errors="ignore"))
    for package in data.get("packages", []) + data.get("packages-dev", []):
        if package.get("name") == "drupal/core":
            version = str(package.get("version", "")).lstrip("v")
            results.append({
                "cve": CVE,
                "source": SOURCE,
                "file": str(lockfile),
                "installed_version": version,
                "accepted_fixed_versions": FIXED,
                "fixed_or_unaffected": fixed_or_unaffected(version),
            })

(OUT / "drupal-cve-2026-9082-patch-verification.json").write_text(json.dumps(results, indent=2, sort_keys=True), encoding="utf-8")

# Remediation trigger: fixed_or_unaffected false for any PostgreSQL-backed Drupal Core deployment keeps the site open for CVE-2026-9082.
print(json.dumps({"out": str(OUT), "checked": len(results), "not_closed": [r for r in results if not r["fixed_or_unaffected"]]}, indent=2))

Downstream Abuse Audits

Compromised workstations expose active API credentials, requiring immediate rotated revocation. The following platforms are at risk:

  • GitHub OIDC and PATs: Attackers harvested SSH private keys and Git Personal Access Tokens. Auditors must inspect recent action runs and release logs during the exposure window.
  • Cloud IAM Credentials: AWS, Azure, and GCP session tokens. CloudTrail and Activity Logs should be queried for AssumeRole or write operations originating from unexpected IP addresses.
  • NPM and Package Registries: Publishing tokens and credentials. Registry profiles must be audited for unauthorized version publishes or token additions.

Timeline

4 of 4 rows

Timeline
DateEventDescriptionSource
May 26, 2026DiscoveryDiscovery recorded for Drupal Core CVE-2026-9082: KEV SQL Injection Exposure.drupal.org
May 26, 2026First seenFirst seen recorded for Drupal Core CVE-2026-9082: KEV SQL Injection Exposure.drupal.org
May 26, 2026DisclosureDisclosure recorded for Drupal Core CVE-2026-9082: KEV SQL Injection Exposure.drupal.org
May 26, 2026Drupal Core CVE-2026-9082: KEV SQL Injection ExposureUnknowndrupal.org

Affected Software

0 of 0 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
No rows match the active filters.

Tested Hunting Scripts

1 of 1 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
local repository and exported telemetry scopePythonDoes the telemetry scope contain patterns associated with Drupal Core CVE-2026-9082: KEV SQL Injection Exposure?scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabdrupal.org

Hunt Manifest: local repository and exported telemetry scope

Title
local repository and exported telemetry scope
Question
Does the telemetry scope contain patterns associated with Drupal Core CVE-2026-9082: KEV SQL Injection Exposure?
Telemetry Family
Python
Repository
scripts/local_repository_and_exported_telemetry_scope.py
Show tested hunting scriptscripts/local_repository_and_exported_telemetry_scope.py
scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabPython
#!/usr/bin/env python3
import os
import sys
from pathlib import Path

ROOT = sys.argv[1] if len(sys.argv) > 1 else "."
LOG_ROOT = os.environ.get("LOG_ROOT", "")
OUT = Path(os.environ.get("OUT", "hp-drupal-core-cve-2026-9082-kev-scope"))


# Collect unique indicators
indicators = set()
for group in []:
    for val in group:
        if val:
            indicators.add(val)

with open(indicators_file, "w") as f:
    for ind in sorted(indicators):
        f.write(ind + "\n")

print(f"[+] Written unique selectors to {indicators_file}")

# Walk local directory
print(f"[+] Scanning directory: {ROOT} for selectors...")
matches = []
exclude_dirs = {"node_modules", "vendor", "dist", ".git"}
for root, dirs, filenames in os.walk(ROOT):
    dirs[:] = [d for d in dirs if d not in exclude_dirs]
    for filename in filenames:
        filepath = Path(root) / filename
        try:
            content = filepath.read_text(errors="ignore")
            for ind in indicators:
                if ind in content:
                    matches.append(f"{filepath}: found '{ind}'")
        except Exception:
            pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here

if matches:
    (OUT / "repository-indicator-matches.txt").write_text("\n".join(matches) + "\n")
    print(f"[!] Found {len(matches)} matches in codebase!")

# Optional Log Scanning
if LOG_ROOT and os.path.exists(LOG_ROOT):
    print(f"[+] Scanning telemetry log directory: {LOG_ROOT}...")
    log_matches = []
    for root, _, filenames in os.walk(LOG_ROOT):
        for filename in filenames:
            filepath = Path(root) / filename
            try:
                content = filepath.read_text(errors="ignore")
                for ind in indicators:
                    if ind in content:
                        log_matches.append(f"{filepath}: found '{ind}'")
            except Exception:
                pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here
    if log_matches:
        (OUT / "exported-telemetry-indicator-matches.txt").write_text("\n".join(log_matches) + "\n")
        print(f"[!] Found {len(log_matches)} matches in logs!")

    if PACKAGES:
        registry_dir = OUT / "registry"
        registry_dir.mkdir(exist_ok=True)

print(f"[+] Wrote scope artifacts under {OUT}")

Provenance & Sources

3 of 3 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
drupal.orgSecurity Researcher95%1CISA added Drupal Core CVE-2026-9082 to KEV on 2026-05-22. The exploitable surface is PostgreSQL-backed Drupal Core in affected 8.9.x, 10.x, and 11.x ranges; this article provides composer, settings, and telemetry scripts for exposure and closure.
nvd.nist.govSecurity Researcher95%1CISA added Drupal Core CVE-2026-9082 to KEV on 2026-05-22. The exploitable surface is PostgreSQL-backed Drupal Core in affected 8.9.x, 10.x, and 11.x ranges; this article provides composer, settings, and telemetry scripts for exposure and closure.
cisa.govSecurity Researcher95%1CISA added Drupal Core CVE-2026-9082 to KEV on 2026-05-22. The exploitable surface is PostgreSQL-backed Drupal Core in affected 8.9.x, 10.x, and 11.x ranges; this article provides composer, settings, and telemetry scripts for exposure and closure.
Drupal Core CVE-2026-9082: KEV SQL Injection Exposure — Halting Problems