Drupal SQL flaw exploited at 15,000 sites in 48 hours
Key insights
- CVE-2026-9082 allows unauthenticated SQL injection on all PostgreSQL-backed Drupal sites, with potential for remote code execution.
- CISA added the flaw to KEV within 48 hours of the patch, with 15,000 attacks observed across 6,000 sites in 65 countries.
- Federal agencies must patch by May 27 under BOD 22-01; all Drupal PostgreSQL operators are urged to update immediately.
Why this matters
The sub-48-hour patch-to-exploitation timeline for a widely deployed open-source CMS signals that automated vulnerability scanning and exploit deployment pipelines are now fast enough to outpace most enterprise patch cycles, forcing security teams to treat 'patch Tuesday' cadences as dangerously slow. For AI practitioners and technical leaders building on open-source infrastructure stacks, this reinforces that CMS and database abstraction layers in production environments are high-value attack surfaces often overlooked in AI application security reviews. CISA's near-immediate KEV listing also creates legal and contractual exposure for federal contractors and regulated-industry operators who have not patched by May 27, expanding the blast radius well beyond Drupal's direct user base.
Summary
CISA added Drupal's CVE-2026-9082 to its Known Exploited Vulnerabilities catalog on May 22, less than 48 hours after the patch dropped, marking one of the fastest KEV additions in recent memory.
The flaw is an unauthenticated SQL injection in Drupal's database abstraction layer, affecting every PostgreSQL-backed Drupal installation. Attackers don't need credentials to trigger it, and depending on server configuration it can escalate from data disclosure all the way to remote code execution. Over 15,000 attack attempts hit roughly 6,000 sites across 65 countries before most administrators had even read the advisory.
Essentially: Drupal and CISA are in a race against a globally distributed exploitation wave that started before most operators could act.
- Federal agencies face a hard patch deadline of May 27 under CISA's BOD 22-01 directive.
- All PostgreSQL-backed Drupal sites are affected regardless of version; MySQL-backed deployments are not vulnerable to this specific vector.
- The 48-hour window from patch to KEV listing signals CISA observed confirmed in-the-wild exploitation almost immediately.
The broader pattern here is that the window between public patch and mass exploitation has collapsed to hours, not days, which changes what 'adequate patch response time' means for any organization running open-source CMS infrastructure.
Potential risks and opportunities
Risks
- Government contractors running Drupal on PostgreSQL who miss the May 27 CISA deadline face potential contract suspension or audit findings under FISMA and BOD 22-01 compliance frameworks.
- Organizations that were actively exploited before patching face undisclosed data exposure windows, with privilege escalation paths potentially leaving backdoors that survive the patch itself.
- Drupal's broader adoption in higher education and NGO sectors, where patch cycles are slow and IT resources thin, means a long tail of vulnerable sites likely remains unpatched well past the federal deadline.
Opportunities
- Web application firewall vendors (Cloudflare, Fastly, Imperva) can accelerate enterprise deals by demonstrating virtual patching rules already blocking CVE-2026-9082 exploit patterns before infrastructure patches are applied.
- Managed Drupal hosting platforms (Acquia, Pantheon) that auto-patched customer environments within the 48-hour window have a concrete competitive differentiator to market against self-hosted deployments.
- Vulnerability management and exposure prioritization vendors (Tenable, Rapid7, Wiz) benefit from using this incident as a reference case for runtime prioritization products that flag KEV-listed CVEs ahead of standard patch queues.
What we don't know yet
- Attribution of the attack wave is unconfirmed in public reporting as of May 23, with no threat actor group or nation-state link identified.
- Whether Drupal MySQL-backed installations share any partial exposure through related database abstraction code paths has not been publicly addressed by the Drupal Security Team.
- The extent to which managed Drupal hosting providers (Acquia, Pantheon) have auto-applied the patch for customers by the May 27 deadline has not been disclosed.
Originally reported by thehackernews.com
Original headline: r/cybersecurity: Drupal Core SQL Injection CVE-2026-9082 Actively Exploited Within 48 Hours of Patch — CISA KEV, 15,000 Attacks Across 6,000 Sites in 65 Countries