A recently disclosed vulnerability in Drupal Core, tracked as CVE-2026-9082, has been exploited in the wild and added to the Known Exploited Vulnerabilities (KEV) catalog maintained by the United States Cybersecurity and Infrastructure Security Agency (CISA). The flaw is an SQL injection in Drupal's database abstraction API, the very layer that is supposed to keep injection out of queries, so code paths that were written "correctly" against that API inherit the defect. It is reachable through two separate unauthenticated paths: the JSON:API filter syntax and the JSON login endpoint. No credentials are needed, and the reported attack chain runs from query manipulation to potential remote code execution (RCE).
Who Runs Drupal and Why That Changes the Risk Calculus
The risk is amplified by who runs Drupal. Its deployment profile skews toward high-value institutional targets: government agencies, universities, financial services firms, and major media companies. A working exploit for a Drupal flaw therefore tends to land on systems holding large volumes of sensitive data rather than on disposable marketing sites.
Data exposure in these environments carries regulatory, national security, and reputational consequences well beyond the initial breach. For government agencies, CISA's Binding Operational Directive (BOD) 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate KEV-listed vulnerabilities by the due date CISA assigns to each entry. The addition of CVE-2026-9082 to the catalog reflects the government's recognition of Drupal's embedded role in federal infrastructure.
From Disclosure to Active Exploitation
Drupal disclosed the vulnerability in a security advisory on May 20th; CISA added it to the KEV catalog, with the accompanying patch deadline, on the 22nd. Shortly after disclosure, Imperva published a blog post reporting more than 15,000 attempts to exploit the flaw against nearly 6,000 individual sites in 65 countries within the first days.
Imperva's data shows the attacks concentrated on the United States (61.8%), with much smaller volumes against countries mostly in Europe and Asia. Gaming and financial services were the most targeted sectors, together accounting for almost half of observed attempts, followed by computing and IT, business, and food and beverages. The Shadowserver Foundation is currently tracking more than 600 unpatched, internet-exposed Drupal installations, most of them in North America (273) and Europe (250).
What the Attack Traffic Reveals About Adversary Maturity
Patterns in the observed traffic say something about who is behind it. Payloads were dominated by Nuclei-template scanning, JSON:API filter probing, and time-based PostgreSQL injection, which together point to automated, coordinated reconnaissance rather than one-off manual attempts. “Attackers are actively scanning for vulnerable targets right now, and once they find one, the path from initial access to privilege escalation is fast and familiar,” says Shane Barney, Chief Information Security Officer at Keeper Security, a Chicago-based provider of zero-trust and zero-knowledge cybersecurity software.
The traffic also shifted over time, from opportunistic probing early on to more targeted validation later, which suggests adversaries pre-positioning for exploitation rather than seeking immediate impact. That structured progression points to organized threat actors operating alongside the automated scanner noise, not merely script-kiddie opportunism.
Why Critical CMS Infrastructure Stays Unpatched
Several factors slow patching of this vulnerability. The fix spans six distinct version ranges of Drupal core, each with its own remediation path, which creates operational friction for large multi-site deployments. Government and institutional operators also frequently run legacy or heavily customized Drupal builds in which an upgrade carries functional risk, so those instances stay unpatched longer.
Many exposed organizations also lack web application firewall (WAF) coverage or runtime monitoring, leaving them with no compensating control while patch deployment cycles run. “The key now is combining accelerated patching with resilience-focused controls such as identity-based microsegmentation, strict least-privilege access, and continuous monitoring to prevent attackers from moving laterally if an initial compromise occurs,” says Louis Eichenbaum, Federal CTO at ColorTokens, a San Jose, Calif.-based provider of Zero Trust microsegmentation solutions.
Closing the Structural Gap
The immediate priority for organizations running Drupal is to upgrade to a patched release (10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, or 11.3.10) and to audit logs for anomalous JSON:API and login endpoint activity. Patching closes the injection path but says nothing about what happened before the patch landed; given that exploitation began within days of disclosure, any instance that was exposed unpatched should be reviewed for signs of compromise rather than assumed clean. The broader imperative is for organizations to treat foundational CMS infrastructure with the same vulnerability management discipline they apply to firewalls and identity systems. CVE-2026-9082 is a structural argument for continuous monitoring of query-handling layers, not a one-time patching incident to be closed and forgotten.
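The two checks recommended above, as an added example that is not from the article, from Imperva, or from the Drupal project: a version comparison against the six fixed releases the article lists, and a pass over web-server access logs for the traffic shapes the article describes (JSON:API filter probes, time-based PostgreSQL injection markers, Nuclei scanner traffic, and bursts of JSON login requests). The log format (Apache combined), the endpoint paths `/jsonapi` and `/user/login?_format=json`, the indicator strings, the burst threshold, and the sample log lines are all assumptions constructed for the example; the markers are generic SQL-injection indicators, not the CVE's actual payload, which the article does not publish.

```python
"""Added example (not the article's or Drupal's code): post-disclosure checks
for CVE-2026-9082.

1. is_patched(): compare an installed Drupal core version with the six fixed
   releases named in the article.
2. audit_access_log(): flag JSON:API filter probes carrying SQL-injection
   markers, Nuclei scanner user agents and bursts of JSON login POSTs.

Assumptions (not from the article): combined log format, the endpoint paths
/jsonapi and /user/login?_format=json, the marker regex, the burst threshold.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Fixed releases named in the article, keyed by (major, minor) branch.
FIXED = {
    (10, 4): 10, (10, 5): 10, (10, 6): 9,
    (11, 1): 10, (11, 2): 12, (11, 3): 10,
}


def parse_version(version):
    """Parse 'major.minor.patch' with an optional '-suffix' (e.g. -dev)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    """Return 'patched', 'vulnerable' or 'unknown' for a Drupal core version."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED:
        return "patched" if patch >= FIXED[branch] else "vulnerable"
    if branch < max(FIXED):
        # Assumption: a branch older than the newest fixed branch but with no
        # listed fix has no patched release, so treat it as vulnerable.
        return "vulnerable"
    return "unknown"  # newer branch than the article covers


# Apache/nginx combined log format (assumed).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
# Generic time-based / structural SQL-injection indicators in a filter value.
# Assumption: illustrative markers, not the CVE's actual payload.
SQLI_MARKERS = re.compile(r"pg_sleep|sleep\s*\(|\bunion\b|--|/\*|'", re.I)
LOGIN_BURST = 20  # assumption: JSON login POSTs per source IP that count as a burst


def audit_access_log(lines, login_burst=LOGIN_BURST):
    """Return (ip, finding, detail) tuples for suspicious requests."""
    findings = []
    login_posts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, target, ua = m["ip"], m["method"], m["target"], m["ua"]
        url = urlsplit(target)
        # parse_qsl percent-decodes keys and values, so filter%5B..%5D -> filter[..]
        params = parse_qsl(url.query, keep_blank_values=True)
        if "nuclei" in ua.lower():
            findings.append((ip, "scanner-ua", target))
        if url.path.startswith("/jsonapi"):
            for key, value in params:
                if key.startswith("filter[") and SQLI_MARKERS.search(value):
                    findings.append((ip, "jsonapi-filter-sqli", f"{key}={value}"))
        if (url.path == "/user/login" and method == "POST"
                and dict(params).get("_format") == "json"):
            login_posts[ip] += 1
    for ip, count in login_posts.items():
        if count >= login_burst:
            findings.append((ip, "json-login-burst", str(count)))
    return findings


# Constructed sample log lines (not real traffic): one time-based probe from a
# Nuclei user agent, one benign JSON:API request, and a burst of JSON logins.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/May/2026:10:01:02 +0000] "GET /jsonapi/node/article'
    '?filter%5Btitle%5D%5Bvalue%5D=x%27%29+AND+pg_sleep%285%29-- HTTP/1.1" 200 512 '
    '"-" "Nuclei - Open-source project (github.com/projectdiscovery/nuclei)"',
    '198.51.100.7 - - [22/May/2026:10:01:03 +0000] "GET /jsonapi/node/article'
    '?filter%5Bstatus%5D=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
] + [
    '203.0.113.5 - - [22/May/2026:10:01:05 +0000] "POST /user/login?_format=json '
    'HTTP/1.1" 400 120 "-" "python-requests/2.31"'
] * 25


if __name__ == "__main__":
    for v in ("10.5.10", "11.2.11", "11.0.3", "11.4.0"):
        print(v, is_patched(v))
    for finding in audit_access_log(SAMPLE_LOG):
        print(*finding)
```

The version check deliberately treats an unlisted older branch (such as 11.0.x) as vulnerable rather than unknown, since the article lists no fixed release for it; adjust that rule if the vendor advisory you are working from says otherwise. The log pass is a triage filter, not proof of compromise: a flagged filter value shows that someone probed the endpoint, and whether the query actually executed against PostgreSQL has to be confirmed from database logs or response timing.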