Miggo Reports 51-Minute AI Exploit Test for Drupal CVE-2026-9082

Post-Disclosure Exploit Speed Pressures Patch Response Windows

Security researchers at Miggo Security reported that they used Claude, Anthropic’s large language model, to generate a proof-of-concept exploit for Drupal vulnerability CVE-2026-9082 within 51 minutes of detecting the public patch. The exercise examined how quickly publicly available patch information could be analysed and converted into exploit logic after the release of SA-CORE-2026-004 on 20 May 2026.

The finding adds a new dimension to the response surrounding CVE-2026-9082, which The Drop Times previously covered after its disclosure and later inclusion in the U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalogue. Earlier reports focused on the vulnerability, the official Drupal advisory, and exploitation activity. Miggo’s study focused on the speed of exploit development after a security fix becomes public.

In a report titled “The Death of Patch-First: Exploiting and Mitigating Drupal CVE-2026-9082 Under 60 Minutes,” Miggo researchers Eliana Vuijsje and Roy Cohen described a controlled exercise using Claude. According to the report, the team monitored the Drupal release window, identified the relevant patch, set up a vulnerable Drupal instance, and generated a working proof-of-concept exploit. Miggo said the process cost less than US$10 in Claude tokens.

Miggo’s timeline states that the patch was detected at 5:12 UTC on 20 May 2026 and that the team had a functional exploit by 6:03 UTC. The company said the process was not fully automated, noting that human guidance was required to resolve issues in the exploit path. The report argues that large language models can reduce the time needed to analyse security patches after disclosure.

CVE-2026-9082 is an unauthenticated SQL injection vulnerability affecting Drupal sites that use PostgreSQL. The Drupal Security Team addressed the issue through SA-CORE-2026-004 and rated it “Highly Critical.” The advisory states that successful exploitation could lead to information disclosure and, in some cases, privilege escalation, remote code execution, or other attacks.

The study appeared amid broader activity surrounding the vulnerability. Imperva reported more than 15,000 exploitation attempts targeting almost 6,000 Drupal sites across 65 countries after CVE-2026-9082 became public. The company said observed activity focused heavily on gaming and financial services sites.

Additional security reporting indicated that reconnaissance and proof-of-concept activity followed soon after the Drupal advisory became public. CISA added CVE-2026-9082 to its Known Exploited Vulnerabilities catalogue based on evidence of active exploitation. U.S. federal civilian agencies were directed to apply mitigations by 27 May 2026.

Miggo’s exercise does not document a real-world compromise. Its editorial value lies in the measurable interval between public patch availability and working exploit generation. Viewed alongside scanning activity, confirmed exploitation attempts, and the KEV listing, the study reinforces the operational risk of long patch testing and deployment cycles for high-impact application vulnerabilities.

Disclosure: This content is produced with the assistance of AI.
