CISA Warns of Active Exploitation of Drupal Vulnerability CVE-2026-9082
The U.S. Cybersecurity and Infrastructure Security Agency has ordered federal agencies to patch a highly critical Drupal vulnerability tracked as CVE-2026-9082 after the flaw was confirmed to be actively exploited in the wild.
The vulnerability affects Drupal’s database abstraction API and was discovered by Google Mandiant researcher Michael Maturi. According to security advisories, the flaw allows unauthenticated attackers to trigger arbitrary SQL injection attacks against PostgreSQL-powered Drupal sites through specially crafted requests.
Successful exploitation could lead to information disclosure, privilege escalation, and potentially remote code execution on affected systems. The Drupal security team classified the issue as “highly critical” before releasing security patches and confirming ongoing exploitation attempts.
On Friday, CISA added CVE-2026-9082 to its Known Exploited Vulnerabilities Catalog and directed Federal Civilian Executive Branch agencies to secure affected systems by midnight on Wednesday, 27 May 2026, under Binding Operational Directive 22-01.
Although the directive formally applies only to U.S. federal agencies, CISA urged private-sector organisations and other defenders to prioritise remediation efforts. The agency warned that vulnerabilities of this type are commonly used by threat actors and pose significant risks to enterprise infrastructure.
Cybersecurity company Imperva reported on 21 May that it had observed more than 15,000 attack attempts targeting nearly 6,000 Drupal sites across 65 countries since public disclosure of the vulnerability. According to the company, gaming and financial services organisations accounted for almost half of observed attacks.
Internet monitoring organisation Shadowserver currently tracks nearly 670 unpatched Drupal instances exposed online, with the highest concentrations located in North America and Europe.
Drupal is widely used by governments, universities, media organisations, and enterprises managing large-scale content infrastructure and multisite deployments, increasing the potential impact of large-scale exploitation attempts.
CISA advised organisations to apply vendor-provided mitigations immediately, follow applicable cloud guidance under Binding Operational Directive 22-01, or discontinue use of affected systems if mitigations are unavailable.
