F5 Labs Details Drupal CVE-2026-9082 Scanning Patterns
Sensor data published by F5 Labs adds a traffic-level view of CVE-2026-9082 exploitation attempts by focusing on how scanners probed Drupal JSON:API endpoints after disclosure. The report by F5 threat researcher Adam Metcalfe-Pearce says the company’s sensors recorded 576 attempts from nine source IPs between 20 May and 31 May 2026, with the first matching activity appearing on 22 May 2026.
The report’s useful detail is the observed scanning workflow. F5 Labs says requests rotated through common node content endpoints, including /jsonapi/node/article, /jsonapi/node/page, and /jsonapi/node/basic_page. The activity used the correct Accept: application/vnd.api+json header and tested boolean and time-based blind SQL injection conditions rather than sending generic probes.
F5 Labs also describes web application firewall evasion signals such as comment-based spacing, nested parentheses, PostgreSQL-specific casting, and use of pg_sleep(). The report characterises the activity as early-stage but purpose-built Drupal scanning because the nine source IPs shared similar request patterns and did not target other application types in F5’s sensor view. Its defensive advice centres on checking JSON:API access logs, reviewing public access to JSON:API, and using behaviour-based detection rather than static blocking alone.
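
One way to apply the log-review advice above, as an added example that is not from the F5 Labs report: a Python pass over access-log lines that flags sources rotating across /jsonapi/node/ endpoints while showing several of the evasion signals the report lists. The log lines, the `q` parameter, the regexes and the thresholds are constructed assumptions; combined log format is assumed, and checking the Accept header would need a log format that records it.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log lines (combined log format). IPs are documentation ranges
# and the "q" parameter is a placeholder, not the parameter affected by the CVE.
SAMPLE_LOG = """\
192.0.2.10 - - [22/May/2026:10:00:01 +0000] "GET /jsonapi/node/article?q=1%2F**%2FAND%2F**%2F((1=1)) HTTP/1.1" 200 512
192.0.2.10 - - [22/May/2026:10:00:03 +0000] "GET /jsonapi/node/page?q=1%2F**%2FAND%2F**%2F((1=2)) HTTP/1.1" 200 498
192.0.2.10 - - [22/May/2026:10:00:09 +0000] "GET /jsonapi/node/basic_page?q=(SELECT%20pg_sleep(5))::text HTTP/1.1" 200 498
198.51.100.7 - - [22/May/2026:10:01:00 +0000] "GET /jsonapi/node/article?page[limit]=10 HTTP/1.1" 200 2048
203.0.113.5 - - [22/May/2026:10:02:00 +0000] "GET /jsonapi/node/article?q=((draft)) HTTP/1.1" 200 1024
"""

# Signals named in the report, matched on the URL-decoded query string.
SIGNALS = {
    "comment_spacing": re.compile(r"/\*.*?\*/"),
    "nested_parens": re.compile(r"\(\s*\("),
    "pg_cast": re.compile(r"::\s*[a-z]+", re.I),
    "pg_sleep": re.compile(r"pg_sleep\s*\(", re.I),
}
LINE = re.compile(r'^(\S+) .*?"(?:GET|POST|PATCH|DELETE) (/jsonapi/node/[^?\s]+)\??(\S*) HTTP')

def suspicious_sources(log_text, min_endpoints=2, min_signals=2):
    """Return sources that hit several node endpoints with several distinct signals."""
    endpoints, signals = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a JSON:API node request
        ip, path, query = m.groups()
        decoded = unquote_plus(query)  # scanners percent-encode their spacing tricks
        hits = {name for name, rx in SIGNALS.items() if rx.search(decoded)}
        if hits:
            endpoints[ip].add(path)
            signals[ip] |= hits
    # Behaviour-based: one odd request is not enough, endpoint rotation plus
    # multiple signal types from the same source is.
    return {ip: {"endpoints": sorted(endpoints[ip]), "signals": sorted(signals[ip])}
            for ip in endpoints
            if len(endpoints[ip]) >= min_endpoints and len(signals[ip]) >= min_signals}

if __name__ == "__main__":
    for ip, detail in suspicious_sources(SAMPLE_LOG).items():
        print(ip, detail)
```

The single nested-parentheses request from 203.0.113.5 stays below both thresholds, which is the difference between this aggregation and a static per-request block rule.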
