Entries about Drupal core highly-critical pre-auth SQL injection in database abstraction API on PostgreSQL backends; CISA KEV-listed 2026-05-22 (SA-CORE-2026-004) (4)
critical vulnerability discovered, 2026-05-23 05:00 UTC
On 2026-05-22 Drupal updated SA-CORE-2026-004 to confirm that exploit attempts targeting CVE-2026-9082 — the anonymous pre-authentication SQL injection in the Entity Query API's PostgreSQL path — are now being detected in the wild. NCSC.ch updated Security Hub post 12584 to "Actively exploited" status the same day at 13:52Z, also recording the addition of CVE-2026-9082 to the CISA Known Exploited Vulnerabilities catalog on 2026-05-22 (the NCSC-CH post is the brief's source of record on the KEV add; the CISA news-events alert URL constructed earlier in the day returned a 404 at composition time).
Imperva reports observing 15,000+ exploitation attempts against approximately 6,000 Drupal sites across 65 countries within days of disclosure (Imperva, 2026-05-21). The technical mechanism (now public via the Searchlight Cyber write-up): on the case-insensitive IN operator path through core/lib/Drupal/Core/Entity/Query/Sql/Condition::compile() / ConditionAggregate::compile(), a JSON-encoded array value survives into the SQL placeholder name without sanitisation, allowing injection when the backend is PostgreSQL. Fixed versions: 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12 and 11.3.10; best-effort patches for EOL Drupal 8.9 and 9 are also available. MySQL/MariaDB/SQLite-backed Drupal sites remain unaffected, so confirming which database driver each site uses is the stop-gap control if the patch window slips past today.
Defender vantage update from yesterday's brief: the operational frame is no longer "patch when convenient" but patch today; the § 0 Immediate Action carries the operational framing, while this UPDATE captures the source-of-record links and the technical mechanism for anyone composing internal advisories or hunt queries. CH/EU specifics: NCSC.ch Security Hub is the authoritative jurisdictional source for Swiss federal and cantonal operators; Drupal-on-PostgreSQL is widespread across FITKO- and SWITCH-hosted university sites, French gouvernement.fr instances and EU institution portals. Detection: WAF telemetry for nested JSON arrays in user-supplied fields hitting Drupal endpoints; PostgreSQL log_min_duration_statement to surface anomalous query shapes (it logs only statements that run longer than the configured threshold, so set it to 0 while hunting to log every statement); web-server logs for unexpected POST payloads to anonymous routes.
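One way to act on the web-server-log item in the detection list above, as an added example rather than anything from the brief or from Drupal: a small scanner over constructed combined-format access-log lines that flags query-string values decoding to a nested JSON array. The paths, addresses and log lines are made up, and the check is the brief's coarse heuristic, not a vendor signature.

```python
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [23/May/2026:06:01:02 +0000] "GET /en/node?filter%5Bx%5D=%5B%5B%22a%22%5D%5D HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.11 - - [23/May/2026:06:01:03 +0000] "GET /en/node?tags=%5B%22a%22%2C%22b%22%5D HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.12 - - [23/May/2026:06:01:04 +0000] "GET /search?q=hello HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def has_nested_json_array(value):
    """True if a decoded parameter value is a JSON array that itself contains an array."""
    try:
        parsed = json.loads(value)
    except ValueError:  # includes json.JSONDecodeError
        return False
    return isinstance(parsed, list) and any(isinstance(e, list) for e in parsed)

def flag_requests(log_text):
    """Return (ip, method, path, param) for each request carrying a nested JSON array."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log line; skip rather than guess
        parts = urlsplit(m.group("target"))
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if has_nested_json_array(value):
                hits.append((m.group("ip"), m.group("method"), parts.path, key))
                break  # one hit per request is enough for triage
    return hits

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print("nested JSON array in query param", hit)
```

Access logs only carry the query string; POST bodies need WAF or request-body logging, which is why the brief lists WAF telemetry first.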
Drupal confirmed: exploit attempts are now being detected in the wild
Yesterday's brief carried Drupal's PSA pre-warning that a "highly critical" core advisory was scheduled for 2026-05-20; today the SA-CORE-2026-004 advisory landed with CVE-2026-9082 assigned: an anonymous SQL injection in Drupal core's database abstraction API (CWE-89), rated 20/25 on Drupal's risk scale (Highly Critical), that affects only PostgreSQL-backed installations. Specially crafted HTTP requests slip past sanitisation in the core DB-API layer and inject arbitrary SQL with no authentication; successful exploitation leads to information disclosure, privilege escalation and, in some database configurations, RCE. The Drupal Security Team explicitly stated that "exploits might be developed within hours or days" of advisory release (Drupal PSA, 2026-05-18).
Affected versions: 8.9.0 through 10.4.10, 10.5.x < 10.5.10, 10.6.x < 10.6.9, 11.0.0 through 11.1.10, 11.2.x < 11.2.12, 11.3.x < 11.3.10. Patched: 10.4.10 / 10.5.10 / 10.6.9 / 11.1.10 / 11.2.12 / 11.3.10 (released 2026-05-20). MySQL / MariaDB / SQLite installations are not affected by this CVE. Drupal 7 is unaffected; sites on EOL Drupal 8/9 majors must apply manual patch files. Drupal Steward WAF subscribers receive vendor-provided rules at advisory release per the service description; non-subscriber sites must apply the core update. NCSC-CH carried the advisory in its Security Hub (NCSC-CH, 2026-05-19; SecurityWeek, 2026-05-19; CSO Online, 2026-05-20).
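An added triage script (mine, not Drupal's or the advisory's code) that classifies a site from the affected ranges and the PostgreSQL-only rule given in the version lists above. It reads the VERSION constant from core/lib/Drupal.php and takes the driver name from $databases in settings.php as inputs; it assumes the "8.9.0 through 10.4.10" and "11.0.0 through 11.1.10" wording means "below the fixed release", and the sample inputs are constructed.

```python
import re

# Affected ranges as quoted in the brief, as (low, high) with low inclusive and
# high exclusive. "8.9.0 through 10.4.10" and "11.0.0 through 11.1.10" are read
# as "below the fixed release" (assumption: the fixed releases themselves are safe).
AFFECTED_RANGES = [
    ((8, 9, 0), (10, 4, 10)),
    ((10, 5, 0), (10, 5, 10)),
    ((10, 6, 0), (10, 6, 9)),
    ((11, 0, 0), (11, 1, 10)),
    ((11, 2, 0), (11, 2, 12)),
    ((11, 3, 0), (11, 3, 10)),
]
EOL_MAJORS = {8, 9}  # manual patch files only, per the advisory

def parse_version(text):
    """Return (major, minor, patch) from '10.4.9', '11.2.0-rc1' or '7.103'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def core_version_from_drupal_php(source):
    """Extract the VERSION constant from the contents of core/lib/Drupal.php."""
    m = re.search(r"const\s+VERSION\s*=\s*'([^']+)'", source)
    if not m:
        raise ValueError("VERSION constant not found")
    return m.group(1)

def assess(version, driver):
    """Classify one site from its core version and $databases[...]['driver'] value."""
    v = parse_version(version)
    if not any(low <= v < high for low, high in AFFECTED_RANGES):
        return "not-in-affected-range", "core version outside the ranges listed in SA-CORE-2026-004"
    if driver != "pgsql":
        return "unaffected-backend", f"affected core version but driver is {driver!r}, not pgsql"
    if v[0] in EOL_MAJORS:
        return "vulnerable-eol", "PostgreSQL on an EOL major: apply the manual patch files"
    return "vulnerable", "PostgreSQL on an affected core version: update to the fixed release now"

# Constructed sample inputs, not taken from a real site.
SAMPLE_DRUPAL_PHP = "<?php\nclass Drupal {\n  const VERSION = '10.5.9';\n}\n"
SAMPLE_DRIVER = "pgsql"  # from $databases['default']['default']['driver'] in settings.php

if __name__ == "__main__":
    ver = core_version_from_drupal_php(SAMPLE_DRUPAL_PHP)
    print(ver, *assess(ver, SAMPLE_DRIVER))
```

Versions outside every listed branch (Drupal 7, or a branch newer than 11.3) come back as "not-in-affected-range", which means the advisory lists no range for them, not that they were assessed.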
A textbook example of why the weekly lens matters: an item that was a pre-patch warning at the start of the week was confirmed exploited in the wild by its end. Drupal pre-announced an emergency advisory via PSA-2026-05-18 (daily 2026-05-20); SA-CORE-2026-004 shipped the "highly critical" pre-auth SQL injection fix on 2026-05-21; and by 2026-05-23 Drupal had updated the advisory to confirm exploit attempts, CISA had KEV-listed it, and NCSC Switzerland had flipped its Cyber Security Hub post 12584 to "Actively exploited." See § 1 for the operational framing — the trajectory itself is the lesson: a PostgreSQL-backed public-sector Drupal site left unpatched across this one week moved from "watch" to "presumed-targeted."
If you did nothing this week: an internet-exposed Drupal site on PostgreSQL was anonymously SQL-injectable, and exploitation is now confirmed in the wild. Drupal pre-warned an emergency advisory via PSA-2026-05-18, shipped SA-CORE-2026-004 on 2026-05-21, and by 2026-05-23 the advisory was updated to confirm exploit attempts, CISA had KEV-listed it, and NCSC Switzerland flipped its Cyber Security Hub post 12584 to "Actively exploited."
CVE-2026-9082 is a "highly critical" pre-authentication SQL injection in the Drupal core database abstraction layer, exploitable only against PostgreSQL backends. Drupal is widely deployed across Swiss and EU public-administration web estates; the PostgreSQL-only condition narrows but does not eliminate exposure. Apply the SA-CORE-2026-004 fixed core release immediately; if you cannot patch a PostgreSQL-backed Drupal site, take it off the public internet until you can.