Drupal CVE-2026-9082 — CISA KEV addition + active exploitation confirmed; NCSC.ch flips post 12584 to "Actively exploited"
Entities: NCSC-CH
Part of run 2026-05-23-852c21c8 (intel · Claude Opus 4.7)
UPDATE to the 2026-05-21 item "Drupal SA-CORE-2026-004 / CVE-2026-9082 ships — 'highly critical' pre-auth SQL injection in core database API, PostgreSQL-only"
UPDATE (originally covered 2026-05-21): On 2026-05-22 Drupal updated SA-CORE-2026-004 to confirm that exploit attempts targeting CVE-2026-9082 — the anonymous pre-authentication SQL injection in the Entity Query API's PostgreSQL path — are now being detected in the wild. NCSC.ch updated Security Hub post 12584 to "Actively exploited" status the same day at 13:52Z, also recording the addition of CVE-2026-9082 to the CISA Known Exploited Vulnerabilities catalog on 2026-05-22 (the NCSC-CH post is the brief's source of record on the KEV add; the CISA news-events alert URL constructed earlier in the day returned a 404 at composition time).
Imperva reports observing 15,000+ exploitation attempts against approximately 6,000 Drupal sites across 65 countries within days of disclosure (Imperva, 2026-05-21). The technical mechanism (now public via the Searchlight Cyber write-up): on the case-insensitive IN operator path through core/lib/Drupal/Core/Entity/Query/Sql/Condition::compile() / ConditionAggregate::compile(), a JSON-encoded array value survives into the SQL placeholder name without sanitisation, allowing injection when the backend is PostgreSQL. Fixed versions: 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12 and 11.3.10; best-effort patches for EOL Drupal 8.9 and 9 are also available. MySQL/MariaDB/SQLite-backed Drupal sites remain unaffected, which is the temporary control to fall back on if the patch window slips past today.
Defender vantage, updated from yesterday's brief: the operational frame is no longer "patch when convenient" but "patch today". § 0 Immediate Action carries that framing; this UPDATE captures the source-of-record links and the technical mechanism for anyone composing internal advisories or hunt queries. CH/EU specifics: NCSC.ch Security Hub is the authoritative jurisdictional source for Swiss federal and cantonal operators; Drupal-on-PostgreSQL is widespread across FITKO and SWITCH-hosted university sites, French gouvernement.fr instances and EU institution portals. Detection: WAF telemetry for nested JSON arrays in user-supplied fields hitting Drupal endpoints; PostgreSQL log_min_duration_statement to surface anomalous query shapes; web-server access logs for unexpected POST payloads to anonymous routes.
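A starting point for the web-server-log side of that detection, added here as an example and not taken from Drupal, NCSC.ch, Imperva or the Searchlight write-up: it parses Combined Log Format access lines (the format is an assumption) and flags any request parameter whose value decodes to a JSON array, marking nested arrays separately since that is the shape the brief says to watch for. The log lines are constructed.

```python
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx Combined Log Format (assumed); only the fields we need are named.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines: one benign page view, one JSON:API filter that uses
# bracket-notation keys (not a JSON value), one nested array, one flat array.
SAMPLE_LOG = [
    '198.51.100.4 - - [22/May/2026:13:50:11 +0000] "GET /node/1 HTTP/1.1" 200 4021 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [22/May/2026:13:50:12 +0000] "GET /jsonapi/node/article?filter[title][value]=hello HTTP/1.1" 200 1800 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [22/May/2026:13:52:01 +0000] "GET /search/node?keys=%5B%22a%22%2C%5B%22b%22%5D%5D HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [22/May/2026:13:52:02 +0000] "GET /search/node?keys=%5B%22x%22%5D HTTP/1.1" 200 512 "-" "curl/8.0"',
]


def json_array_values(target: str) -> list[tuple[str, list]]:
    """Return (param, decoded_list) for every query value that is a JSON array."""
    found = []
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        stripped = value.strip()
        if not (stripped.startswith("[") and stripped.endswith("]")):
            continue  # cheap pre-filter before paying for json.loads
        try:
            decoded = json.loads(stripped)
        except ValueError:
            continue  # bracketed but not valid JSON, e.g. a literal "[test]"
        if isinstance(decoded, list):
            found.append((key, decoded))
    return found


def is_nested(arr: list) -> bool:
    """True if any element is itself a JSON array or object."""
    return any(isinstance(x, (list, dict)) for x in arr)


def scan(lines: list[str]) -> list[dict]:
    """Walk access-log lines and return one hit per JSON-array parameter value."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        for param, decoded in json_array_values(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "path": urlsplit(m["target"]).path,
                         "param": param, "nested": is_nested(decoded)})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Request bodies are not in access logs, so the POST side of the same check needs WAF or application-level capture; treat a nested hit from an unauthenticated source as the higher-priority triage item.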
“Drupal confirmed: exploit attempts are now being detected in the wild” — BleepingComputer
“Current exploitation status: Actively exploited” — NCSC.ch Security Hub
“Imperva sees more than 15,000 exploit attempts against around 6,000 Drupal websites in 65 countries” — Imperva
Action items
- Patch Drupal CVE-2026-9082 today on every PostgreSQL-backed Drupal deployment — pre-auth SQL injection, active exploitation, 15,000+ attempts measured by Imperva, NCSC.ch status "Actively exploited". Target versions: 10.4.10 / 10.5.10 / 10.6.9 / 11.1.10 / 11.2.12 / 11.3.10 per Drupal SA-CORE-2026-004. MySQL/MariaDB/SQLite backends are unaffected — if patching slips, swap the backend as a temporary control.