The U.S. Cybersecurity and Infrastructure Security Agency has ordered federal agencies to secure their servers against a serious SQL injection vulnerability in the Drupal content management system that is already being exploited in attacks.

The vulnerability is tracked as CVE-2026-9082 and affects Drupal’s database abstraction API. It was discovered by Google/Mandiant researcher Michael Maturi and can be exploited without authentication on Drupal websites using PostgreSQL.

Drupal is widely used by large organizations that manage complex websites, multi-site platforms and large data structures. Its users often include government agencies, universities, research institutions, media companies and major enterprises, making the flaw especially concerning.

According to Drupal’s security team, attackers can exploit the vulnerability by sending specially crafted requests to vulnerable sites. Successful exploitation may allow arbitrary SQL injection, which could lead to information disclosure, privilege escalation and, in some cases, remote code execution.

The Drupal security team rated the issue as “highly critical” before releasing patches and later confirmed that exploitation attempts had been seen in the wild.

Security monitoring group Shadowserver is currently tracking nearly 670 unpatched Drupal installations exposed to the internet. Most of the vulnerable systems are located in North America and Europe.

On Friday, CISA added the Drupal vulnerability to its Known Exploited Vulnerabilities Catalog. The agency also instructed Federal Civilian Executive Branch agencies to apply patches or mitigations by midnight on Wednesday, May 27, under Binding Operational Directive 22-01.

READ
Hackers Begin Exploiting Critical Adobe ColdFusion Flaw Just Hours After Patch Release

Although the directive applies only to U.S. federal agencies, CISA urged all organizations to treat the issue as urgent and patch affected Drupal systems as soon as possible.


Buy ExpressVPN with PayPal or Credit Card

CISA warned that vulnerabilities of this type are frequently targeted by malicious hackers and pose a serious risk to government and private-sector networks. The agency advised organizations to follow Drupal’s vendor instructions, apply available mitigations, follow cloud service guidance where relevant, or stop using the affected product if no fix is available.

Advertisement