Tuesday, 02 January 2024 12:17 GMT

Drupal Flaw Draws Urgent Patch Race


(MENAFN - The Arabian Post) US cyber authorities have added a critical Drupal Core SQL injection flaw to their exploited-vulnerabilities list after attacks began targeting unpatched websites using PostgreSQL databases, escalating pressure on government agencies, universities, media groups and enterprises that rely on the open-source content management platform.

The vulnerability, tracked as CVE-2026-9082, affects Drupal Core versions from 8.9.0 through several 10.x and 11.x branches before the fixed releases issued on May 20, 2026. The flaw sits in Drupal's database abstraction layer and can be exploited by anonymous users through specially crafted requests. A successful attack could expose sensitive data and, in some configurations, enable privilege escalation, data manipulation or remote code execution.

Drupal maintainers issued patched versions across multiple branches, including 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12 and 11.3.10. The advisory was updated on May 22 after exploit attempts were detected in the wild. The US Cybersecurity and Infrastructure Security Agency added the bug to its Known Exploited Vulnerabilities catalogue the same day and set May 27 as the deadline for federal civilian agencies to apply vendor mitigations or discontinue use where fixes are unavailable.

The flaw is narrower than some previous Drupal crises because it applies only to sites using PostgreSQL as the database backend. Deployments using MySQL, MariaDB or SQLite are not affected by this specific SQL injection path, although the same security releases also carry third-party updates relevant to broader Drupal installations. Drupal 7 is not believed to be affected by this exploit chain.

Security teams are treating the case as urgent because the bug does not require authentication and because technical details emerged quickly after the vendor advisory. Researchers have described the weakness as unusual because it can involve attacker-controlled PHP array keys moving through request handling into PostgreSQL query construction. That makes the flaw different from common SQL injection cases that target parameter values alone.


High-risk exposure is most likely where Drupal is paired with PostgreSQL and modules or routes such as JSON:API, Views exposed filters or entity autocomplete endpoints are enabled. Such configurations can allow crafted web requests to reach vulnerable query-building code. For site owners, the key operational question is therefore not only whether Drupal Core is present, but whether the database backend and application routes create an exploitable path.

Drupal remains widely used across public-sector websites, universities, publishers, charities and large enterprises because of its flexibility, granular permissions model and mature module ecosystem. Those same strengths can complicate emergency patching, particularly where legacy versions, custom modules or complex hosting arrangements slow upgrade cycles. Attackers often move quickly against content management systems because internet-facing installations can be scanned at scale and vulnerable endpoints can be tested automatically.

The latest warning also recalls earlier waves of Drupal exploitation, including the “Drupalgeddon” vulnerabilities that led to mass compromise of unpatched websites. While CVE-2026-9082 is more configuration-specific, the pattern is familiar: a high-impact Core flaw, fast publication of technical analysis, internet-wide scanning and a narrow window for administrators to act before opportunistic exploitation broadens.

Administrators are being urged to upgrade immediately to the fixed Drupal release matching their branch, review server logs for unusual requests, check database integrity, rotate credentials where compromise is suspected and ensure web application firewall rules for SQL injection are active. Security teams should also verify whether any legacy Drupal 8, 9 or retired 10.x and 11.x branches remain in production, as older branches may require exceptional upgrade planning rather than a routine patch.
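As an added illustration of the log-review step above (example code written for this page, not taken from the article or from Drupal), the script below scans constructed web-server log lines for requests to the route types the article names and flags query-parameter names, rather than values, that fall outside a plain identifier shape, since the article describes the flaw as driven by array keys. The route path fragments and the identifier pattern are assumptions for a site to tune, not Drupal's own validation rules.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log lines (common log format); not from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [21/May/2026:10:02:11 +0000] "GET /jsonapi/node/article?filter[title][value]=hello&page[limit]=10 HTTP/1.1" 200 512
203.0.113.5 - - [21/May/2026:10:02:12 +0000] "GET /jsonapi/node/article?filter[title'][value]=x HTTP/1.1" 500 0
198.51.100.7 - - [21/May/2026:10:03:40 +0000] "GET /entity_reference_autocomplete/node/default?q=abc HTTP/1.1" 200 300
198.51.100.7 - - [21/May/2026:10:03:41 +0000] "GET /views/ajax?field_tags%3B--=1&view_name=content HTTP/1.1" 403 0
192.0.2.9 - - [21/May/2026:10:04:00 +0000] "GET /user/login HTTP/1.1" 200 1200
"""

# Assumed path fragments for the route types named in the article (JSON:API,
# Views exposed filters via the AJAX endpoint, entity autocomplete). Tune per site.
ROUTE_HINTS = ("/jsonapi/", "/views/ajax", "autocomplete")

# Assumed shape of a benign parameter name: identifier characters, optionally
# followed by bracketed segments such as filter[title][value] or fields[node--article].
SAFE_KEY = re.compile(r"[A-Za-z0-9_.:-]+(?:\[[A-Za-z0-9_.:-]*\])*")

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def suspicious_keys(query):
    """Return decoded parameter names that do not match SAFE_KEY.

    Values are deliberately ignored: the heuristic targets array keys, which is
    where the article says this flaw's attacker-controlled input travels."""
    return [k for k, _ in parse_qsl(query, keep_blank_values=True)
            if not SAFE_KEY.fullmatch(k)]


def scan_log(text):
    """Return one finding per request on a hinted route that carries an odd key."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not request records
        ip, ts, method, target, status = m.groups()
        parts = urlsplit(target)
        if not any(h in parts.path for h in ROUTE_HINTS):
            continue  # only routes that reach query-building code are of interest
        bad = suspicious_keys(parts.query)
        if bad:
            findings.append({"ip": ip, "time": ts, "method": method,
                             "path": parts.path, "keys": bad, "status": int(status)})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['path']} status={f['status']} keys={f['keys']}")
```

A 500 on a JSON:API request with a malformed key is worth correlating with PostgreSQL error logs from the same minute; benign multi-level keys such as page[limit] are not flagged.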


The risk is heightened for organisations that expose administrative or content APIs to the public internet, maintain large authenticated user bases or store sensitive records in Drupal-managed databases. Even where remote code execution is not achieved, SQL injection can create serious consequences by allowing data extraction, unauthorised modification or discovery of password hashes and internal identifiers.

The Arabian Post
