A SQL injection flaw in Drupal Core's database abstraction API can be triggered by unauthenticated, network-based requests and has been added to CISA's Known Exploited Vulnerabilities catalog with a five-day remediation window.
What Is It
CVE-2026-9082 is an improper neutralization of special elements used in an SQL command (CWE-89) affecting Drupal Core. According to CISA, specially crafted requests sent through the database abstraction API can be abused for SQL injection, leading to privilege escalation and remote code execution. The NVD assigns a CVSS 3.1 base score of 6.5 (Medium) with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N: the issue is network-reachable, requires no privileges, and needs no user interaction, but the vector scores only low confidentiality and integrity impact and no availability impact, which is why the base score sits in the Medium band despite the escalation path CISA describes.
Why It Matters
CISA added CVE-2026-9082 to the KEV catalog on 2026-05-22 with a due date of 2026-05-27, giving federal agencies just five days to remediate. While KEV lists known ransomware campaign use as "Unknown," inclusion in KEV itself signals confirmed active exploitation in the wild. Drupal powers a large share of public-facing government, education, and enterprise CMS deployments, and the database abstraction API is core to virtually every Drupal site, so the exposed attack surface is broad. The escalation path CISA describes, from SQL injection to privilege escalation and remote code execution, makes the practical impact materially higher than the 6.5 base score alone suggests.
What's Vulnerable
Per the NVD record, the flaw affects multiple supported branches of Drupal Core. The version ranges as published in the NVD entry are reproduced below; operators should consult the NVD record and Drupal's advisory directly to confirm the exact fixed release for their installed branch:
- 10.4.0 before 10.4.10
- 10.5.0 before 10.5.10
- 10.6.0 before 10.6.9
- 11.0.0 before 11.1.10
- 11.2.0 before 11.2.12
- 11.3.0 before 11.3.10
The vulnerability resides in Drupal Core itself, not in a contributed module.
Patch Status
The fixed release for each branch is the upper bound of the corresponding range above: 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, and 11.3.10. CISA's required action is to apply mitigations per the vendor's instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Operators of in-scope Drupal sites should upgrade to the patched release of their branch before the 2026-05-27 KEV due date, and should verify the installed version after the upgrade rather than relying on the package manager's exit status alone.
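To turn the affected ranges and fixed releases above into a repeatable fleet check, the following script compares an installed Drupal Core version against the ranges as quoted on this page and reports the fixed release to upgrade to. It is an added example, not code from the Drupal project, CISA, or NVD; the range table is transcribed from this page and must be re-confirmed against the NVD entry and SA-CORE-2026-004 before it is used for any decision. The function names, the sample `Drupal.php` excerpt, and the treatment of pre-release tags are assumptions of this example.

```python
"""Check an installed Drupal Core version against the CVE-2026-9082 ranges.

Added example; not the Drupal project's or CISA's code. The ranges below are
transcribed from the version list on this page (reproduced there from NVD);
verify them against the NVD record and SA-CORE-2026-004 before acting.
"""
from __future__ import annotations

import re

# (first affected, first fixed) per branch, exactly as listed on this page.
AFFECTED_RANGES: list[tuple[str, str]] = [
    ("10.4.0", "10.4.10"),
    ("10.5.0", "10.5.10"),
    ("10.6.0", "10.6.9"),
    ("11.0.0", "11.1.10"),
    ("11.2.0", "11.2.12"),
    ("11.3.0", "11.3.10"),
]

# MAJOR.MINOR.PATCH with an optional pre-release suffix such as "-rc1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")

# Drupal core exposes its version as `const VERSION = '...';` in core/lib/Drupal.php.
_DRUPAL_PHP_RE = re.compile(r"const\s+VERSION\s*=\s*'([^']+)'\s*;")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Parse a Drupal version into a comparable tuple.

    The fourth element orders a pre-release (11.3.10-rc1) *below* the final
    release of the same number, so a release candidate of the fixed version
    is still reported as affected (assumption of this example).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def version_from_drupal_php(source: str) -> str:
    """Extract the version constant from the contents of core/lib/Drupal.php."""
    m = _DRUPAL_PHP_RE.search(source)
    if not m:
        raise ValueError("no VERSION constant found in Drupal.php contents")
    return m.group(1)


def assess(installed: str) -> dict:
    """Return whether `installed` falls in a listed affected range.

    `listed` is False when the version lies outside every range quoted on
    this page; that is not a clean bill of health, only an instruction to
    consult the advisory directly.
    """
    v = parse_version(installed)
    for low, high in AFFECTED_RANGES:
        if parse_version(low) <= v < parse_version(high):
            return {"version": installed, "affected": True,
                    "listed": True, "upgrade_to": high}
    listed = any(parse_version(high) <= v and v[:2] == parse_version(high)[:2]
                 for _, high in AFFECTED_RANGES)
    return {"version": installed, "affected": False,
            "listed": listed, "upgrade_to": None}


# Constructed sample of the relevant line from core/lib/Drupal.php (not a
# real file excerpt; the version number is chosen to fall in the 10.6 range).
SAMPLE_DRUPAL_PHP = """<?php
class Drupal {
  const VERSION = '10.6.2';
}
"""

if __name__ == "__main__":
    for candidate in ("10.5.3", "10.5.10", "11.0.5", "11.3.10-rc1", "12.0.0",
                      version_from_drupal_php(SAMPLE_DRUPAL_PHP)):
        print(assess(candidate))
```

Run it with the output of `grep "const VERSION" core/lib/Drupal.php` from each site root, or wrap `assess()` in whatever inventory tooling already enumerates your Drupal installs. Note that it only checks Drupal Core; a site pinned to a patched core release is still exposed if a deployment process later rolls it back, so the check belongs in a recurring job rather than a one-off.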
Sources
- CISA Known Exploited Vulnerabilities Catalog, entry for CVE-2026-9082
- Drupal Security Advisory SA-CORE-2026-004, https://www.drupal.org/sa-core-2026-004
- NVD, CVE-2026-9082, https://nvd.nist.gov/vuln/detail/CVE-2026-9082