6.5
/ 10
MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Description
**_TL;DR:_**_CVE-2026-9082 is a highly critical SQL injection vulnerability in Drupal core that can be exploited by unauthenticated users against Drupal sites using PostgreSQL. The vulnerability affects Drupal’s database abstraction API and can allow specially crafted requests to trigger arbitrary SQL injection, potentially leading to information disclosure, privilege escalation, remote code execution, or additional attacks. Drupal released patches across supported versions, and affected organizations should upgrade immediately.**Imperva customers are protected against exploitation attempts associated with CVE-2026-9082.**_
## About CVE-2026-9082
On May 20, 2026, the Drupal Security Team disclosed SA-CORE-2026-004, tracked as CVE-2026-9082. The vulnerability affects Drupal core versions from 8.9.0 before 10.4.10, 10.5.0 before 10.5.10, 10.6.0 before 10.6.9, 11.0.0 before 11.1.10, 11.2.0 before 11.2.12, and 11.3.0 before 11.3.10.
The issue exists in Drupal’s database abstraction API, which is designed to sanitize database queries and prevent SQL injection. According to Drupal, specially crafted requests can result in arbitrary SQL injection on sites using PostgreSQL databases. The vulnerability can be exploited by unauthenticated users and may lead to information disclosure and, in some cases, privilege escalation, remote code execution, or other follow-on attacks.
The vulnerability is specific to PostgreSQL-backed Drupal deployments. The flaw stems from attacker-controlled array keys flowing into SQL placeholder names in Drupal’s PostgreSQL entity query handling. Researchers identified two unauthenticated paths to the vulnerable code: the JSON login endpoint and JSON:API filter syntax.
## What We’ve Seen
Since CVE-2026-9082 was released, Imperva has observed over 15,000 attack attempts targeting almost 6,000 individual sites across 65 countries. Attacks are primarily targeting Gaming and Financial Services sites so far, at collectively almost 50% of all attacks.
Most of the observed activity so far appears to be probing. The payloads in the attached Imperva data largely focus on JSON:API routes, particularly /jsonapi/node/article, and use crafted filter parameters designed to test whether a target is vulnerable. Several payloads include Nuclei-style markers such as nuclei_sa_core_2026_004, nuclei-probe, and nuclei-probe-miss, indicating automated scanning and template-based validation activity.
The most common payload patterns include:
* JSON:API filter probes using operator=IN against the title field
* Crafted array keys such as 0), 0)) OR 1=1 -, and _) AND 1=1-
* Time-based SQL injection checks using PostgreSQL functions such as pg_sleep
* UNION-style and syntax-break probes intended to validate error-based SQL injection behavior
This pattern suggests attackers and scanners are primarily attempting to identify exposed Drupal sites running vulnerable PostgreSQL-backed configurations. While the activity is currently dominated by reconnaissance and validation, the nature of the vulnerability means successful exploitation could quickly move from probing to data extraction or privilege escalation.
## Mitigation and Protection
Organizations running Drupal should upgrade immediately to one of the patched versions: **10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, or 11.3.10**. Searchlight Cyber also noted that the same Drupal release includes Symfony and Twig security updates, making patching important even for environments not using PostgreSQL.
**Imperva customers with any WAF deployment are protected against exploitation attempts associated with CVE-2026-9082.**
## Bottom Line
CVE-2026-9082 is a high-priority Drupal core vulnerability because it is remotely reachable, exploitable by unauthenticated users, and affects a core query-handling mechanism. Although the vulnerability is limited to PostgreSQL-backed Drupal sites, the widespread use of Drupal and the speed of observed scanning make this an urgent patching priority.
Imperva has already observed broad probing across thousands of sites and dozens of countries. Imperva customers are protected, but organizations should still patch immediately, review logs for suspicious JSON:API and /user/login?_format=json activity, and confirm whether any Drupal deployments use PostgreSQL.
The post Imperva Customers Protected Against CVE-2026-9082 in Drupal Core appeared first on Blog.
## About CVE-2026-9082
On May 20, 2026, the Drupal Security Team disclosed SA-CORE-2026-004, tracked as CVE-2026-9082. The vulnerability affects Drupal core versions from 8.9.0 before 10.4.10, 10.5.0 before 10.5.10, 10.6.0 before 10.6.9, 11.0.0 before 11.1.10, 11.2.0 before 11.2.12, and 11.3.0 before 11.3.10.
The issue exists in Drupal’s database abstraction API, which is designed to sanitize database queries and prevent SQL injection. According to Drupal, specially crafted requests can result in arbitrary SQL injection on sites using PostgreSQL databases. The vulnerability can be exploited by unauthenticated users and may lead to information disclosure and, in some cases, privilege escalation, remote code execution, or other follow-on attacks.
The vulnerability is specific to PostgreSQL-backed Drupal deployments. The flaw stems from attacker-controlled array keys flowing into SQL placeholder names in Drupal’s PostgreSQL entity query handling. Researchers identified two unauthenticated paths to the vulnerable code: the JSON login endpoint and JSON:API filter syntax.
## What We’ve Seen
Since CVE-2026-9082 was released, Imperva has observed over 15,000 attack attempts targeting almost 6,000 individual sites across 65 countries. Attacks are primarily targeting Gaming and Financial Services sites so far, at collectively almost 50% of all attacks.
Most of the observed activity so far appears to be probing. The payloads in the attached Imperva data largely focus on JSON:API routes, particularly /jsonapi/node/article, and use crafted filter parameters designed to test whether a target is vulnerable. Several payloads include Nuclei-style markers such as nuclei_sa_core_2026_004, nuclei-probe, and nuclei-probe-miss, indicating automated scanning and template-based validation activity.
The most common payload patterns include:
* JSON:API filter probes using operator=IN against the title field
* Crafted array keys such as 0), 0)) OR 1=1 -, and _) AND 1=1-
* Time-based SQL injection checks using PostgreSQL functions such as pg_sleep
* UNION-style and syntax-break probes intended to validate error-based SQL injection behavior
This pattern suggests attackers and scanners are primarily attempting to identify exposed Drupal sites running vulnerable PostgreSQL-backed configurations. While the activity is currently dominated by reconnaissance and validation, the nature of the vulnerability means successful exploitation could quickly move from probing to data extraction or privilege escalation.
## Mitigation and Protection
Organizations running Drupal should upgrade immediately to one of the patched versions: **10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, or 11.3.10**. Searchlight Cyber also noted that the same Drupal release includes Symfony and Twig security updates, making patching important even for environments not using PostgreSQL.
**Imperva customers with any WAF deployment are protected against exploitation attempts associated with CVE-2026-9082.**
## Bottom Line
CVE-2026-9082 is a high-priority Drupal core vulnerability because it is remotely reachable, exploitable by unauthenticated users, and affects a core query-handling mechanism. Although the vulnerability is limited to PostgreSQL-backed Drupal sites, the widespread use of Drupal and the speed of observed scanning make this an urgent patching priority.
Imperva has already observed broad probing across thousands of sites and dozens of countries. Imperva customers are protected, but organizations should still patch immediately, review logs for suspicious JSON:API and /user/login?_format=json activity, and confirm whether any Drupal deployments use PostgreSQL.
The post Imperva Customers Protected Against CVE-2026-9082 in Drupal Core appeared first on Blog.
Basic Information
ID
IMPERVABLOG:B3D3F560C05210784BB760168A0136D3
Published
May 21, 2026 at 20:54