Drupal’s latest critical vulnerability is drawing attention fast
Drupal is warning administrators that attackers are already trying to exploit CVE-2026-9082, a highly critical flaw patched this week. The issue sits in an API meant to help sanitize database queries, and that makes the bug especially dangerous for sites that rely on PostgreSQL.
For site owners, the timing matters as much as the severity. Drupal said it believed an exploit could appear within hours or days of disclosure, and it moved to warn users before the patch landed on May 20.
What the flaw can do
According to Drupal’s advisory, specially crafted requests can trigger arbitrary SQL injection on affected PostgreSQL-backed sites. Because the attack does not require authentication, an attacker may be able to use the bug to pull information from a site and, in some cases, move further into the system.
Drupal said the issue can also lead to privilege escalation and remote code execution in certain situations, which is why the vulnerability has been described as highly critical.
Who needs to pay attention
The good news is that the exposed population is relatively limited. Drupal said the flaw affects only sites using PostgreSQL databases, and it believes fewer than 5% of Drupal installations are impacted.
That still leaves a large number of potential targets. Drupal powers hundreds of thousands of websites, which means even a small percentage translates to a meaningful attack surface.
- Vulnerability: CVE-2026-9082
- Risk level: Highly critical
- Patch release: May 20
- Affected setups: Drupal sites using PostgreSQL
- Potential impact: SQL injection, data access, privilege escalation, remote code execution
Attackers are already scanning for exposed sites
Drupal updated the advisory to note that exploit attempts are now being detected in the wild. The Drupal security team rates advisories with the NIST CMSS scoring system, where the maximum score is 25, and the risk score for this flaw was raised from 20 to 23.
Security firm Imperva reported more than 15,000 exploitation attempts aimed at nearly 6,000 sites across 65 countries. Almost half of those attacks targeted gaming and financial services websites, suggesting that scanners are quickly homing in on exposed Drupal systems running vulnerable PostgreSQL configurations.
Imperva said the activity appears to be focused mostly on reconnaissance and validation for now, but it warned that the same flaw could rapidly shift from probing to data theft or privilege escalation if exploitation succeeds.
Why this feels familiar to longtime Drupal watchers
Severe Drupal bugs have a long history of turning into emergency patch situations. Even so, Drupal had not seen a highly critical vulnerability exploited in the wild in years; the most recent such reports date to 2019.
Before that, the Drupalgeddon and Drupalgeddon2 incidents became infamous for how quickly they were weaponized and how broadly they were used to compromise websites. That history is part of why this latest alert is getting attention so soon after disclosure.
For administrators, the takeaway is straightforward: if your Drupal deployment uses PostgreSQL, this is not a bug to leave for later. The patch is out, exploitation attempts are already being observed, and the window between disclosure and active abuse appears to have been short.