How to Fix CVE-2026-9082: SQL Injection in Drupal core
By Sai Kiran Pandrala
| Severity | CVSS 9.8 - Critical |
|---|---|
| Actively exploited? | Yes, listed in CISA KEV (added 2026-05-22) |
| Affected | Drupal core 8.9.0 up to (excluding) 10.4.10; Drupal core 10.5.0 up to (excluding) 10.5.10; Drupal core 10.6.0 up to (excluding) 10.6.9; Drupal core 11.0.0 up to (excluding) 11.1.10; see advisory for full list |
| Fixed in | 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12 (see advisory) |
| Type (CWE) | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
Patch immediately. CISA added CVE-2026-9082 to the Known Exploited Vulnerabilities catalog on 2026-05-22. Federal civilian agencies must remediate by 2026-05-27. Treat every internet-reachable instance as a priority patch.
What is CVE-2026-9082?
CVE-2026-9082 is a SQL Injection flaw in Drupal core. It carries a CVSS base score of 9.8 (critical). CISA confirmed real-world exploitation by adding it to the Known Exploited Vulnerabilities catalog on 2026-05-22.
From the source record: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection.
This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.
Why it matters in practice: KEV-listed CVEs draw continuous internet-wide scanning. Any unpatched, internet-reachable installation is on borrowed time. The blast radius depends on how the affected service is exposed. An internet-facing instance with no compensating controls is the highest-risk configuration.
Am I affected?
You are affected if your installation of Drupal core matches a version listed in the Affected row above.
Check the running version from the admin UI (Reports -> Status report on Drupal, Updates page on WordPress). From a shell:
# Drupal
drush status | grep -i version
# WordPress
wp core version
How to fix CVE-2026-9082
Apply the vendor patch. Target a build at or above: 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12 (see advisory). The runnable command set below covers the most common deployment patterns for Drupal core.
Drupal
# In the site root
composer update drupal/core --with-dependencies
vendor/bin/drush updatedb -y
vendor/bin/drush cache:rebuild
drush status | grep -i version
WordPress
wp core update
wp plugin update --all
wp theme update --all
wp core version
After applying the patch
- Restart the service or device so the patched binary loads.
- Confirm the running version matches the Fixed in row using the verification command below.
- Rotate credentials and API keys that the affected service could access if the asset was exposed during the disclosure window.
If you can't patch immediately
Until the patch lands, narrow the attack surface with these runnable controls.
Restrict the affected endpoint at the web server
# Apache .htaccess - block public access to admin
<Location "/admin">
Require ip 10.10.10.0/24
</Location>
Put the site in maintenance mode while you patch
# Drupal
drush state:set system.maintenance_mode 1
# WordPress
wp maintenance-mode activate
Mitigations are temporary. Apply the vendor patch as soon as a maintenance window opens.
How to verify the fix worked
Confirm the patched build is the one actually running.
drush status | grep -i version # Drupal
wp core version # WordPress
Expected: the version equals 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12 (see advisory) or newer.
Also worth doing: pull recent log windows for any indicators of compromise listed in the vendor advisory, and re-run an authenticated vulnerability scan with up-to-date signatures.
Frequently asked questions
Related fixes
Other vulnerabilities in the same area that are worth patching alongside this one:
- How to Fix CVE-2026-8495: Missing Authorization in Date iCal — Missing Authorization in Date iCal
- How to Fix CVE-2026-3216: Critical Vulnerability in Drupal Canvas — Critical Vulnerability in Drupal Canvas
- How to Fix CVE-2026-6871: Cross-Site Scripting in Obfuscate , Cross-Site Scripting in Obfuscate
- How to Fix CVE-2026-0946: Critical Vulnerability in AT Internet SmartTag , Critical Vulnerability in AT Internet SmartTag
- How to Fix CVE-2026-3215: Critical Vulnerability in Islandora , Critical Vulnerability in Islandora
Is CVE-2026-9082 being exploited in the wild?
Yes. CISA added CVE-2026-9082 to the Known Exploited Vulnerabilities catalog on 2026-05-22. KEV listing means at least one confirmed real-world exploitation report exists.
Do I have to take downtime to patch?
For most Drupal core deployments, the patched build needs a service restart or device reboot. HA pairs and clusters can roll the upgrade by patching the standby first, failing over, then patching the former primary.
Will a WAF or IDS rule alone close CVE-2026-9082?
No. Network filters cut down opportunistic scans but they do not remove the flaw. The vendor patch is the only durable fix.
Why is CVE-2026-9082 rated critical?
The CVSS base score of 9.8 reflects network reach, low attack complexity, and high impact on confidentiality, integrity, and availability. That combination is what the rating model maps to critical.
References
- Official vendor advisory: https://www.drupal.org/sa-core-2026-004
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2026-9082
- CISA KEV catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- CISA KEV entry: "Drupal Core SQL Injection Vulnerability" - added 2026-05-22, due 2026-05-27
*Assembled from the official vendor advisory, the NVD record, and the CISA KEV listing on 2026-05-25. Always confirm against the vendor advisory before applying changes in production.*