CVE-2026-9082 — Drupal Core: SQL Injection | CVSS 9.8 CRITICAL

CRITICAL

CVSS 9.8 CRITICAL  ·  EPSS 17%  ·  Drupal Core

Severity Overview

Summary

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection.

This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.

What the Attack Looks Like

How it works: Attacker-controlled input is inserted into a SQL query without sanitization. The database executes the modified query, which can expose data, bypass authentication, or in some configurations execute commands on the host.

If successfully exploited: A successful exploit grants the attacker elevated privileges on the target system — typically administrator or root — enabling full control of the affected host. Full confidentiality and integrity impact means an attacker can both read and modify sensitive data — useful for credential harvesting, data theft, or manipulating application state. High availability impact means the vulnerability can also cause a denial of service, which may be used for disruption or as a diversion during a broader attack.

Analyst Takeaway

The attack is launched over the network (remotely exploitable without physical access) and no authentication is required. This vulnerability is already in CISA KEV, which means exploitation has been confirmed in the wild — treat this as active risk, not theoretical exposure. The CVSS score places this in critical territory, so internet-facing systems and high-value assets should be prioritized for immediate remediation or compensating controls. The mapping indicates possible privilege escalation behavior, so local admin and kernel-level activity should be reviewed if compromise is suspected. In parallel with patching, defenders should review external exposure, hunt for signs of exploitation, and validate whether compensating controls are in place for vulnerable assets.

MITRE ATT&CK Mapping

• T1068 – Exploitation for Privilege Escalation
  Rationale: The vulnerability context indicates local or kernel-level privilege escalation behavior.

Detection Guidance

• CWE-89 — SQL Injection
  • WAF and application logs: Search request parameters for SQL syntax: UNION SELECT, OR 1=1, -- (comment sequences), single quotes, SLEEP(, WAITFOR DELAY, BENCHMARK(, and their URL-encoded forms. Time-based blind injection may not appear in app logs but will show anomalous response latency.
  • Database error logs: A spike in query syntax errors from the application’s database user is a strong injection indicator. Legitimate traffic rarely generates SQL errors in bulk.
  • Database activity monitoring: Look for queries accessing tables outside the application’s normal working set, unexpected SELECT * across sensitive tables, or INFORMATION_SCHEMA / system catalog queries — these indicate an attacker enumerating the schema.
  • Out-of-band indicators: Successful SQL injection may cause the database server to make outbound DNS or HTTP requests (for exfiltration). Monitor for unexpected outbound connections from database hosts.
• T1068 — Exploitation for Privilege Escalation
  • Monitor for unexpected privilege changes, token manipulation, or process execution under SYSTEM or root that is not consistent with your baseline.
  • Review service creation (Event ID 7045), scheduled task creation (Event ID 4698), and kernel driver load events for unexpected entries.
  • Inspect EDR kernel-level alerts and OS-level memory protection violations associated with the vulnerable host or process.

Hunting Considerations

These are proactive hunts mapped to the ATT&CK techniques identified for this CVE. Run them now — do not wait for an alert to fire.

• T1068 — Exploitation for Privilege Escalation
  • Privilege assignment events (Windows): Search for Event ID 4672 (Special Privileges Assigned to New Logon) for accounts that should not hold elevated rights. Correlate with Event ID 4688 (process creation) to see what ran immediately after the privilege was granted.
  • Unexpected SYSTEM/root processes: Hunt for processes running as NT AUTHORITY\SYSTEM or root that are not part of your baseline — particularly interactive shells (cmd.exe, PowerShell, bash) or network utilities running at that privilege level.
  • Service and driver installation (Windows): Event ID 7045 (new service installed) and kernel driver load events are key. Privilege escalation exploits frequently install a service or load a driver as the escalation mechanism — any unexpected entry here warrants investigation.
  • Linux-specific indicators: Search auditd for unexpected setuid/setgid executions, sudo invocations by users outside your admin group, and privilege-change syscalls (setuid, setreuid, setresuid) from non-root processes.
  • Token manipulation (Windows): Sysmon Event 10 (process access) targeting lsass.exe or other high-privilege processes often precedes or accompanies privilege escalation. Unusual OpenProcess calls against security processes are a strong signal.

Recommended Actions

Immediate (0–24 Hours)

• Inventory: Identify all systems running Drupal Core. Include production, staging, dev, and cloud environments — untracked instances are the most likely to remain unpatched.
• Validate internet-facing exposure: Determine which of the affected systems are reachable from the public internet. Prioritize these for immediate remediation or compensating controls.
• Apply compensating controls now: For systems that cannot be patched immediately, implement temporary mitigations: restrict access via firewall rules or ACLs, add WAF rules if applicable, disable or isolate the vulnerable component if feasible without breaking critical operations.

Remediation

• Apply the vendor patch: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
• CISA directive deadline: 2026-05-27 — this is the mandatory deadline for US federal civilian agencies under BOD 22-01. All organizations should treat this date as a strong target regardless of federal mandate.
• Verify remediation: After patching, confirm the correct version is installed on all affected hosts. Run a vulnerability scan or use your asset management tooling to verify — do not rely solely on change tickets.
• Post-patch compromise assessment: Privilege escalation and lateral movement techniques can result in persistent access that survives patching. After remediation, review the hunting considerations in this alert to assess whether compromise occurred before the patch was applied.

Detection Coverage

• Verify ATT&CK coverage: Confirm your SIEM and EDR have detection logic in place for T1068. Review the Detection Guidance and Hunting Considerations sections of this alert for the specific log sources and behavioral patterns to monitor.
• Unauthenticated exploitation monitoring: Because this vulnerability requires no authentication, internet-facing scanning and exploitation attempts may begin within hours of public disclosure. Ensure alerting is in place before the end of the day.
• Threat intelligence feeds: Monitor your TI feeds and vendor advisory channels for published indicators of compromise (IOCs), proof-of-concept exploit releases, or active campaign reporting associated with this CVE — these should trigger an immediate hunt even if no internal alerts have fired.

Vulnerability Details

Additional Notes

https://www.drupal.org/sa-core-2026-004 ; https://nvd.nist.gov/vuln/detail/CVE-2026-9082