Threat actors began exploiting a critical SQL injection vulnerability in Drupal within 48 hours of the patch release, confirming active exploitation of the flaw designated CVE-2026-9082. Drupal issued the emergency security update on May 20, addressing a vulnerability that allows unauthenticated attackers to execute arbitrary database queries against sites running PostgreSQL.
The vulnerability carries a CVSS score of 10.0, reflecting its unauthenticated attack vector and potential for complete system compromise. The flaw originates from improper input sanitization in PostgreSQL-specific query construction within Drupal's database abstraction layer. Sites running MySQL or MariaDB are unaffected, as the issue is isolated to the PostgreSQL driver.
Drupal maintainers had warned ahead of the patch release that exploits could emerge within hours of disclosure. The confirmed 48-hour exploitation window reinforces a pattern in which high-severity vulnerabilities in widely deployed open-source platforms are rapidly integrated into automated scanning tools and exploitation frameworks.
Organizations running Drupal on PostgreSQL should patch to the latest stable releases immediately. Where operational constraints prevent immediate updates, compensating controls must be deployed without delay: enforce strict SQL injection detection rules through web application firewalls, restrict database port access at the network perimeter, disable the dblog module if not essential, and intensify monitoring of server logs for anomalous query patterns.
The incident underscores the widening gap between patch availability and patch deployment in enterprise environments. As exploitation timelines compress from weeks to days, organizations relying on scheduled maintenance windows face an increasingly asymmetrical risk profile. Security teams managing Drupal deployments should transition from manual patch cycles to automated vulnerability tracking and deployment pipelines, particularly for upstream critical-rated vulnerabilities.
CVE-2026-9082 also demonstrates that database-specific vulnerabilities can remain undetected until a particular configuration triggers them. Organizations maintaining multi-database support should ensure security testing validates each supported backend independently, as flaws may not manifest uniformly across all configurations.
Incident response playbooks must account for near-zero-day exploitation timelines, with pre-staged compensating controls ready for rapid activation when upstream patches drop. The window between disclosure and exploitation is no longer measured in weeks — it is measured in hours.
網絡威脅行為者於修補程式發布後 48 小時內開始利用 Drupal 中的關鍵 SQL 注入漏洞,確認編號 CVE-2026-9082 的漏洞正遭主動攻擊。Drupal 於 5 月 20 日發布緊急安全更新,修補此漏洞——該漏洞允許未經認證的攻擊者針對運行 PostgreSQL 的網站執行任意資料庫查詢。
該漏洞的 CVSS 評分達 10.0,反映其未經認證的攻擊途徑及完全控制系統的潛在風險。漏洞源於 Drupal 資料庫抽象層中 PostgreSQL 特定查詢構建的輸入處理不當。運行 MySQL 或 MariaDB 的網站不受影響,因問題僅限於 PostgreSQL 驅動程式。
Drupal 維護者曾於修補程式發布前警告,漏洞披露後數小時內或會出現攻擊程式。經確認的 48 小時利用窗口進一步印證了一個模式:廣泛部署的開源平台中高嚴重性漏洞會迅速被整合至自動化掃描工具及攻擊框架。
於 PostgreSQL 上運行 Drupal 的機構應立即更新至最新穩定版本。若因運作限制無法即時更新,必須毫不延誤地部署補償性控制措施:透過 web application firewall 實施嚴格的 SQL 注入偵測規則、於網絡邊界限制資料庫端口存取、如非必要則停用 dblog module,並加強監控伺服器記錄中的異常查詢模式。
是次事件突顯企業環境中修補程式可用性與實際部署之間日益擴大的差距。隨著利用時間線由數周壓縮至數天,依賴預定維護窗口的機構正面臨日益不對稱的風險狀況。管理 Drupal 部署的安全團隊應由手動修補週期轉向自動化漏洞追蹤及部署 pipeline,特別是針對被上游評為 critical 的漏洞。
CVE-2026-9082 同時證明,特定資料庫的漏洞可能一直未被發現,直至特定配置將其觸發。維持多資料庫支援的機構應確保安全測試獨立驗證每個支援的後端,因為漏洞未必於所有配置中一致顯現。
事故應變預案必須應對接近 zero-day 的利用時間線,預先部署補償性控制措施,以便於上游修補程式發布時迅速啟用。漏洞披露與遭利用之間的時間窗口已不再以周計算——而是以小時計算。