The CrowdSec Network is tracking exploitation attempts targeting CVE-2026-9082, a SQL injection vulnerability in Drupal core that affects JSON:API filter parameter keys on exposed /jsonapi/ endpoints. This issue is moving fast enough that defenders should treat it as urgent now, not as a patch for next week. Drupal published the advisory on May 20, 2026. CrowdSec saw early probing attempts on May 21 and released detection coverage on May 22, CISA added the issue to the Known Exploited Vulnerabilities catalog the same day, and CrowdSec first observed exploitation on May 23. So far, we have seen 68 distinct attacking IPs through May 25, which places this threat firmly in the early-exploitation phase rather than a full internet-wide spray.

Key findings
- The timeline escalated almost immediately: Drupal published CVE-2026-9082 on May 20, 2026; CrowdSec saw probing on May 21; shipped a rule on May 22; CISA added it to KEV on May 22; and exploitation reached our network on May 23.
- The activity is real: CrowdSec has observed 68 distinct attacking IPs so far, indicating active operator interest without the broad, noisy volume that usually follows.
- The vulnerable surface is business-facing: Drupal powers public websites, portals, and content platforms, and the affected JSON:API module is often exposed to support headless front ends, partner integrations, and mobile experiences.
What is Drupal?
Drupal is a widely used open-source content management system that powers public-sector sites, enterprise marketing platforms, university websites, and large content-heavy digital properties. Many organizations use its JSON:API module to deliver content to modern web applications, mobile apps, and decoupled front ends.
Why it matters: When a SQL injection flaw appears in a public content platform, the risk is not limited to a defaced web page. Attackers may be able to read sensitive database content, tamper with stored data, or abuse trusted application paths to move deeper into the environment. For teams that treat the CMS as “just the website,” this is the moment to remember that the website often has a hallway pass to customer data, content workflows, and internal administration.
How does CVE-2026-9082 work?
According to Drupal’s advisory, CVE-2026-9082 is caused by improper neutralization of attacker-controlled input in JSON:API filter parameter keys. In plain terms, a request sent to a /jsonapi/ endpoint can include SQL metacharacters in the filter key itself, not just in the value, which is where most input validation and most existing detection rules look. Payloads such as crafted filter[…] parameters whose keys contain operators like ||, backticks, or time-delay expressions can be concatenated into the backend query, altering how the database interprets the request.
That matters because the vulnerable path can be reached over HTTP on an internet-facing application surface that many defenders intentionally leave exposed for content delivery. Depending on the target configuration and the attacker’s objective, this can support unauthorized data access, database manipulation, or follow-on compromise steps.
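Because the injection point is the parameter key rather than the value, a practical check is to hold every filter[...] key on a /jsonapi/ request to the narrow character set a real JSON:API filter needs (field names, dotted relationship paths, condition keywords) and flag anything else, then label why. The block below is an added example written for this page; it is not CrowdSec's published rule and not Drupal code. The allowlist regex, the token list, and the combined-log-format access-log lines (RFC 5737 documentation addresses) are all assumptions constructed for the demo.

```python
"""Flag /jsonapi/ requests whose filter[...] parameter keys carry SQL
metacharacters. Added example (not CrowdSec's published rule, not Drupal
code); the log lines below are constructed for the demo."""
import re
from urllib.parse import parse_qsl, urlsplit

# A legitimate JSON:API filter key is a chain of bracketed segments made of
# field names, dotted relationship paths and condition keywords, e.g.
# filter[title][value] or filter[field_tags.name][operator]. Anything
# else in the key (not the value) is outside what the API needs.
FILTER_KEY_OK = re.compile(r"^filter(\[[A-Za-z0-9_.\-]*\])+$")

# Tokens that only make sense inside a SQL expression, never in a key.
SQL_HINTS = (
    ("||", "concatenation / OR operator"),
    ("`", "backtick identifier quoting"),
    ("'", "string quote"),
    ("--", "line comment"),
    ("/*", "block comment"),
    (";", "statement separator"),
)
TIME_DELAY = re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor\s+delay)\b", re.I)

# Combined log format: ip ident user [ts] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_filter_keys(target):
    """Return one finding per filter[...] key in the request target that
    falls outside the allowlist. Only the key is inspected; values are a
    separate concern. Non-/jsonapi/ paths are ignored because the flaw is
    specific to that surface."""
    parts = urlsplit(target)
    if not parts.path.startswith("/jsonapi/"):
        return []
    findings = []
    # parse_qsl percent-decodes, so filter%5B...%5D and filter[...] look alike.
    for key, _value in parse_qsl(parts.query, keep_blank_values=True):
        if not key.startswith("filter[") or FILTER_KEY_OK.match(key):
            continue
        reasons = [why for token, why in SQL_HINTS if token in key]
        if TIME_DELAY.search(key):
            reasons.append("time-delay function")
        findings.append({"key": key, "reasons": reasons or ["non-allowlisted characters"]})
    return findings


def scan_log(lines):
    """Run the key check over access-log lines; return one hit per
    offending request with the source IP attached."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip it
        findings = suspicious_filter_keys(m["target"])
        if findings:
            hits.append({"ip": m["ip"], "target": m["target"], "findings": findings})
    return hits


def distinct_sources(hits):
    """Distinct attacking IPs, the figure the alert above counts."""
    return sorted({h["ip"] for h in hits})


# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [23/May/2026:04:12:01 +0000] "GET /jsonapi/node/article?filter[title][value]=hello&filter[title][operator]=CONTAINS HTTP/1.1" 200 1532 "-" "curl/8.0"',
    '203.0.113.10 - - [23/May/2026:04:12:02 +0000] "GET /jsonapi/node/article?filter[tag-filter][condition][path]=field_tags.name HTTP/1.1" 200 988 "-" "curl/8.0"',
    '198.51.100.7 - - [23/May/2026:04:15:40 +0000] "GET /jsonapi/node/article?filter%5Btitle%7C%7Csleep(5)%5D%5Bvalue%5D=x HTTP/1.1" 500 211 "-" "python-requests/2.31"',
    '198.51.100.7 - - [23/May/2026:04:15:41 +0000] "GET /jsonapi/node/article?filter%5Btitle%5D%5Bvalue%27--%5D=1 HTTP/1.1" 500 211 "-" "python-requests/2.31"',
    '192.0.2.44 - - [23/May/2026:05:02:13 +0000] "GET /jsonapi/user/user?filter[%60name%60][value]=admin HTTP/1.1" 500 211 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [23/May/2026:05:02:14 +0000] "GET /node/1?filter[title||x][value]=1 HTTP/1.1" 404 150 "-" "Mozilla/5.0"',
    "garbage that is not an access-log line",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["target"])
        for f in hit["findings"]:
            print("   key:", f["key"], "->", ", ".join(f["reasons"]))
    print("distinct sources:", distinct_sources(scan_log(SAMPLE_LOG)))
```

The allowlist does the real work; the token list only explains a hit. That ordering matters because an attacker can avoid every listed token and still smuggle a quote or a parenthesis into the key, and the allowlist catches that without a signature update. Percent-decoding before the check is likewise essential: the same payload arrives as filter%5B...%5D from one tool and as filter[...] from another.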
Original advisory: Drupal security advisory SA-CORE-2026-004
Reference overview: CVE-2026-9082 on NVD
Research credit: this alert is based on the official Drupal security advisory. Follow the Drupal ecosystem on LinkedIn and X for project updates.
Threat Landscape Analysis
The current CrowdSec picture is important precisely because it is not yet massive. Early exploitation with 68 observed IPs means attackers are already testing and using the bug, but the campaign has not yet become commodity background noise. CrowdSec also observed probing activity on May 21, before the KEV listing, suggesting that attacker attention arrived almost as soon as the advisory did. That is usually the narrow window where defenders can still get ahead, and it tends to close quickly once public exploit material and KEV status line up.

Three factors raise the urgency. First, CrowdSec observed probing before the KEV listing, which means attacker attention was already forming while many teams were still triaging the advisory. Second, public exploit material is available, which lowers the skill barrier for follow-on actors. Third, the CISA KEV status arrived almost immediately, which is a strong signal that exploitation has moved from theoretical risk to operational concern. When a Drupal flaw lands in KEV this quickly, defenders should assume scanning pressure will broaden, especially against public-sector and enterprise sites that historically keep Drupal exposed for business reasons.
How to protect your systems
Patch: Upgrade Drupal core to a fixed release in your supported branch. Drupal lists the following patched versions for CVE-2026-9082:
- 10.4.10 or later
- 10.5.10 or later
- 10.6.9 or later
- 11.1.10 or later
- 11.2.12 or later
- 11.3.10 or later
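Because the fix lands at a different patch level on each branch, "am I patched?" is a per-branch comparison, not a single version threshold, and a site on a branch the advisory does not list (10.3.x, 9.x) is not safe by omission. The block below is an added example for this page, not Drupal's or CrowdSec's tooling; it encodes the list above, reads the pinned drupal/core version out of a composer.lock document, and reports a status. The composer.lock fragment is constructed, and the handling of pre-release tags is a conservative choice made here, not something the advisory states.

```python
"""Decide whether an installed Drupal core version is at or above the
fixed release the advisory lists for its branch. Added example, not
Drupal's or CrowdSec's tooling; the composer.lock fragment is constructed."""
import json
import re

# Fixed patch level per branch (major, minor), straight from the list above.
FIXED_PATCH = {
    (10, 4): 10,
    (10, 5): 10,
    (10, 6): 9,
    (11, 1): 10,
    (11, 2): 12,
    (11, 3): 10,
}

# Accepts 11.2.12, v11.2.12 and pre-release/dev tags like 11.2.12-rc1.
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?P<suffix>[-+].*)?$")


def assess(version):
    """Return 'fixed', 'vulnerable', 'unlisted-branch' or 'unparseable'."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unparseable"
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        # e.g. 10.3.x or 9.x: the advisory names no fix there. For an
        # end-of-life branch that means "move to a listed branch", not "safe".
        return "unlisted-branch"
    if patch > fixed:
        return "fixed"
    # A pre-release of the fix release itself (11.2.12-rc1) predates the
    # tagged fix; treated conservatively as not fixed (choice made here).
    if patch == fixed and not m.group("suffix"):
        return "fixed"
    return "vulnerable"


def core_version_from_lock(lock_text):
    """Pull drupal/core's pinned version out of a composer.lock document."""
    for pkg in json.loads(lock_text).get("packages", []):
        if pkg.get("name") == "drupal/core":
            return pkg.get("version")
    return None


# Constructed composer.lock fragment, not taken from a real site.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "11.2.11"},
        {"name": "example/other-package", "version": "1.0.0"},
    ]
})

if __name__ == "__main__":
    v = core_version_from_lock(SAMPLE_LOCK)
    print(v, "->", assess(v))
```

Run it against each site's real composer.lock (or the version reported by your deployment tooling) rather than the sample, and treat "unlisted-branch" as an action item: it means the advisory offers no in-place fix for that branch.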
Preemptive blocking: If you cannot patch immediately, review whether every exposed /jsonapi/ endpoint truly needs to be internet-reachable. Restrict access where possible, and use CrowdSec WAF in front of Drupal to block malicious incoming requests.
Stay proactive: monitor the CrowdSec Live Exploit Tracker for CVE-2026-9082 to follow activity updates and identify new IPs joining exploitation.
Sharing insights and taking swift action can collectively reduce the impact of these threats. This is your call to action for real-time threat intelligence and collaborative cybersecurity.
