An unauthenticated attacker can extract data, escalate privileges, and execute arbitrary code on any PostgreSQL-backed Drupal site running 8.9 through 11.3.9. No login required. The flaw lives in Drupal's database abstraction API, and exploit code is already deployed in the wild.

CISA added CVE-2026-9082 to the Known Exploited Vulnerabilities catalog on May 22. Imperva recorded over 15,000 attack attempts against nearly 6,000 sites across 65 countries — the window between advisory publication and mass exploitation closed in under 48 hours. Federal agencies must remediate by May 27.

Drupal published patched versions on May 20: 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, and 11.3.10. Update to the release that matches your current branch.

One thing worth getting right: MySQL sites are not affected. This is a PostgreSQL-specific flaw in how the database abstraction layer constructs queries. If your Drupal installation runs on MySQL or MariaDB, you are not exposed by this vulnerability — but verify before assuming.

Patching is straightforward in principle and painful in practice. Drupal core updates often require coordinating contrib module compatibility, and teams running Drupal inside managed hosting or containers sometimes discover they cannot push a patch without a change window they haven't scheduled yet. That scheduling gap needs to close now — Drupal rates this flaw 23/25 on its own severity scale, and the advisory confirms deployed exploit code.

Check your PostgreSQL-backed Drupal instances first. If you run multiple environments, patch production before worrying about staging.
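The two facts that decide exposure are the database driver in `settings.php` and the core version relative to the patched release for its branch. The script below is an added example, not tooling from the advisory or from the Drupal project: it reads the `'driver'` key out of a `settings.php` fragment (the sample file content is constructed here; `pgsql` is Drupal's PostgreSQL driver name), parses a core version string, and reports whether a site is exposed, patched, on an unaffected database, or cannot be judged because the driver is unknown. Branches in the affected range with no patched release listed (for example 9.x or 10.3.x) are treated as still exposed, and an unreadable driver is reported rather than assumed safe.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Patched releases named in the advisory, keyed by (major, minor) branch.
FIXED = {
    (10, 4): (10, 4, 10),
    (10, 5): (10, 5, 10),
    (10, 6): (10, 6, 9),
    (11, 1): (11, 1, 10),
    (11, 2): (11, 2, 12),
    (11, 3): (11, 3, 10),
}
# Affected range stated in the advisory: 8.9 through 11.3.9 on PostgreSQL.
AFFECTED_MIN: Version = (8, 9, 0)
AFFECTED_MAX: Version = (11, 3, 9)
POSTGRES_DRIVER = "pgsql"


def parse_version(text: str) -> Version:
    """Turn '10.4.10' (or '10.4.10-dev') into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def db_driver_from_settings(settings_php: str) -> Optional[str]:
    """Extract the 'driver' value from the $databases array in settings.php.

    Assumption: the driver is written as a quoted literal ('driver' => 'pgsql').
    Returns None when no such key is found so the caller does not assume safety.
    """
    m = re.search(r"['\"]driver['\"]\s*=>\s*['\"]([A-Za-z_]+)['\"]", settings_php)
    return m.group(1).lower() if m else None


def assess(version_text: str, driver: Optional[str]) -> str:
    """Classify one site: 'exposed', 'patched', 'not-affected-db', 'unknown-driver'."""
    if driver is None:
        return "unknown-driver"          # verify manually before concluding anything
    if driver != POSTGRES_DRIVER:
        return "not-affected-db"         # MySQL/MariaDB sites are out of scope for this CVE
    v = parse_version(version_text)
    if not (AFFECTED_MIN <= v <= AFFECTED_MAX):
        return "patched"                 # outside the affected range (e.g. 11.3.10)
    fixed = FIXED.get((v[0], v[1]))
    if fixed is not None and v >= fixed:
        return "patched"                 # at or above the branch's fixed release
    return "exposed"                     # inside the range, below the fix or on an EOL branch


# Constructed sample settings.php fragment for a PostgreSQL-backed site.
SAMPLE_SETTINGS_PHP = """<?php
$databases['default']['default'] = [
  'database' => 'drupal',
  'username' => 'drupal',
  'password' => 'example-placeholder',
  'host' => 'localhost',
  'port' => '5432',
  'driver' => 'pgsql',
  'prefix' => '',
];
"""


def assess_site(settings_php: str, version_text: str) -> str:
    """Convenience wrapper: derive the driver from settings.php, then classify."""
    return assess(version_text, db_driver_from_settings(settings_php))


if __name__ == "__main__":
    for ver in ("11.3.9", "11.3.10", "10.3.5", "10.4.10"):
        print(ver, "->", assess_site(SAMPLE_SETTINGS_PHP, ver))
```

In practice the version string comes from `\Drupal::VERSION` (or `drush status`) and the settings fragment from the site's `sites/*/settings.php`; the script only decides, it does not patch. A result of `unknown-driver` means the parser could not find the key, which is exactly the "verify before assuming" case above.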

Drupal Security Advisory SA-CORE-2026-004