Introduction

CVE-2026-9082 is a critical pre-authentication SQL injection vulnerability in Drupal Core's JSON:API module, carrying a CVSS score of 9.8. Published on May 20, 2026, it was added to the CISA Known Exploited Vulnerabilities (KEV) catalog the same month with a remediation deadline of May 27. The vulnerability affects Drupal Core from 8.9.0 through the current 10.x and 11.x release branches and requires no authentication to exploit.

Between May 20 and May 31, 2026, sensor networks recorded 576 exploitation attempts from 9 distinct source IPs. Every request contained CVE-specific marker strings in the payload, and a retrospective query confirmed zero matching activity before the May 20 disclosure date. The earliest exploitation attempts appeared on May 22, placing the weaponization timeline at roughly two days from publication to active scanning, which continued throughout the observation window. All 9 source IPs targeted only content management system infrastructure, with zero activity against any other application type, which is consistent with purpose-built Drupal scanning tooling.

Drupal Core SQL Injection (CVE-2026-9082)

The vulnerability itself:

CVE-2026-9082 is a pre-authentication SQL injection vulnerability in Drupal Core's JSON:API module.

  • CVSS Score: 9.8 (Critical)
  • CWE: CWE-89 (Improper Neutralization of Special Elements used in an SQL Command)
  • Affected Versions: Drupal Core 8.9.0 through the 10.4.x, 10.5.x, 10.6.x, 11.1.x, 11.2.x and 11.3.x release branches, prior to the fixed releases listed under Recommendations
  • Authentication Required: None
  • Published: May 20, 2026
  • CISA KEV Added: May 2026, with a remediation deadline of May 27, 2026 (now passed)

The CISA KEV listing confirms that exploitation was already occurring in the wild at the time of catalog addition. The 7-day remediation deadline (May 20 to May 27) reflects the severity and urgency CISA assigned to this vulnerability.

Vulnerability Context

CVE-2026-9082 exploits a flaw in how Drupal Core's JSON:API module processes filter condition parameters. The JSON:API module exposes RESTful endpoints at paths like /jsonapi/node/article that allow clients to query and filter content using structured URL query parameters:

/jsonapi/node/article?filter[name][condition][path]=field_name
  &filter[name][condition][operator]=IN
  &filter[name][condition][value][0]=some_value

The module fails to sanitize the array key portion of the filter[name][condition][value] parameter before incorporating it into SQL queries. An attacker can inject arbitrary SQL by manipulating the array key (the part inside the square brackets after value) rather than the value itself. This is a less common injection vector that many input validation routines miss because they focus on parameter values, not parameter names or array indices. The same blind spot applies to detection: a WAF rule or log query that inspects only decoded parameter values never sees the payload, so the array key itself must be examined after percent-decoding.

JSON:API ships with Drupal core (as of 8.7) and is widely enabled on decoupled and headless sites; once enabled, it serves published content to anonymous clients by default, so the attack surface encompasses any internet-facing Drupal installation running an affected version with the module enabled. Successful exploitation grants the ability to read arbitrary database contents, including user credentials, session tokens, and configuration data.

Observed Exploit Behavior

All exploitation attempts target Drupal's JSON:API node endpoints, cycling through three common content types: /jsonapi/node/article, /jsonapi/node/page, and /jsonapi/node/basic_page. This rotation improves the odds that at least one request hits a content type that exists on the target (page and article are the two content types created by Drupal's Standard install profile).

Each scanning source sends a structured sequence of four requests per content type, implementing a methodical SQL injection confirmation workflow:

Baseline request (control). A normal filter query using CVE20269082a, CVE20269082b, and CVE20269082c as canary values to establish a reference response.

Boolean-based blind SQLi (TRUE condition). Injects OR TRUE OR 1=1 into the SQL query via the array key:

filter[sqli][condition][value][1))/**/OR/**/TRUE/**/OR/**/1=1/**/OR/**/((1=1]=CVE20269082c

Boolean-based blind SQLi (FALSE condition). The complementary test using OR FALSE AND 1=2. Comparing the TRUE and FALSE responses allows the scanner to confirm exploitability with high confidence, ruling out false positives.

Time-based blind SQLi (PostgreSQL-specific). The most aggressive payload:

filter[sqli][condition][value][1))/**/OR/**/(SELECT/**/CASE/**/WHEN/**/current_user/**/IS/**/NOT/**/NULL/**/THEN/**/pg_sleep(5)/**/ELSE/**/pg_sleep(0)/**/END)::text=((chr(49)]=CVE20269082c

This executes pg_sleep(5) on PostgreSQL backends, forcing a 5-second response delay. The ::text cast and chr(49) function are PostgreSQL-specific syntax, and current_user IS NOT NULL is always true on PostgreSQL, so the CASE expression is a pure timing oracle rather than an attempt to read the user name. A delayed response confirms both the injection vulnerability and the database type in a single request. On MySQL/MariaDB the same payload fails on the unknown function and cast, so the absence of a delay only rules out PostgreSQL, not injectability; this is why the scanner pairs it with the database-agnostic boolean tests.

WAF Evasion Techniques

The payloads employ several evasion methods. SQL comment space substitution (/**/ replacing spaces) bypasses WAF rules matching literal SQL keywords separated by spaces. Nested parentheses (1)) and ((1=1) close and reopen parentheses in the generated SQL, maintaining syntactic validity while obscuring the injection pattern. PostgreSQL-specific casting (::text) avoids type mismatch errors. Character function usage (chr(49)) represents the character "1" without using a literal string, evading pattern-matching on common injection strings.

Information about how F5 BIG-IP ASM / Advanced WAF defend against this type of evasion can be found on DevCentral.

Request Headers

All exploit requests use the GET method with an Accept: application/vnd.api+json header, the correct MIME type for Drupal's JSON:API. Generic scanners typically send */* or omit the header entirely. This detail, combined with a spoofed Chrome User-Agent string, indicates the scanner was written by someone who tested against a real Drupal JSON:API instance or adapted a well-maintained exploit template.

Source Infrastructure

Source IP         Events  Location
38.15.158.10         356  US
58.252.113.136       120  CN
103.62.49.170         24  JP
107.189.10.95         24  LU
104.234.174.93        12  CA
111.70.16.111         12  TW
151.177.219.95        12  SE
83.249.125.127        12  SE
157.254.22.134         4  Unknown

Table 1: CVE-2026-9082 Scanning Infrastructure

The top source, 38.15.158.10, used all four payload variants across multiple content types and targets. 58.252.113.136 concentrated on the time-based PostgreSQL payload variant, suggesting a more focused effort to fingerprint database backends. All 9 IPs share identical payload sequences, headers, and User-Agent strings, pointing to a shared tool or exploit kit distributed among multiple operators.

Threat Assessment

Campaign Characteristics

This exploitation activity has the hallmarks of a coordinated but early-stage scanning campaign:

  • Dedicated tooling: The 9 source IPs target only Drupal infrastructure, with zero activity against other application types.
  • Consistent methodology: All sources use the same four-variant payload sequence, the same Accept header, and the same User-Agent string. This points to a shared tool or exploit kit distributed among multiple operators/IPs.
  • Systematic coverage: The top source (38.15.158.10) tested all payload variants against all three content types across multiple targets, indicating a thorough, automated approach.
  • Database fingerprinting: The inclusion of PostgreSQL-specific pg_sleep() payloads alongside generic boolean-based tests shows the attackers are prepared for the two most common Drupal database backends (MySQL/MariaDB and PostgreSQL).

MITRE ATT&CK Mapping

Tactic           Technique                                  Evidence
Reconnaissance   T1595.002: Vulnerability Scanning          Systematic probing of /jsonapi/node/{type} endpoints across content types
Initial Access   T1190: Exploit Public-Facing Application   SQL injection via JSON:API filter condition parameters
Execution        T1059: Command and Scripting Interpreter   pg_sleep() execution via injected SQL
Discovery        T1082: System Information Discovery        Boolean- and time-based blind SQLi used to fingerprint the database backend (the current_user IS NOT NULL test is always true on PostgreSQL, so it serves as a timing oracle, not an extraction of the user name)
Defense Evasion  T1027: Obfuscated Files or Information     SQL comment-based space substitution (/**/), chr() function usage

Table 2: MITRE ATT&CK mapping

Top CVEs for May 2026

#   Change  CVE ID          Description                                          CVSS  Attacks          Raw Events
1           CVE-2024-4577   PHP CGI on Windows Argument Injection                9.8   13,716 (+1,734)  24,655 (+2,485)
2           CVE-2017-9841   PHPUnit eval-stdin Remote Code Execution             9.8   10,355 (+1,169)  352,664 (+42,238)
3           CVE-2018-20062  ThinkPHP Remote Code Execution in NoneCms            9.8   9,563 (+1,138)   19,610 (+1,969)
4           CVE-2025-55182  React Server Components Pre-Auth RCE                 10    3,120 (+343)     37,882 (+24,856)
5   ↑1      CVE-2021-34523  Microsoft Exchange Server Privilege Escalation       9     2,361 (-70)      6,803 (-6,558)
6   ↑1      CVE-2022-41082  Microsoft Exchange Server Remote Code Execution      8     2,176 (+54)      2,329 (+78)
7   ↓2      CVE-2025-55184  React Server Components Pre-Auth DoS                 7.5   1,541 (-1,174)   15,884 (+7,109)
8   NEW     CVE-2024-44000  LiteSpeed Cache Insufficiently Protected Credentia…  9.8   1,475            2,129
9   NEW     CVE-2016-4800   Eclipse Jetty Windows Path Normalization Bypass      9.8   1,444            6,707
10  NEW     CVE-2007-6672   Mortbay Jetty Source File Disclosure Bypass          5     1,444            6,707

Table 3: Top 10 CVEs for May 2026 (figures in parentheses are the change from April 2026)

Trending CVEs for May

The May 2026 Top 10 CVE table saw notable turnover, with three new entries displacing previous fixtures. CVE-2024-44000 (LiteSpeed Cache credential exposure), CVE-2016-4800 (Jetty path normalization bypass), and CVE-2007-6672 (Mortbay Jetty source file disclosure) all entered the rankings for the first time.

The top three positions remain firmly held by CVE-2024-4577, CVE-2017-9841, and CVE-2018-20062, all of which posted month-over-month increases. CVE-2025-55184 experienced a sharp decline, dropping two positions after losing 1,174 attacks compared to April.

CVE-2024-4577

PHP CGI argument injection on Windows continues to dominate the table with 13,716 attacks in May, an increase of 1,734 over the prior month. This CVSS 9.8 vulnerability has held the top position for multiple consecutive months, reflecting sustained and widespread exploitation. The consistent upward trajectory suggests automated tooling is broadly integrated into attacker workflows. Defenders running PHP CGI on Windows should treat patching this flaw as an urgent priority if not already addressed.

CVE-2025-55184

This React Server Components pre-auth denial of service vulnerability dropped sharply from #5 to #7, shedding 1,174 attacks month over month. This represents the largest absolute decline of any CVE in the current Top 10. The drop may indicate that initial scanning campaigns have subsided or that defenders have deployed effective mitigations. Its sibling vulnerability CVE-2025-55182, the pre-auth RCE variant with a perfect CVSS 10.0, remains steady at #4 with 3,120 attacks, suggesting attackers are prioritizing the more impactful code execution path.

CVE-2024-44000

This LiteSpeed Cache credential exposure vulnerability is a new entrant at #8 with 1,475 attacks in its debut month. Rated CVSS 9.8, it targets insufficiently protected credentials in the popular WordPress caching plugin. Its sudden appearance in the Top 10 suggests active exploitation campaigns have recently scaled up. Organizations using LiteSpeed Cache should verify they are running patched versions and audit for any signs of credential theft.

CVE-2021-26855

ProxyLogon dropped out of the Top 10 entirely, falling from #9 to #12 after months of sustained presence. This Microsoft Exchange Server SSRF vulnerability, once one of the most exploited flaws globally, appears to be losing attacker interest as the vulnerable population shrinks. However, its companion Exchange vulnerabilities CVE-2021-34523 and CVE-2022-41082 remain in the Top 10 at positions #5 and #6 respectively. Defenders should not interpret the decline as a signal to deprioritize Exchange patching, as the broader Exchange attack surface clearly remains under active targeting.

CVE-2007-6672

A vulnerability nearly two decades old, this Mortbay Jetty source file disclosure bypass entered the Top 10 at #10 with 1,444 attacks. Its appearance alongside CVE-2016-4800, a Jetty path normalization flaw with identical attack and raw event counts (1,444 and 6,707), points to a scanning campaign targeting Jetty servers specifically; the identical counts most likely mean the same requests are matching both signatures, so this is one campaign rather than two. Despite its modest CVSS 5.0 rating, source file disclosure can reveal configuration details and credentials that enable deeper compromise. The simultaneous emergence of both Jetty CVEs warrants attention from any organization exposing Jetty-based services.

Long Term Targeting Trends

Top CVEs

CVE-2017-9841 remains the most exploited vulnerability across our honeynet; CVE-2024-4577 rebounded from April and is sustaining the aggressive exploitation trend that began in December.

Figure 1: Six-month stacked graph of the top 5 CVEs.

In May 2026, CVE-2017-9841 remains the most exploited vulnerability across our honeynet sensors with 10,355 attack sessions, though this represents a continued decline from its November 2025 peak of 27,075. CVE-2024-4577 recorded 13,716 sessions in May, rebounding from April's 11,982 and sustaining the aggressive exploitation trend that began with its December 2025 surge to 8,102 sessions after months of near-zero activity. CVE-2018-20062 followed a similar pattern to CVE-2017-9841, posting 9,563 sessions in May, well below its November 2025 high of 22,635 but still representing persistent baseline exploitation. CVE-2021-34523, the ProxyShell Exchange vulnerability, has maintained steady exploitation since its January 2026 emergence, holding at 2,361 sessions in May, while CVE-2025-55182 rose to 3,120 sessions from 2,777 in April.

Attack Types Over Time

Predictable Resource Location dominated observed attack activity.

Figure 2: Evolution of attack types over 6 months.

In May 2026, Predictable Resource Location dominated observed attack activity at 923,312 events, an 11.1% increase over April's 831,302, reinforcing a sustained trend of adversaries probing for exposed endpoints and predictable file paths. Information Leakage attempts surged 37.9% month over month, jumping from 469,810 to 647,707, suggesting heightened reconnaissance activity aimed at harvesting configuration details and sensitive data. Conversely, Cross Site Scripting dropped sharply from 220,400 to 79,913, a 63.7% decline, while Path Traversal fell 58.3% from 151,411 to 63,171, indicating a possible tactical pivot away from these vectors. Server Side Code Injection remained elevated at 588,866 events despite a 13.5% decline from April, and Command Execution held steady at 506,842.

Top Source Countries

The United States remained the top source of attack traffic; France surged dramatically.

Figure 3: Source country geographical distribution.

In May 2026, the United States remained the top source of attack traffic against our honeynet sensors with 4,320,740 events, though this represents a sharp 41.7% decline from the 7,413,134 events recorded in April 2026. France surged dramatically to 1,553,570 events, a 173% increase from its previous month total of 568,728, making it the most notable mover in the dataset. Germany held steady in second place at 2,660,810 events, reflecting a modest 4.8% uptick. Canada saw a significant 39.1% drop from 400,895 to 244,146 events, while Singapore remained relatively stable at 689,974.

Top Target Destinations

The United Kingdom tops the chart, followed by the USA, Australia, Canada and Singapore.

Figure 4: Destination target geographical distribution (normalized per sensor).

United Kingdom

Our honeynet sensors in the United Kingdom observe a notable concentration of web application exploitation and authentication bypass attempts. Compared to other locations, the UK sees a relatively higher proportion of attacks targeting exposed administrative interfaces and login portals.

United States

Sensors in the United States continue to attract the broadest spectrum of attack traffic, consistent with its position among the most targeted destinations across the monitoring period. The attack profile is dominated by credential brute-forcing and remote code execution attempts, reflecting the sheer volume of opportunistic scanning directed at infrastructure in this region.

Australia

Sensors deployed in Australia register a distinctive mix of remote code execution attempts and directory traversal attacks. The geographic isolation of this region does not deter attackers, with traffic patterns suggesting sustained interest from threat actors operating across multiple time zones.

Canada

Our sensors in Canada observe a steady baseline of remote code execution and web application exploitation attempts. Canadian infrastructure uniquely attracts a higher ratio of low-and-slow probing activity, suggesting threat actors conducting deliberate reconnaissance before launching targeted exploitation.

Singapore

Singapore's sensors capture a concentrated mix of authentication bypass attempts and exploitation of exposed management interfaces. As a major connectivity hub, this location draws attack traffic that frequently originates from nearby regions, giving it a distinctive geographic source profile.

Conclusion

CVE-2026-9082 represents a textbook case of rapid weaponization against critical web infrastructure. Within 11 days of disclosure, 9 dedicated scanning sources deployed sophisticated, WAF-evasion-aware exploit payloads against Drupal's JSON:API endpoints. The payloads demonstrate deep understanding of the target application, including correct MIME types, multiple content type enumeration, and database-specific fingerprinting techniques for PostgreSQL backends.

The 576 events observed so far are likely the leading edge of a much larger exploitation campaign. Every organization running Drupal Core with JSON:API enabled should treat patching as an emergency action. The CISA KEV deadline has passed, and the window between "scanning" and "mass compromise" is closing rapidly.

Recommendations

Immediate (CISA KEV deadline has passed)

  1. Patch Drupal Core to version 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, or 11.3.10 (as applicable). Unpatched systems should be treated as potentially compromised and subjected to forensic review.
  2. Audit JSON:API access logs for requests to /jsonapi/node/* whose query string contains filter[*][condition][value][* with SQL keywords (OR, SELECT, pg_sleep, CASE WHEN) inside the array key. Percent-decode the query string before matching, since characters such as = and ( inside the key may be sent encoded. Search for the marker strings CVE20269082a, CVE20269082b, CVE20269082c in URL parameters.
  3. Deploy WAF rules targeting SQL injection in JSON:API filter parameters, applied to parameter names as well as values. Key detection patterns:
     • /**/OR/**/ or /**/SELECT/**/ (comment-based space evasion)
     • pg_sleep anywhere in URL query parameters
     • Nested parentheses in filter[*][condition][value] array keys
     • UNION, SELECT, CASE WHEN in filter condition values
  4. Block confirmed exploit sources: 38.15.158.10, 58.252.113.136, 103.62.49.170, 107.189.10.95, 104.234.174.93, 111.70.16.111, 151.177.219.95, 83.249.125.127, 157.254.22.134. This list is a snapshot of the first eleven days and will not stay current.
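The log audit and WAF patterns above, and the array-key injection point described under Vulnerability Context, can be checked with the following Python. It is an added example written for this page, not code from the report, from F5 or from Drupal. It parses combined-format access log lines, percent-decodes the query string, isolates the array key of every filter[...][condition][value][...] parameter, and flags the payload traits the report describes (/**/ spacing, pg_sleep, nested parentheses, a ::text cast, chr()) together with the CVE20269082a/b/c canary strings. The log lines, the Chrome User-Agent string, the filter path (title) and the two non-scanner client IPs are constructed sample data; the payloads mirror the ones quoted above, with = inside the array key sent as %3D, which is an assumption because the report does not show the on-wire encoding.

```python
"""Flag CVE-2026-9082-style SQL injection in JSON:API filter array keys.

Added example, not code from the report or from Drupal: parses access log
lines, percent-decodes the query string, and inspects the array key of every
filter[...][condition][value][...] parameter for the payload traits the
report describes.  SAMPLE_LOG below is constructed illustrative data.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# JSON:API filter value parameter; the named group is the array key being abused.
VALUE_KEY_RE = re.compile(r"^filter\[[^\]]*\]\[condition\]\[value\]\[(?P<key>.*)\]$", re.S)
# A legitimate array key is a plain index (0, 1, ...) or empty (value[]).
BENIGN_KEY_RE = re.compile(r"^\w*$")
# Payload traits called out in the report, matched on the percent-decoded key.
INDICATORS = {
    "comment_space": re.compile(r"/\*\*/"),
    "pg_sleep": re.compile(r"\bpg_sleep\s*\(", re.I),
    "sql_keyword": re.compile(r"\b(OR|AND|SELECT|UNION|CASE|WHEN|TRUE|FALSE)\b", re.I),
    "paren_break": re.compile(r"\)\)|\(\("),
    "pg_cast": re.compile(r"::\w+"),
    "chr_func": re.compile(r"\bchr\s*\(", re.I),
}
CANARY_RE = re.compile(r"CVE20269082[abc]")


def analyze_target(target):
    """Classify one request target (path plus query string)."""
    parts = urlsplit(target)
    finding = {"bad_keys": [], "indicators": set(),
               "canary": bool(CANARY_RE.search(parts.query)), "verdict": "benign"}
    if not parts.path.startswith("/jsonapi/"):
        return finding
    # parse_qsl splits on '&' then on the first '=' and percent-decodes both
    # halves, so an encoded '=' or '(' inside the key is inspected decoded.
    for name, _value in parse_qsl(parts.query, keep_blank_values=True):
        m = VALUE_KEY_RE.match(name)
        if m is None or BENIGN_KEY_RE.match(m.group("key")):
            continue
        key = m.group("key")
        finding["bad_keys"].append(key)
        finding["indicators"].update(
            label for label, rx in INDICATORS.items() if rx.search(key))
    if finding["bad_keys"] and finding["indicators"]:
        finding["verdict"] = "sqli"           # SQL syntax inside an array key
    elif finding["bad_keys"]:
        finding["verdict"] = "anomalous_key"  # non-index key, worth a look
    elif finding["canary"]:
        finding["verdict"] = "canary"         # scanner's baseline/control probe
    return finding


def scan_log(lines):
    """Return (ip, verdict, sorted indicators) for each non-benign request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        f = analyze_target(m.group("target"))
        if f["verdict"] != "benign":
            hits.append((m.group("ip"), f["verdict"], sorted(f["indicators"])))
    return hits


# Constructed sample lines.  Payloads mirror the report; '=' inside the key is
# sent as %3D (an assumption: the report does not show the on-wire encoding).
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"  # constructed
SAMPLE_LOG = [
    # 1. baseline/control request: canary values in ordinary array indices
    f'38.15.158.10 - - [22/May/2026:10:14:03 +0000] "GET /jsonapi/node/article'
    '?filter[name][condition][path]=title&filter[name][condition][operator]=IN'
    '&filter[name][condition][value][0]=CVE20269082a&filter[name][condition][value][1]=CVE20269082b'
    f'&filter[name][condition][value][2]=CVE20269082c HTTP/1.1" 200 2113 "-" "{UA}"',
    # 2. boolean-based TRUE probe: SQL in the array key
    f'38.15.158.10 - - [22/May/2026:10:14:04 +0000] "GET /jsonapi/node/article'
    '?filter[sqli][condition][path]=title&filter[sqli][condition][operator]=IN'
    '&filter[sqli][condition][value][1))/**/OR/**/TRUE/**/OR/**/1%3D1/**/OR/**/((1%3D1]=CVE20269082c'
    f' HTTP/1.1" 200 2113 "-" "{UA}"',
    # 3. time-based PostgreSQL probe
    f'58.252.113.136 - - [23/May/2026:02:41:10 +0000] "GET /jsonapi/node/page'
    '?filter[sqli][condition][path]=title&filter[sqli][condition][operator]=IN'
    '&filter[sqli][condition][value][1))/**/OR/**/(SELECT/**/CASE/**/WHEN/**/current_user/**/IS/**/NOT'
    '/**/NULL/**/THEN/**/pg_sleep(5)/**/ELSE/**/pg_sleep(0)/**/END)::text%3D((chr(49)]=CVE20269082c'
    f' HTTP/1.1" 200 2113 "-" "{UA}"',
    # 4. ordinary JSON:API consumer: plain index in the array key (benign)
    '203.0.113.7 - - [23/May/2026:08:00:00 +0000] "GET /jsonapi/node/article'
    '?filter[a][condition][path]=status&filter[a][condition][operator]=IN'
    '&filter[a][condition][value][0]=1 HTTP/1.1" 200 9044 "-" "curl/8.6.0"',
    # 5. unrelated request (benign)
    '203.0.113.9 - - [23/May/2026:08:00:01 +0000] "GET /user/login HTTP/1.1" 200 5100 "-" "curl/8.6.0"',
]

if __name__ == "__main__":
    for ip, verdict, indicators in scan_log(SAMPLE_LOG):
        print(f"{ip:16} {verdict:14} {','.join(indicators)}")
```

Because the regexes run on the decoded array key, neither /**/ substitution nor percent-encoding hides the keywords; a WAF rule should likewise normalise comments and decoding before matching, and should match on parameter names, not only values. To cover non-PostgreSQL timing probes that this scanner did not use, add MySQL/MariaDB's SLEEP() and BENCHMARK() to INDICATORS.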

Short-Term

  1. Restrict JSON:API access. If public JSON:API access is not required, disable the module or restrict it to authenticated users. The vulnerable endpoint requires no authentication by default, and JSON:API's read-only mode does not help here because filtering is a read operation.
  2. Review database user privileges. For PostgreSQL deployments, revoke EXECUTE on pg_sleep() from PUBLIC if nothing depends on it (functions are executable by every role by default) and limit catalog access to what the site needs; read access to pg_catalog is granted to PUBLIC, so this limits what an attacker can learn rather than closing the injection. For MySQL/MariaDB, confirm the Drupal user does not hold the FILE privilege. Removing a timing function only blinds one probe; the boolean-based variants need no special privileges, so least privilege is damage limitation, not a substitute for the patch.
  3. Monitor for new scanning sources. The current 9 IPs represent early adopters. Expect the source pool to grow as exploit code spreads. Signature-based blocking alone may not be sufficient; behavioral detection of SQL injection patterns in JSON:API parameters, including parameter names, is essential.

Authors & Contributors

Adam Metcalfe-Pearce (Author)

Threat Researcher, F5