Drupal's Highly Critical SQL Injection Is Now Being Actively Exploited
Drupal's security team issued a "highly critical" SQL injection advisory earlier this week — and BleepingComputer now reports that attackers are already attempting to exploit it in the wild. If you run Drupal and haven't patched, stop reading and go patch.
What Happened
A SQL injection flaw in Drupal core was disclosed this week and rated "highly critical" — Drupal's top severity tier, reserved for vulnerabilities that are remotely exploitable with low or no privileges and carry high impact. Within days of disclosure, active exploitation attempts are underway. The gap between "advisory published" and "mass scanning begins" has collapsed to hours in 2026, and Drupal is a particularly attractive target: it runs a significant share of government portals, university sites, and enterprise intranets — high-value, often slow-to-patch environments.
Why It Matters
SQL injection at this severity level typically gives an attacker read/write access to the underlying database without authentication. For a Drupal installation that means:
- User credentials and session tokens are within reach for exfiltration
- Account takeover is possible by replacing or cracking password hashes
- Backdoor accounts can be injected directly into the database, bypassing the application layer entirely
- Lateral movement becomes possible if database credentials are reused elsewhere in your infrastructure
Critically, exploitation is likely automated and indiscriminate — you don't need to be a notable target to get hit. Any internet-facing Drupal instance is a candidate.
What To Do
1. Identify your version immediately.
drush status | grep "Drupal version"
Or check core/lib/Drupal.php for the VERSION constant.
2. Apply the patch now. The specific affected versions, CVE, and patched releases are listed at drupal.org/security. That page is your authoritative source — go there directly.
3. Review logs for the period since the advisory dropped. Look for SQL error responses, anomalous query strings containing UNION, SELECT, or injection scaffolding, and any unexpected admin account creation.
4. Audit user accounts. Any account created or promoted to administrator in the last several days warrants immediate scrutiny.
5. If you cannot patch right now:
- Take the site offline or restrict it to an IP allowlist until you can.
- Deploy WAF rules targeting SQLi patterns as a temporary measure — not a substitute for patching.
- Enable update notifications at
admin/reports/updates.
Sites that remain unpatched for the next 24–48 hours should be treated as potentially compromised and investigated, not just patched and assumed clean. Backdoor accounts and stolen session tokens persist after a patch is applied.
Synthesized by Claude · sanity-checked before publish.