
PostgreSQL
Open-source relational database; the sole Drupal database backend affected by CVE-2026-9082.
Last refreshed: 29 May 2026 · Appears in 1 active topic
Why does choosing PostgreSQL over MySQL make Drupal sites uniquely vulnerable to this SQL injection?
Timeline for PostgreSQL
Mentioned in: Splunk lands its first-ever KEV entry
Cybersecurity: Threats and DefencesMentioned in: Drupal SQL flaw hits PostgreSQL sites
Cybersecurity: Threats and DefencesIs PostgreSQL itself vulnerable to the Drupal SQL injection CVE-2026-9082?
Why are only PostgreSQL Drupal sites affected by CVE-2026-9082?
What percentage of Drupal sites use PostgreSQL?
Background
PostgreSQL is an open-source, object-relational database management system first released in 1996, descended from the Ingres and POSTGRES projects at the University of California, Berkeley. It is one of the world's most widely deployed relational databases, favoured for its standards compliance, ACID guarantees, extensibility, and strong support for complex queries, JSON, and geospatial data. PostgreSQL is the default backend for many government, healthcare, and regulated-sector applications, particularly in jurisdictions that require open-source infrastructure for data sovereignty reasons.
In May 2026, PostgreSQL featured directly in a major vulnerability incident: CVE-2026-9082, a Drupal Core SQL injection flaw rated Highly Critical (23/25, CVSS 6.5), affects only Drupal deployments running on PostgreSQL. Drupal's database-abstraction layer handles PostgreSQL-specific query construction differently from MySQL and MariaDB; the injection vector exists in that PostgreSQL-specific code PATH. PostgreSQL accounts for fewer than 5% of Drupal installations globally, but that subset is disproportionately concentrated in government and regulated-sector environments, amplifying the real-world risk.
The CVE-2026-9082 incident is not a flaw in PostgreSQL itself; the vulnerability is in Drupal's query-construction layer. PostgreSQL is the passive surface on which the injection executes. The episode nonetheless illustrates that database selection carries indirect security consequences: where PostgreSQL is mandated for sovereignty reasons, it inadvertently concentrates risk for any application layer vulnerability with a database-backend-specific trigger.