Cybersecurity: Threats and Defences
29 May

Drupal SQL flaw hits PostgreSQL sites

14:17 UTC

Drupal rated CVE-2026-9082 Highly Critical at 23 out of 25; Imperva logged 15,000 attack attempts within 48 hours, yet the flaw touches under 5 per cent of installs.

Key takeaway

The tightest KEV deadline of the window covered under 5 per cent of Drupal installs, separating KEV urgency from actual exposure.

Drupal's security team rated the flaw "Highly Critical" at 23 out of 25 on its own 25-point risk scale: a SQL injection in the content-management system's database-abstraction layer, tracked as CVE-2026-9082 and scored at only CVSS 6.5 [1]. SQL injection works by smuggling attacker-controlled input into the text of a database query so that the database executes it as SQL rather than treating it as data. The patch landed around Wednesday 20 May; CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalogue on Friday 22 May with a five-day federal remediation deadline of Wednesday 27 May, the tightest in this window [2].

The flaw is PostgreSQL-only, and PostgreSQL-backed Drupal is under 5 per cent of the install base, which is the calibration point a buyer needs. Drupal's severity rating measures how bad the bug is where it bites; it says nothing about how many installs it can reach. An asset owner who triages purely on the KEV deadline will over-rotate on a flaw that cannot touch 95 per cent of their Drupal estate, while one who knows which database driver backs each site (the 'driver' entry of the $databases array in each site's settings.php) can stand most of them down. KEV inclusion confirms exploitation; the risk calculation still belongs to whoever knows the backend.
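The triage step the paragraph describes can be scripted. The following is an added example, not code from the briefing or from the Drupal project: it reads the $databases configuration that each Drupal site keeps in settings.php, in both the whole-array and key-by-key forms Drupal accepts, and sorts the fleet into sites to patch (any connection on the 'pgsql' driver), sites that can be stood down, and sites whose connection is assembled at runtime and must be asked directly (for instance with `drush status`, which reports the active DB driver). The site names and settings fragments are constructed for the example.

```python
"""Exposure-aware triage of a Drupal fleet by database driver.

Added example, not code from the briefing or from the Drupal project. It parses
the $databases array in settings.php and flags only sites with a connection on
the 'pgsql' driver, the population a PostgreSQL-only flaw can reach. Site names
and settings fragments below are constructed.
"""
import re

# Constructed settings.php fragments, one per hypothetical site.
FLEET = {
    # Whole-array form, PostgreSQL default connection: in scope.
    "www.example.gov": """
$databases['default']['default'] = [
  'database' => 'drupal',
  'username' => 'drupal',
  'password' => 'redacted',
  'host' => 'db.internal',
  'driver' => 'pgsql',
];
""",
    # Key-by-key form: in scope.
    "intranet.example.edu": """
$databases['default']['default']['database'] = 'drupal';
$databases['default']['default']['driver'] = 'pgsql';
""",
    # MySQL default connection: can be stood down.
    "blog.example.com": """
$databases['default']['default'] = [
  'database' => 'drupal',
  'driver' => 'mysql',
  'host' => '127.0.0.1',
];
""",
    # MySQL default plus a secondary PostgreSQL connection: still in scope,
    # because every query on that connection goes through the pgsql driver.
    "shop.example.com": """
$databases['default']['default'] = ['driver' => 'mysql', 'database' => 'shop'];
$databases['legacy']['default'] = ['driver' => 'pgsql', 'database' => 'erp'];
""",
    # Legacy array() syntax, SQLite: can be stood down.
    "docs.example.org": """
$databases['default']['default'] = array(
  'driver' => 'sqlite',
  'database' => 'sites/default/files/.ht.sqlite',
);
""",
    # Connection assembled at runtime: the file alone cannot answer.
    "ci.example.net": """
$databases['default']['default'] = json_decode(getenv('DRUPAL_DB'), TRUE);
""",
}

# $databases['key']['target'] = [ ... ];   or   = array( ... );
ARRAY_FORM = re.compile(
    r"\$databases\['(\w+)'\]\['(\w+)'\]\s*=\s*(?:\[|array\()(.*?)(?:\]|\))\s*;",
    re.DOTALL,
)
# $databases['key']['target']['driver'] = 'pgsql';
KEY_FORM = re.compile(
    r"\$databases\['(\w+)'\]\['(\w+)'\]\['driver'\]\s*=\s*'(\w+)'\s*;"
)
DRIVER = re.compile(r"'driver'\s*=>\s*'(\w+)'")


def connections(settings):
    """Map (connection key, target) -> driver name for every connection found."""
    found = {}
    for key, target, body in ARRAY_FORM.findall(settings):
        match = DRIVER.search(body)
        if match:
            found[(key, target)] = match.group(1)
    # Key-by-key assignments normally follow, and override, the array form.
    for key, target, driver in KEY_FORM.findall(settings):
        found[(key, target)] = driver
    return found


def triage(fleet, vulnerable_driver="pgsql"):
    """Classify each site as 'patch', 'stand_down' or 'check' (unparseable)."""
    report = {}
    for site, settings in fleet.items():
        conns = connections(settings)
        affected = [k for k, d in conns.items() if d == vulnerable_driver]
        if affected:
            verdict = "patch"
        elif conns:
            verdict = "stand_down"
        else:
            verdict = "check"
        report[site] = {
            "verdict": verdict,
            "connections": conns,
            "default_affected": conns.get(("default", "default")) == vulnerable_driver,
        }
    return report


def sites_with(fleet, verdict):
    """Sorted site names that received the given verdict."""
    return sorted(s for s, r in triage(fleet).items() if r["verdict"] == verdict)


if __name__ == "__main__":
    for verdict in ("patch", "stand_down", "check"):
        print(f"{verdict:>10}: {', '.join(sites_with(FLEET, verdict))}")
```

The 'check' bucket matters as much as the other two: a site whose connection comes from an environment variable or a hosting platform's include file looks safe to a file scan but may well be on PostgreSQL, so it needs the running site's answer rather than a guess.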

Imperva, the Thales-owned application-security firm, logged more than 15,000 attack attempts against roughly 6,000 sites across 65 countries within 48 hours, with gaming and financial-services sites taking about half [3]. The KEV catalogue itself grew from 1,585 entries a fortnight earlier to 1,606 in this window, a velocity that the proposed CISA cuts have not slowed and that makes exposure-aware triage, not deadline proximity, the only sustainable filter.

Deep Analysis

In plain English

Drupal is a website-building platform used by governments, universities, and large companies to publish content online. It runs on a variety of underlying database systems that store all the site's data, text, and user records. A security flaw, given the label CVE-2026-9082, affects only Drupal installations that use PostgreSQL as their database, which is a minority of all Drupal sites. The flaw lets attackers inject malicious database commands through normal website forms, potentially reading or altering site data without needing an account. The US government's cyber agency CISA listed this flaw as requiring urgent action on 22 May 2026, with a five-day deadline. Within 48 hours of the flaw becoming public, security researchers at Imperva observed over 15,000 attack attempts against around 6,000 websites in 65 countries. The attacks hit gaming and financial-services sites hardest. Organisations running government websites on Drupal with PostgreSQL databases are among the most exposed, even though they represent a small fraction of all Drupal installations.

Root Causes

Drupal's database-abstraction layer (DBAL) wraps database queries so that the same module code runs against MySQL, MariaDB, PostgreSQL, and SQLite. The SQL injection in CVE-2026-9082 arises from a parameter-quoting inconsistency in the PostgreSQL driver: PostgreSQL handles certain Unicode character sequences in parameterised queries differently from what the DBAL assumed, so a crafted input can close the quoted parameter context and the remainder of the input is executed as SQL. One caveat for anyone reading the advisory: a value bound as a server-side prepared-statement parameter cannot escape its context at all, so the description points to a code path in which the driver quotes the value into the SQL text itself, which is exactly where a backend-specific quoting rule can diverge from the one the abstraction layer expects.

This driver-level discrepancy was not exposed by Drupal's cross-database test suite because the test cases were written against the MySQL behaviour as the reference implementation.
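The class of bug the two paragraphs above describe, a quoting rule that is correct for the reference backend and wrong for another, can be shown without the unpublished details of CVE-2026-9082. The following is an added example, not code from the briefing or from Drupal, and it uses a different, well-documented discrepancy of the same class: MySQL treats a backslash inside a '...' literal as an escape character, whereas PostgreSQL (with standard_conforming_strings on, the default since 9.1) and SQLite treat it as a literal character. SQLite stands in for PostgreSQL so the script runs offline; the table contents and probe strings are constructed.

```python
"""Client-side quoting versus bound parameters, across backends whose string
literals follow different rules.

Added example, not code from the briefing or from Drupal, and not the byte
sequence behind CVE-2026-9082. MySQL honours backslash escapes inside '...';
PostgreSQL (standard_conforming_strings on) and SQLite do not. SQLite stands in
for PostgreSQL here; the rows and probes are constructed.
"""
import sqlite3


def mysql_style_escape(value):
    """Quote a value the way a layer tested against MySQL would: backslash
    escapes. Correct for MySQL, wrong for SQL-standard literals."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def standard_escape(value):
    """SQL-standard quoting: the only special character inside '...' is the
    quote itself, and it is doubled. Correct for PostgreSQL and SQLite."""
    return value.replace("'", "''")


def build_db():
    """In-memory table with one name that legitimately contains a quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "editor"), ("o'brien", "viewer")],
    )
    return conn


def _run(conn, sql, params=()):
    """Sorted matching names, or None when the backend rejects the SQL text."""
    try:
        return sorted(row[0] for row in conn.execute(sql, params))
    except sqlite3.OperationalError:
        return None


def lookup_mysql_style(conn, name):
    """Vulnerable path: the value is interpolated into the SQL text with the
    MySQL-flavoured escaper and sent to an SQL-standard backend. The escaping
    quote becomes part of the literal and the rest of the input is executed."""
    sql = "SELECT name FROM users WHERE name = '%s'" % mysql_style_escape(name)
    return _run(conn, sql)


def lookup_standard_style(conn, name):
    """Same interpolation, but with the quoting rule this backend actually uses."""
    sql = "SELECT name FROM users WHERE name = '%s'" % standard_escape(name)
    return _run(conn, sql)


def lookup_bound(conn, name):
    """Hardened path: the value travels as a parameter and never becomes SQL
    text, so no backend-specific quoting rule is involved at all."""
    return _run(conn, "SELECT name FROM users WHERE name = ?", (name,))


if __name__ == "__main__":
    db = build_db()
    for probe in ("o'brien", "' OR 1=1 --"):
        print(repr(probe))
        print("  mysql-style escape :", lookup_mysql_style(db, probe))
        print("  standard escape    :", lookup_standard_style(db, probe))
        print("  bound parameter    :", lookup_bound(db, probe))
```

Two things the output shows that the prose does not: the mis-matched escaper fails both ways, returning every row for the injection probe and a syntax error for an honest "o'brien", and the "correct" escaper is only correct for one configuration (turn standard_conforming_strings off on PostgreSQL and the rules flip again). Bound parameters are the only option whose safety does not depend on which backend, and which setting, sits behind the abstraction layer.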

The under-5% PostgreSQL install base is a consequence of Drupal's hosting market: shared hosting providers, which serve the majority of Drupal sites by install count, default to MySQL or MariaDB because of lower operational cost.

PostgreSQL-backed Drupal installations are disproportionately concentrated in government, university, and enterprise deployments, which run dedicated database infrastructure. This means the vulnerable population, while small by install count, is over-represented in high-value target categories.

The five-day KEV deadline, the tightest of any flaw in the 20-29 May window, reflects CISA's observation that mass exploitation began within 48 hours, before most organisations could complete a standard change-management cycle. For the government and university operators running PostgreSQL-backed Drupal, the deadline was in practice a fire drill.

Escalation

Mass exploitation within 48 hours of patch release is now the expected pattern for Drupal CVEs rated Highly Critical, following the 2014 Drupalgeddon precedent (SA-CORE-2014-005, itself a SQL injection in the database layer). The KEV deadline was set to match the exploitation timeline, not the other way around. The gaming and financial-services concentration suggests financially motivated actors scanning for credential and payment-data targets.

What could happen next?
  • Risk

    Government and university operators running PostgreSQL-backed Drupal, who disproportionately use this database configuration, face a higher per-site compromise probability than the under-5% install-base figure suggests, because scanner density tracks target value rather than install frequency.

    Immediate · Assessed
  • Meaning

    The divergence between Drupal's 23/25 severity rating (roughly 9.2 on a ten-point scale) and the CVSS 6.5 score for the same CVE demonstrates that single-score vulnerability triage is insufficient for CMS platforms where deployment configuration determines exploitability, a problem Rapid7 and Qualys have both raised in published research.

    Medium term · Assessed
  • Consequence

    Organisations relying solely on CVSS-threshold patch-automation policies would have deprioritised CVE-2026-9082 against higher-scoring flaws active in the same week, including Cisco SD-WAN CVE-2026-20182 at CVSS 10.0, and may have missed the five-day deadline.

    Immediate · Assessed
First Reported In

Update #5 · GitHub's own code cloned via VS Code add-on

The Hacker News · 29 May 2026
Different Perspectives
Google Threat Intelligence Group
GTIG's attribution of the GitHub breach extends UNC6780's documented arc from SAP npm through Cisco AI Defense to GitHub's own estate; its 36-hour LiteLLM exploitation set the speed benchmark CISA AA26-148A is designed to address. GTIG's published tracking gives defenders the actor profile needed to assess their own developer-toolchain exposure.
Enterprise security buyers / CISO community
For enterprise security leaders, two KEV AI-orchestration entries in three weeks (LiteLLM 8 May, Langflow 21 May) convert shadow AI tooling from a governance risk to a confirmed attack surface requiring immediate software asset inventory. The 65 per cent gap in enterprise AI tool inventories documented by Wiz Research is now a liability rather than a compliance footnote.
DSIT / UK Government
DSIT framed the £14.7 billion sector figure and the Cyber Resilience Pledge as a paired signal: commercial strength alongside supply-chain accountability, with £90 million targeting the NHS supplier exposure this briefing's threat events directly illustrate. The voluntary Pledge's enforceability gap, prior to the Cyber Security and Resilience Bill reaching Royal Assent, is the question its launch does not answer.
GitHub / Microsoft
GitHub confirmed that no customer repositories or user data were affected by the Nx Console breach, but acknowledged approximately 3,800 internal repositories were cloned and referred to CISA Alert AA26-148A's allow-listing guidance. The incident puts Microsoft in the position of operating a marketplace whose publisher-verification gap is now a documented attack vector in a federal advisory.
Tsinghua University Institute for International Strategic Studies
Beijing-aligned commentary rejects US attribution of PRC-nexus clusters (UNC2814, APT45, UAT-8616) as politically motivated framing, characterising the April sixteen-agency joint advisory as coordinated Western pressure rather than independent technical assessment.
Cisco
Cisco has not confirmed the UNC6780 breach scope beyond the named AI Defense and AI Assistant projects; GitHub confirmed an investigation. CVE-2026-20182 is the sixth Cisco SD-WAN KEV entry in 2026, reaching that milestone the same week UNC6780's source-code visibility into the portfolio became public.