Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
29MAY

Drupal SQL flaw hits PostgreSQL sites

3 min read
14:17UTC

Drupal rated CVE-2026-9082 Highly Critical at 23 out of 25; attackers logged 15,000 attempts within 48 hours, yet the flaw touches under 5 per cent of installs.

TechnologyDeveloping
Key takeaway

Drupal's fastest patch deadline covered under 5 per cent of installs, separating KEV urgency from actual exposure.

Drupal rated its own flaw "Highly Critical" at 23 out of 25, a SQL injection in the content-management system's database-abstraction layer carrying CVE-2026-9082 at CVSS 6.5 1. SQL injection works by smuggling malicious input into a database query. The patch landed around Wednesday 20 May; CISA added it to KEV on Friday 22 May with a five-day federal deadline of Wednesday 27 May, the tightest of the window 2.

The flaw is PostgreSQL only, and PostgreSQL-backed Drupal is under 5 per cent of the install base, which is the calibration point a buyer needs. The Drupal severity rating measures how bad the bug is where it bites; it says nothing about how many installs it can reach. An asset owner who triages purely on the KEV deadline will over-rotate on a flaw that cannot touch 95 per cent of their Drupal estate, while the owner who knows which database backs each site can stand most of them down. KEV inclusion confirms exploitation; the risk calculation still belongs to whoever knows the backend.

Imperva, the Thales-owned application-security firm, logged more than 15,000 attack attempts against roughly 6,000 sites across 65 countries within 48 hours, with gaming and financial-services sites taking about half 3. The catalogue itself grew from 1,585 entries a fortnight earlier to 1,606 in this window , a velocity that the proposed CISA cuts have not slowed and that makes exposure-aware triage, not deadline proximity, the only sustainable filter.

Deep Analysis

In plain English

Drupal is a website-building platform used by governments, universities, and large companies to publish content online. It runs on a variety of underlying database systems that store all the site's data, text, and user records. A security flaw, given the label CVE-2026-9082, affects only Drupal installations that use PostgreSQL as their database, which is a minority of all Drupal sites. The flaw lets attackers inject malicious database commands through normal website forms, potentially reading or altering site data without needing an account. The US government's cyber agency CISA listed this flaw as requiring urgent action on 22 May 2026, with a five-day deadline. Within 48 hours of the flaw becoming public, security researchers at Imperva observed over 15,000 attack attempts against around 6,000 websites in 65 countries. The attacks hit gaming and financial-services sites hardest. Organisations running government websites on Drupal with PostgreSQL databases are among the most exposed, even though they represent a small fraction of all Drupal installations.

Deep Analysis
Root Causes

Drupal's database-abstraction layer (DBAL) wraps database queries to make Drupal portable across MySQL, MariaDB, PostgreSQL, and SQLite. The SQL injection in CVE-2026-9082 arises from a parameter-quoting inconsistency in the PostgreSQL driver: PostgreSQL's handling of certain Unicode character sequences in parameterised queries differs from the behaviour the Drupal DBAL assumed, allowing a crafted input to escape the parameter context and inject arbitrary SQL.

This driver-level discrepancy was not exposed by Drupal's cross-database test suite because the test cases were written against the MySQL behaviour as the reference implementation.

The under-5% PostgreSQL install base is a consequence of Drupal's hosting market: shared hosting providers, which serve the majority of Drupal sites by install count, default to MySQL or MariaDB because of lower operational cost.

PostgreSQL-backed Drupal installations are disproportionately concentrated in government, university, and enterprise deployments, which run dedicated database infrastructure. This means the vulnerable population, while small by install count, is over-represented in high-value target categories.

The five-day KEV deadline, the tightest of any flaw in the 20-29 May window, reflects CISA's observation that 48-hour mass exploitation began before most organisations could complete a standard change-management cycle. For the government and university operators running PostgreSQL-backed Drupal, the deadline was functionally a fire-drill.

Escalation

Mass exploitation within 48 hours of patch release is now the expected pattern for Drupal CVEs rated Highly Critical, following the Drupalgeddon precedent from 2014. The KEV deadline was set to match the exploitation timeline, not the other way around. The gaming and financial-services concentration suggests financially motivated actors scanning for credential and payment-data targets.

What could happen next?
  • Risk

    Government and university operators running PostgreSQL-backed Drupal, who disproportionately use this database configuration, face a higher per-site compromise probability than the under-5% install-base figure suggests, because scanner density tracks target value rather than install frequency.

    Immediate · Assessed
  • Meaning

    The 7-point divergence between Drupal's 23/25 severity rating and CVSS 6.5 for the same CVE demonstrates that single-score vulnerability triage is insufficient for CMS platforms where deployment configuration determines exploitability, a problem Rapid7 and Qualys have both raised in published research.

    Medium term · Assessed
  • Consequence

    Organisations relying solely on CVSS-threshold patch-automation policies would have deprioritised CVE-2026-9082 against higher-scoring flaws active in the same week, including Cisco SD-WAN CVE-2026-20182 at CVSS 10.0, and may have missed the five-day deadline.

    Immediate · Assessed
First Reported In

Update #5 · GitHub's own code cloned via VS Code add-on

The Hacker News· 29 May 2026
Read original
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.