Critical Drupal SQL Injection (CVE‑2026‑9082) Threatens PostgreSQL‑Backed Sites
What It Is – A newly disclosed SQL injection (CVE‑2026‑9082) in Drupal’s query‑sanitisation API allows unauthenticated attackers to inject arbitrary SQL on sites that use PostgreSQL as the database backend. The flaw can lead to data disclosure, privilege escalation and, in certain configurations, remote code execution.
Exploitability – Exploits appeared within 48 hours of the patch release on May 20 2026. Threat intel firms have logged >15 000 attempts against ~6 000 sites in 65 countries. CVSS v3.1 base score 23/25 (Critical).
Affected Products – Drupal 9/10 core (all versions prior to the May 20 patch) when configured with PostgreSQL. Estimated <5 % of all Drupal installations, but still thousands of global sites.
TPRM Impact – Organizations that rely on Drupal‑powered web portals, intranets, or public‑facing services (government agencies, universities, media outlets, gaming and financial platforms) face immediate supply‑chain risk: potential data breach, credential theft, and service disruption.
Recommended Actions –
- Deploy the May 20 Drupal security patch immediately on all Drupal instances.
- Verify the database backend; if PostgreSQL is used, confirm the patch is applied and test for successful remediation.
- Enable Web Application Firewall (WAF) rules that block the known malicious request patterns.
- Review web server and database logs for anomalous queries or failed login attempts from the last 48 hours.
- Conduct a rapid inventory of all third‑party Drupal sites in your ecosystem and prioritize patching.
- Consider temporary mitigation (e.g., read‑only database mode) for high‑risk sites while patching.