
Drupal's 'Highly Critical' PostgreSQL Vulnerability: Unauthenticated RCE for the 5% Nobody Patches First.

CVE-2026-9082 enables unauthenticated information disclosure, privilege escalation, and remote code execution on Drupal sites using PostgreSQL. Drupal says less than 5% of sites use PostgreSQL. That 5% includes government agencies, universities, and enterprises that chose PostgreSQL for its reliability. They are now the target.


The 5% Problem

CVE-2026-9082 is a vulnerability in Drupal's database abstraction layer that enables unauthenticated information disclosure, privilege escalation, and remote code execution. NIST rates it 'highly critical' with a CMSS score of 20 out of 25. There is one mitigating factor: it only affects Drupal sites running PostgreSQL as their database backend. Drupal developers estimate that less than 5% of Drupal installations use PostgreSQL.

Five percent sounds small. It is not. Drupal powers government websites (whitehouse.gov was built on Drupal), university systems, enterprise content platforms, and large-scale media operations. The organizations that choose PostgreSQL over MySQL for their Drupal deployment typically do so for its reliability, its ACID compliance, and its advanced query capabilities — in other words, they are the organizations running the most demanding, most critical Drupal installations. The 5% that uses PostgreSQL is the 5% with the most to lose.

CMSS score: 20 / 25 (Highly Critical). Unauthenticated RCE via the database abstraction layer. Source: Drupal/NIST, 2026.
Affected population: <5% of Drupal sites (PostgreSQL backends only). Source: Drupal Security Team, 2026.

The Attack Chain

The vulnerability exists in Drupal's database abstraction layer — the code that translates Drupal's database queries into SQL for the underlying database engine. When the backend is PostgreSQL, certain query patterns can be manipulated by unauthenticated attackers to extract information, escalate privileges, and ultimately execute arbitrary code on the server. No login required. No special configuration needed beyond the PostgreSQL backend itself.

This is particularly concerning because Drupal's database abstraction layer is supposed to be a security boundary — it exists precisely to prevent SQL injection by separating query logic from data. CVE-2026-9082 demonstrates that the abstraction layer itself can be the vulnerability. The defense became the attack surface.
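The practical first step for defenders is triage: find out which Drupal installs in your estate actually run on the PostgreSQL driver, because those are the ones in the affected population and should be patched first. The script below is an added example, not Drupal's code or part of the advisory. It reads two real files from a Drupal checkout: `sites/default/settings.php`, where the `$databases` array names the driver (`'driver' => 'pgsql'`), and `core/lib/Drupal.php`, which carries the `VERSION` constant. The post does not state the fixed release, so `PATCHED_VERSION` is a labelled placeholder to be replaced with the version named in the Drupal advisory; the sample file contents are constructed for the demonstration.

```python
"""Triage helper: flag Drupal installs on the PostgreSQL driver.

Added example (not Drupal's own code). Assumptions:
  - sites/default/settings.php holds the $databases array with a 'driver' key
  - core/lib/Drupal.php holds  const VERSION = '<x.y.z>';
  - PATCHED_VERSION is a placeholder; the post does not give the fixed release.
"""
import re
from pathlib import Path
from typing import Dict, List, Optional

# PLACEHOLDER: replace with the fixed release from the Drupal advisory.
PATCHED_VERSION = "0.0.0-PLACEHOLDER"

DRIVER_RE = re.compile(r"""['"]driver['"]\s*=>\s*['"](\w+)['"]""")
VERSION_RE = re.compile(r"""const\s+VERSION\s*=\s*['"]([^'"]+)['"]""")

# Constructed sample inputs (not from any real site).
SAMPLE_SETTINGS = """<?php
$databases['default']['default'] = [
  'database' => 'drupal',
  'username' => 'drupal',
  'password' => 'REDACTED',
  'host' => 'localhost',
  'driver' => 'pgsql',
  'prefix' => '',
];
"""
SAMPLE_DRUPAL_PHP = """<?php
class Drupal {
  const VERSION = '10.2.0';
}
"""


def database_drivers(settings_php: str) -> List[str]:
    """Every 'driver' value declared in settings.php (one per connection)."""
    return DRIVER_RE.findall(settings_php)


def core_version(drupal_php: str) -> Optional[str]:
    """The Drupal core VERSION constant, or None if it cannot be found."""
    m = VERSION_RE.search(drupal_php)
    return m.group(1) if m else None


def _version_tuple(v: str) -> tuple:
    # Compare only the numeric dotted prefix: "10.2.3-dev" -> (10, 2, 3).
    head = re.match(r"\d+(\.\d+)*", v)
    return tuple(int(p) for p in head.group(0).split(".")) if head else ()


def assess(settings_php: str, drupal_php: str,
           patched: str = PATCHED_VERSION) -> Dict[str, object]:
    """Classify one install: PostgreSQL backend + below patched version = first in line."""
    drivers = database_drivers(settings_php)
    version = core_version(drupal_php)
    uses_pgsql = "pgsql" in drivers
    below_patch = version is not None and _version_tuple(version) < _version_tuple(patched)
    if uses_pgsql and below_patch:
        priority = "patch-first"        # in the affected 5% and still unpatched
    elif below_patch:
        priority = "patch"              # not exposed by this CVE, but still behind
    else:
        priority = "at-or-above-patched"
    return {"drivers": drivers, "version": version, "uses_pgsql": uses_pgsql,
            "below_patch": below_patch, "priority": priority}


def assess_site(root: Path, patched: str = PATCHED_VERSION) -> Dict[str, object]:
    """Run assess() against a real Drupal document root."""
    settings = (root / "sites" / "default" / "settings.php").read_text()
    drupal_php = (root / "core" / "lib" / "Drupal.php").read_text()
    return assess(settings, drupal_php, patched)


if __name__ == "__main__":
    # Hypothetical patched version used only to show the output shape.
    print(assess(SAMPLE_SETTINGS, SAMPLE_DRUPAL_PHP, patched="10.2.1"))
```

Run `assess_site(Path("/var/www/drupal"), patched="<fixed release>")` over each document root in your inventory and sort by `priority`; installs that report `patch-first` are the PostgreSQL-backed ones the post is talking about. The regex approach deliberately avoids executing `settings.php`, so it is safe to run from a read-only audit account.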

The Drupal Security Pattern

Drupal has a better security reputation than WordPress — and the data supports it. Drupal's WebPulse security score is 70.0, nearly double WordPress's 38.0. Drupal has an active security team, a structured advisory process, and a history of transparent disclosure. But Drupal also appears in CISA's Known Exploited Vulnerabilities (KEV) catalog, and CVE-2026-9082 follows a pattern of high-severity Drupal vulnerabilities (Drupalgeddon in 2014, Drupalgeddon 2 in 2018) that, while less frequent than WordPress CVEs, tend to be more severe when they occur.

The lesson is consistent across every CMS this month: Ghost (CVSS 9.4), Craft CMS (CVSS 7.7), and now Drupal (CMSS 20/25). Modern architecture does not prevent critical vulnerabilities. It reduces their frequency. But when they occur, they affect the same category of high-value targets that chose the 'more secure' platform specifically because they needed security.

Drupal security score: 70.0 / 100 (vs WordPress 38.0). Better, but not immune. Source: WebPulse, June 2026.
CVEs in this analysis
CVE-2026-9082