What Happened
Drupal released emergency security updates across all supported branches — 11.3, 11.2, 10.6, and 10.5 — on May 20, 2026 to address CVE-2026-9082, a highly critical SQL injection vulnerability in Drupal’s core database abstraction API. The Drupal Security Team rated the issue 20 out of 25 on its severity scale and classified it as highly critical.
The flaw affects sites running PostgreSQL as their database backend. Attackers send specially crafted HTTP requests that trigger arbitrary SQL injection without any authentication or prior account access. Successful exploitation leads to information disclosure and, in many configurations, privilege escalation and remote code execution. The Drupal Security Team pre-announced the release on May 18, warning administrators that exploits arrive within hours or days of a patch drop — and Bitdefender confirmed drive-by attacks began before the May 20 patch window closed.
The updates also include security fixes for the Symfony and Twig components bundled with Drupal, coordinated with upstream project releases. Sites not using PostgreSQL are not exposed to the SQL injection path, but the Symfony and Twig fixes apply to all supported configurations.
Why This Matters for Canadian Organizations
Drupal is the content management system of choice for a large portion of Canada’s public sector web presence. The Government of Canada’s open source CMS guidelines have historically favoured Drupal, and it powers sites across federal departments, Crown corporations, provincial ministries, municipalities, universities, hospitals, and public health agencies. Many of these deployments use PostgreSQL for its licensing, data integrity, and compatibility characteristics in regulated environments.
An unauthenticated SQL injection flaw on a government or healthcare site is not an abstract risk. Attackers who exploit CVE-2026-9082 on a PostgreSQL-backed site with standard Drupal permissions achieve direct read access to the database — which contains user credentials, private file references, submitted forms, and content published but not yet public. In higher-risk configurations, the path to remote code execution is short. Municipalities running Drupal for permitting systems, public health agencies using it for patient-facing portals, and universities hosting research data on PostgreSQL-backed Drupal instances face the greatest exposure.
Under PIPEDA, any organization whose Drupal site stores personal information is obligated to notify the Office of the Privacy Commissioner if personal data is accessed or exfiltrated. Given the drive-by exploitation confirmed by Bitdefender, any unpatched PostgreSQL-backed Drupal site should be treated as potentially compromised from May 20 onward until forensic review confirms otherwise.
What to Do
Update immediately to Drupal 11.3.x, 11.2.x, 10.6.x, or 10.5.x — the patched releases for each respective branch. Check the official Drupal security advisory SA-CORE-2026-004 at drupal.org for the exact version numbers.
Review web server access logs for anomalous SQL-pattern requests targeting your Drupal installation from May 20 onward. Look for unexpected database query patterns in application logs. If your site stores personal information and you cannot confirm the absence of a breach, begin PIPEDA breach assessment procedures. Restrict PostgreSQL database permissions to the minimum required for Drupal operation until the patch is confirmed applied.
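As an added illustration of the log-review step above (example code written for this note, not part of the Drupal advisory), the following Python scans combined-format web server access logs for requests on or after the May 20 patch date whose URL-decoded target matches generic SQL-injection signatures, with PostgreSQL-specific functions included because only PostgreSQL-backed sites are exposed. The log lines, the rule names and the signature list are constructed for this example and are heuristics, not indicators tied to CVE-2026-9082.

```python
import re
from datetime import datetime, timezone
from urllib.parse import unquote_plus

# Constructed sample in Apache/nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [19/May/2026:08:15:02 +0000] "GET /node/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [20/May/2026:14:02:17 +0000] "GET /search/node?keys=drupal HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
198.51.100.7 - - [21/May/2026:03:44:09 +0000] "GET /node/1?x=1%27%20UNION%20SELECT%201-- HTTP/1.1" 200 7710 "-" "curl/8.0"
198.51.100.8 - - [21/May/2026:03:45:31 +0000] "POST /user/login HTTP/1.1" 403 220 "-" "python-requests/2.31"
198.51.100.9 - - [22/May/2026:11:10:00 +0000] "GET /node/2?x=1%3B%20SELECT%20pg_sleep(5) HTTP/1.1" 500 90 "-" "curl/8.0"
"""

# Review window starts at the patch release date given in the advisory.
PATCH_DATE = datetime(2026, 5, 20, tzinfo=timezone.utc)
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Generic SQL-injection heuristics (assumed rule set, not advisory IoCs);
# PostgreSQL functions are included because only PostgreSQL backends are affected.
RULES = {
    "union-select": re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S),
    "stacked-query": re.compile(r";\s*(?:select|insert|update|delete|drop|alter)\b", re.I),
    "comment-terminator": re.compile(r"'.*(?:--|/\*)", re.S),
    "postgres-func": re.compile(r"\b(?:pg_sleep|pg_read_file|pg_ls_dir|current_setting)\s*\(", re.I),
}

def decode_target(path: str) -> str:
    """URL-decode twice so double-encoded payloads are inspected in plain form."""
    return unquote_plus(unquote_plus(path))

def scan_access_log(text: str, since: datetime) -> list[dict]:
    """Return one finding per request at/after `since` whose decoded URL matches a rule."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort a long scan
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if ts < since:
            continue  # outside the review window
        target = decode_target(m["path"])
        hits = [name for name, rx in RULES.items() if rx.search(target)]
        if hits:
            findings.append({"ip": m["ip"], "time": ts.isoformat(), "status": int(m["status"]), "path": target, "rules": hits})
    return findings
```

Run it against real access logs with `scan_access_log(open(path).read(), PATCH_DATE)`; each finding carries the source IP, timestamp, response status and decoded URL so matches can be pivoted into application and database logs for the same window.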