## https://sploitus.com/exploit?id=458CE696-FE39-500F-9131-2E24B1BC2E12
# CVE-2026-9082 / Drupal SA-CORE-2026-004 Proof of Concept
> **Disclaimer: This Proof-of-Concept is for educational and research purposes only. Do not use this software against any system you do not own or have explicit permission to test. The author assumes no liability for misuse or damage caused by this project.**
---
## Overview
A Proof-of-Concept (`poc.py`) of [CVE-2026-9082](https://nvd.nist.gov/vuln/detail/CVE-2026-9082) (Drupal [SA-CORE-2026-004](https://www.drupal.org/sa-core-2026-004)), a critical SQL injection vulnerability in Drupal core that may allow an attacker to submit arbitrary SQL queries when Drupal is configured to use a PostgreSQL database backend.
It stems from Drupal core's PostgreSQL entity-query condition translator, where array keys in an entity query `IN` filter can be manipulated by an attacker to inject arbitrary SQL fragments.
This PoC interacts with Drupal’s JSON:API layer, injecting a malformed SQL condition that results in an HTTP 500 Internal Server Error in vulnerable versions, while patched versions correctly sanitize query keys and prevent the exception.
---
## Vulnerability Information
- **CVE ID:** CVE-2026-9082
- **SA-CORE ID:** SA-CORE-2026-004
- **CVSS Score:** 6.5 (MEDIUM)
- **CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
- **Category:** SQL injection
- **Impact:** Authentication bypass, information disclosure, privilege escalation, remote code execution (depending on configuration)
- **Affected Versions (Drupal core):**
- `>= 8.9.0, = 10.5.0, = 10.6.0, = 11.0.0, = 11.2.0, = 11.3.0, < 11.3.10`
## Reproduction lab
Simply run
```
make
```
We provide a docker-compose reproduction lab using :
* Vulnerable version: Drupal 10.4.9 + PostgreSQL 16
* Patched version: Drupal 11.2.12 + PostgreSQL 16
Both setups come with:
* JSON:API enabled and publicly accessible at `/jsonapi/node/article` without authentication (common configuration in many Drupal sites)
* A single `article` node to ensure that `/jsonapi/node/article` filtering realistically works
The site files and DB content is already prepared in `sites.tar.gz` and `init.sql.gz`
At the time of writing, Drupal 11.2.12 isn't available yet on Docker Hub, so we build a custom image installed with composer