ywh-jfellus/CVE-2026-9082

GitHub: ywh-jfellus/CVE-2026-9082

Stars: 1 | Forks: 1

# CVE-2026-9082 / Drupal SA-CORE-2026-004 Proof of Concept

## Overview

A Proof-of-Concept (`poc.py`) of [CVE-2026-9082](https://nvd.nist.gov/vuln/detail/CVE-2026-9082) (Drupal [SA-CORE-2026-004](https://www.drupal.org/sa-core-2026-004)), a critical SQL injection vulnerability in Drupal core that may allow an attacker to submit arbitrary SQL queries when Drupal is configured to use a PostgreSQL database backend.

It stems from Drupal core's PostgreSQL entity-query condition translator, where array keys in an entity query `IN` filter can be manipulated by an attacker to inject arbitrary SQL fragments.

This PoC interacts with Drupal's JSON:API layer, injecting a malformed SQL condition that results in an HTTP 500 Internal Server Error in vulnerable versions, while patched versions correctly sanitize query keys and prevent the exception.

## Vulnerability Information

- **CVE ID:** CVE-2026-9082
- **SA-CORE ID:** SA-CORE-2026-004
- **CVSS Score:** 6.5 (MEDIUM)
- **CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
- **Category:** SQL injection
- **Impact:** Authentication bypass, information disclosure, privilege escalation, remote code execution (depending on configuration)
- **Affected Versions (Drupal core):**
  - `>= 8.9.0, < 10.4.10`
  - `>= 10.5.0, < 10.5.10`
  - `>= 10.6.0, < 10.6.9`
  - `>= 11.0.0, < 11.1.10`
  - `>= 11.2.0, < 11.2.12`
  - `>= 11.3.0, < 11.3.10`

## Reproduction lab

Simply run `make`.

We provide a docker-compose reproduction lab using:

* Vulnerable version: Drupal 10.4.9 + PostgreSQL 16
* Patched version: Drupal 11.2.12 + PostgreSQL 16

Both setups come with:

* JSON:API enabled and publicly accessible at `/jsonapi/node/article` without authentication (a common configuration on many Drupal sites)
* A single `article` node so that filtering on `/jsonapi/node/article` realistically works

The site files and DB content are already prepared in `sites.tar.gz` and `init.sql.gz`.

At the time of writing, Drupal 11.2.12 isn't available yet on Docker Hub, so we build a custom image installed with Composer.
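As an added example that is not part of this repository or of Drupal, the following Python helper turns the affected-version list above into a check a defender can run against the Drupal core version reported by an install (for example the output of `drush status`); the version strings it parses are constructed inputs, and the exact-bound semantics (lower bound inclusive, upper bound exclusive) follow the `>=`/`<` notation used in the list.

```python
"""Added example (not repository code): classify a Drupal core version
against the SA-CORE-2026-004 / CVE-2026-9082 affected ranges."""
from __future__ import annotations

# Affected ranges from the list above as (inclusive lower, exclusive upper).
AFFECTED_RANGES: list[tuple[tuple[int, int, int], tuple[int, int, int]]] = [
    ((8, 9, 0), (10, 4, 10)),
    ((10, 5, 0), (10, 5, 10)),
    ((10, 6, 0), (10, 6, 9)),
    ((11, 0, 0), (11, 1, 10)),
    ((11, 2, 0), (11, 2, 12)),
    ((11, 3, 0), (11, 3, 10)),
]


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' (an optional leading 'v' is tolerated).

    Anything else, including dev/rc suffixes, is rejected so that an
    unparseable string is never silently reported as "not affected".
    """
    core = version.strip()
    if core.startswith("v"):
        core = core[1:]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Drupal core version: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def first_fixed_version(version: str) -> str | None:
    """Return the upper bound of the matching range (the first release at
    which that range stops being affected), or None if not affected."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


if __name__ == "__main__":
    for sample in ("10.4.9", "11.2.12"):  # constructed inputs: the lab's two versions
        print(sample, "affected" if is_affected(sample) else "not affected",
              first_fixed_version(sample))
```

Run against the two lab versions the check reports Drupal 10.4.9 as affected (fixed in 10.4.10) and 11.2.12 as not affected, matching the vulnerable and patched containers described above.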