{"uuid": "6d3c44bd-9810-46b7-9e9b-88a1a9d60323", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-9082", "type": "seen", "source": "https://gist.github.com/alon710/f82b2c773fad7c904278334fb63b3ad5", "content": "# CVE-2026-9082: CVE-2026-9082: Unauthenticated SQL Injection in Drupal Core PostgreSQL Driver\n\n> **CVSS Score:** 6.5\n> **Published:** 2026-05-20\n> **Full Report:** https://cvereports.com/reports/CVE-2026-9082\n\n## Summary\nDrupal Core contains a highly critical SQL injection vulnerability (CVE-2026-9082) within its Database Abstraction API. The flaw specifically affects installations using the PostgreSQL database backend, allowing unauthenticated attackers to execute arbitrary SQL commands via crafted array keys in filter parameters.\n\n## TL;DR\nUnauthenticated SQL injection in Drupal Core's PostgreSQL driver allows full database compromise and potential remote code execution via crafted JSON:API or search queries.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-89\n- **Attack Vector**: Network (Unauthenticated)\n- **CVSS v3.1 Score**: 6.5\n- **Drupal Risk Score**: 20/25 (Highly Critical)\n- **Exploit Status**: PoC Available\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Drupal Core 8.9.x to 10.4.9 (with PostgreSQL)\n- Drupal Core 10.5.0 to 10.5.9 (with PostgreSQL)\n- Drupal Core 10.6.0 to 10.6.8 (with PostgreSQL)\n- Drupal Core 11.0.0 to 11.1.9 (with PostgreSQL)\n- Drupal Core 11.2.0 to 11.2.11 (with PostgreSQL)\n- Drupal Core 11.3.0 to 11.3.9 (with PostgreSQL)\n- **Drupal Core**: 8.9.0 - 10.4.9 (Fixed in: `10.4.10`)\n- **Drupal Core**: 10.5.0 - 10.5.9 (Fixed in: `10.5.10`)\n- **Drupal Core**: 10.6.0 - 10.6.8 (Fixed in: `10.6.9`)\n- **Drupal Core**: 11.0.0 - 11.1.9 (Fixed in: `11.1.10`)\n- **Drupal Core**: 11.2.0 - 11.2.11 (Fixed in: `11.2.12`)\n- **Drupal Core**: 11.3.0 - 11.3.9 (Fixed in: `11.3.10`)\n\n## Mitigation\n\n- Apply official Drupal Core security patches immediately\n- Revoke PostgreSQL SUPERUSER privileges from the Drupal database user\n- Deploy WAF rules to filter PostgreSQL-specific syntax from incoming requests\n\n**Remediation Steps:**\n1. Identify the current Drupal Core version via the Composer lockfile\n2. Run `composer update drupal/core drupal/core-recommended` to install the patched release\n3. Verify the PostgreSQL database user permissions using `\\du` in the psql console\n4. Configure SIEM and WAF to monitor for `pg_sleep` and `COPY FROM PROGRAM` patterns\n\n## References\n\n- [Official Drupal Advisory (SA-CORE-2026-004)](https://www.drupal.org/sa-core-2026-004)\n- [CVE-2026-9082 at CVE.org](https://www.cve.org/CVERecord?id=CVE-2026-9082)\n- [NVD Record](https://nvd.nist.gov/vuln/detail/CVE-2026-9082)\n- [GitHub PoC Repository (lysophavin18)](https://github.com/lysophavin18/cve-2026-9082)\n- [GitHub PoC Repository (HORKimhab)](https://github.com/HORKimhab/CVE-2026-9082)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-9082) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-21T07:10:50.000000Z"}