Error‑Based SQL Injection Discovered in Drupal Core 10.5.5 (CVE‑2026‑9082) Exposes Database Details
What Happened – A proof‑of‑concept exploit (EDB‑ID 52608) demonstrates an error‑based SQL injection in Drupal Core 10.5.5’s JSON:API endpoint when PostgreSQL is used. By manipulating the filter[my_filter][condition][value] parameter, an attacker can trigger a database error that returns the result of arbitrary SQL sub‑queries, allowing information disclosure such as the PostgreSQL version.
Why It Matters for TPRM –
- Drupal powers thousands of public‑facing websites and intranets; a vulnerable instance can leak internal data to unauthenticated actors.
- The flaw resides in a core component (JSON:API) that many third‑party integrations rely on, expanding the attack surface across supply‑chain relationships.
- Exploitation does not require authentication, making it a low‑effort, high‑impact vector for reconnaissance and further compromise.
Who Is Affected – Organizations that run Drupal 10.5.5 (or earlier unpatched versions) on any stack (Docker, Apache, Nginx, etc.), especially those exposing JSON:API to the internet. Typical sectors include technology/SaaS, retail/e‑commerce, government, education, and media.
Recommended Actions –
- Immediately upgrade to Drupal 10.5.6 or later, where the issue is patched.
- If upgrade is not possible, block or restrict access to the
/jsonapi/*endpoints to trusted IP ranges. - Review web‑application firewall (WAF) rules for the specific payload pattern (
filter[my_filter][condition][value][0||CAST(). - Conduct a targeted scan for the CVE‑2026‑9082 signature on all Drupal instances in the vendor ecosystem.
Technical Notes – The vulnerability is an error‑based SQL injection (CVE‑2026‑9082) affecting the JSON:API module when PostgreSQL is the backend. The exploit injects a crafted filter key that forces the database to evaluate a sub‑query and return the error message, leaking data such as SELECT version(). No CVE‑2026‑9082 patches were available at the time of disclosure. Source: Exploit‑DB 52608