Drupal JSONAPI SQL Injection

Severity: Medium | Web App Scanning | Plugin ID 115251

Synopsis

Drupal JSONAPI SQL Injection

Description

Drupal versions 8.9.x, 9.x, 10.4.0 < 10.4.10, 10.5.0 < 10.5.10, 10.6.0 < 10.6.9, 11.0.0 < 11.1.10, 11.2.0 < 11.2.12 and 11.3.0 < 11.3.10 suffer from a SQL injection vulnerability in the database abstraction API. An unauthenticated, remote attacker can send specially crafted requests to perform arbitrary SQL injection on PostgreSQL-based sites, resulting in information disclosure, and in some cases privilege escalation or remote code execution.

Solution

Upgrade to Drupal 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, 11.3.10 or later. Patches are available for Drupal 8.9 and 9.5.

See Also

https://www.drupal.org/sa-core-2026-004

Plugin Details

Severity: Medium

ID: 115251

Type: Check Based

Published: 5/22/2026

Updated: 5/22/2026

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 5.8

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2026-9082

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS Score Source: CVE-2026-9082

Vulnerability Information

CPE: cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/20/2026

Vulnerability Publication Date: 5/18/2026

Reference Information

CVE: CVE-2026-9082