dinosn/drupal-sa-core-2026-004-lab — explained in plain English
Analysis updated 2026-05-18
Reproduce the Drupal core SQL injection vulnerability in an isolated Docker lab.
Run a detection script to check whether a Drupal site running PostgreSQL is vulnerable.
Study a real world SQL injection bug through line by line code analysis.
Scan server logs for signs that someone has already probed a site for this vulnerability.
| dinosn/drupal-sa-core-2026-004-lab | adeliox/klein-head-swap | ats4321/ragit | |
|---|---|---|---|
| Stars | 4 | 4 | 4 |
| Language | Python | Python | Python |
| Setup difficulty | moderate | moderate | moderate |
| Complexity | 3/5 | 3/5 | 2/5 |
| Audience | researcher | designer | developer |
Figures from each repo's GitHub metadata at analysis time.
Needs Docker to run the vulnerable Drupal and PostgreSQL lab environment.
Drupal is a widely-used open-source content management system that powers a large number of websites and web applications. In May 2026, a security vulnerability rated highly critical (20 out of 25) was disclosed in Drupal core, affecting installations that use PostgreSQL as their database. This repository is a self-contained research lab for understanding, reproducing, and detecting that vulnerability in a controlled environment. The vulnerability is a SQL injection, a class of bug where an attacker can insert their own database commands into a query the application constructs. In Drupal's case, the bug is in a piece of code that builds database queries from filter conditions passed in through a web API called JSON:API. When a user sends a request with an associative array as the value in a filter, the array's keys get concatenated directly into the SQL placeholder names without being sanitized. An attacker who controls those keys can break out of the placeholder format and inject arbitrary SQL into the WHERE clause of the query. The fix was a single line: wrapping the array with a function that strips its keys and forces them to be sequential integers, which cannot be used as SQL injection. The repository provides a Docker-based lab that spins up a vulnerable Drupal 11.3.9 instance with PostgreSQL in about five minutes. A Python detection script then probes the site by sending requests with special characters in filter keys and checks whether the server returns an error message that proves the bug is present. The script is a vulnerability detector, not a full data-extraction exploit, it tells you whether a site is vulnerable but does not extract data from the database. The affected versions span most modern Drupal releases from 8.9 through 11.3, and only those running PostgreSQL are exploitable through this specific code path. MySQL and SQLite backends take a different code path and are not affected. The fix has been backported to all supported branches. The repository also includes a line-by-line code analysis, captured evidence from a vulnerable test run, and detection guidance for defenders who want to scan their logs for signs that someone has already probed their site.
A research lab for reproducing and detecting a critical 2026 SQL injection vulnerability in Drupal core when running on PostgreSQL.
Mainly Python. The stack also includes Python, Docker, PostgreSQL.
Setup difficulty is rated moderate, with roughly 30min to a first successful run.
Mainly researcher.
This repo across BitVibe Labs
Verify against the repo before relying on details.