whatisgithub

What is drupal-sa-core-2026-004-lab?

dinosn/drupal-sa-core-2026-004-lab — explained in plain English

Analysis updated 2026-05-18

4PythonAudience · researcherComplexity · 3/5Setup · moderate

In one sentence

A research lab for reproducing and detecting a critical 2026 SQL injection vulnerability in Drupal core when running on PostgreSQL.

Mindmap

mindmap
  root((drupal-sa-lab))
    What it does
      Reproduces CVE
      Docker test lab
      Detection script
    Vulnerability
      SQL injection
      JSON API filters
      PostgreSQL only
    Tech stack
      Python
      Docker
      Drupal PostgreSQL
    Use cases
      Security research
      Log scanning
      Defender detection

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Reproduce the Drupal core SQL injection vulnerability in an isolated Docker lab.

USE CASE 2

Run a detection script to check whether a Drupal site running PostgreSQL is vulnerable.

USE CASE 3

Study a real world SQL injection bug through line by line code analysis.

USE CASE 4

Scan server logs for signs that someone has already probed a site for this vulnerability.

What is it built with?

PythonDockerPostgreSQLDrupal

How does it compare?

dinosn/drupal-sa-core-2026-004-labadeliox/klein-head-swapats4321/ragit
Stars444
LanguagePythonPythonPython
Setup difficultymoderatemoderatemoderate
Complexity3/53/52/5
Audienceresearcherdesignerdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate Time to first run · 30min

Needs Docker to run the vulnerable Drupal and PostgreSQL lab environment.

So what is it?

Drupal is a widely-used open-source content management system that powers a large number of websites and web applications. In May 2026, a security vulnerability rated highly critical (20 out of 25) was disclosed in Drupal core, affecting installations that use PostgreSQL as their database. This repository is a self-contained research lab for understanding, reproducing, and detecting that vulnerability in a controlled environment. The vulnerability is a SQL injection, a class of bug where an attacker can insert their own database commands into a query the application constructs. In Drupal's case, the bug is in a piece of code that builds database queries from filter conditions passed in through a web API called JSON:API. When a user sends a request with an associative array as the value in a filter, the array's keys get concatenated directly into the SQL placeholder names without being sanitized. An attacker who controls those keys can break out of the placeholder format and inject arbitrary SQL into the WHERE clause of the query. The fix was a single line: wrapping the array with a function that strips its keys and forces them to be sequential integers, which cannot be used as SQL injection. The repository provides a Docker-based lab that spins up a vulnerable Drupal 11.3.9 instance with PostgreSQL in about five minutes. A Python detection script then probes the site by sending requests with special characters in filter keys and checks whether the server returns an error message that proves the bug is present. The script is a vulnerability detector, not a full data-extraction exploit, it tells you whether a site is vulnerable but does not extract data from the database. The affected versions span most modern Drupal releases from 8.9 through 11.3, and only those running PostgreSQL are exploitable through this specific code path. MySQL and SQLite backends take a different code path and are not affected. The fix has been backported to all supported branches. The repository also includes a line-by-line code analysis, captured evidence from a vulnerable test run, and detection guidance for defenders who want to scan their logs for signs that someone has already probed their site.

Copy-paste prompts

Prompt 1
Help me spin up the Docker lab for this Drupal SQL injection vulnerability.
Prompt 2
Explain how the unsanitized JSON:API filter keys lead to SQL injection in Drupal.
Prompt 3
Show me how the Python detection script checks if a site is vulnerable.
Prompt 4
What should I look for in my server logs to detect probing for this vulnerability?

Frequently asked questions

What is drupal-sa-core-2026-004-lab?

A research lab for reproducing and detecting a critical 2026 SQL injection vulnerability in Drupal core when running on PostgreSQL.

What language is drupal-sa-core-2026-004-lab written in?

Mainly Python. The stack also includes Python, Docker, PostgreSQL.

How hard is drupal-sa-core-2026-004-lab to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is drupal-sa-core-2026-004-lab for?

Mainly researcher.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.