Platform: python
Component: ormar
Fixed in: 0.9.10, 0.23.0
CVE-2026-26198 describes a critical SQL Injection vulnerability discovered in Ormar ORM. This flaw allows attackers to inject malicious SQL code by manipulating column names passed to aggregate functions like min() and max(). Versions of Ormar ORM prior to 0.23.0 are affected. A patch has been released to address this vulnerability.
The SQL Injection vulnerability in Ormar ORM poses a significant risk. An attacker can craft malicious input that, when processed by the ORM, results in the execution of arbitrary SQL commands against the underlying database. This could lead to unauthorized access to sensitive data, including user credentials, financial information, or other confidential records. Depending on the database permissions, an attacker might even be able to modify or delete data, or gain control of the database server itself. The lack of input validation on column names within aggregate functions makes this exploitation relatively straightforward.
This vulnerability was publicly disclosed on 2026-02-23. No known public exploits or active campaigns have been reported at the time of writing. The severity is rated CRITICAL (CVSS 9.8), indicating a high probability of exploitation if left unaddressed. The CVE is not currently listed in CISA's KEV catalog.
Applications utilizing Ormar ORM for database interaction are at risk. This includes Python web applications, backend services, and any system where user-supplied data is directly incorporated into SQL queries without proper sanitization. Projects relying on older, unpatched versions of Ormar ORM are particularly vulnerable.
• python / server:
import asyncio
import databases
import ormar
import sqlalchemy
# A file-backed SQLite database so that create_all() and the ORM share one schema
database = databases.Database("sqlite:///demo.db")
metadata = sqlalchemy.MetaData()
base_ormar_config = ormar.OrmarConfig(database=database, metadata=metadata)

# Example vulnerable query
class MyModel(ormar.Model):
    ormar_config = base_ormar_config.copy(tablename="mymodel")
    id: int = ormar.Integer(primary_key=True)
    name: str = ormar.String(max_length=100)

async def main() -> None:
    metadata.create_all(sqlalchemy.create_engine("sqlite:///demo.db"))
    async with database:
        # Vulnerable code - user input directly into min() function as the column name
        user_input = "' UNION SELECT 1, 2, 3 --"
        result = await MyModel.objects.min(user_input)
        print(result)

asyncio.run(main())
# This query is vulnerable to SQL injection: the column name is never checked against the model's declared fields
• generic web: Inspect application logs for unusual SQL query patterns or errors related to aggregate functions. Because the injection point is the column-name position, look for quote characters, comment markers, or SQL keywords where a plain identifier is expected; these may indicate an injection attempt.
EPSS: 0.01% (3rd percentile)
The primary mitigation for CVE-2026-26198 is to upgrade to Ormar ORM version 0.23.0 or later, which includes the necessary fixes. If an immediate upgrade is not feasible, implement input validation and sanitization on all user-supplied data used in SQL queries. Parameterized queries or prepared statements help against SQL injection in general, but they are not a complete solution here: bound parameters protect values, not identifiers, so column names passed to aggregate functions must instead be checked against an allow-list of the model's declared fields. Carefully review and restrict database user permissions to limit the potential impact of a successful attack. After upgrading, verify the fix by attempting to inject SQL code into aggregate functions and confirming that the queries are properly sanitized.
Update the Ormar library to version 0.23.0 or higher. This version fixes the SQL injection vulnerability in the aggregate functions min() and max(). The update prevents unauthorized users from reading sensitive information from the database.
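The allow-list check that the mitigation paragraphs above call for, as an added example that is not part of this advisory or of the ormar project: it accepts a column name (or list of names) only if each one is a plain identifier that matches a declared field, and rejects everything else before it can reach min() or max(). The allowed-field set here is constructed for the demonstration; in a real ormar application it would be derived from the model's declared fields (assumed to be reachable as MyModel.ormar_config.model_fields), and the check deliberately covers direct fields only, not ormar's double-underscore relation traversal.

```python
import re
from typing import Iterable, List, Union

# Constructed allow-list for the demonstration. In a real ormar application
# this would be built from the model's declared fields, e.g. (assumed API)
# frozenset(MyModel.ormar_config.model_fields.keys()).
ALLOWED_COLUMNS = frozenset({"id", "name", "created_at"})

# A bare identifier: letters, digits and underscores only. Quotes, spaces,
# comment markers and keyword sequences never match, so they are rejected.
IDENTIFIER_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def validate_aggregate_columns(
    columns: Union[str, Iterable[str]],
    allowed: frozenset = ALLOWED_COLUMNS,
) -> List[str]:
    """Return the column list only if every entry is a declared field name.

    Pass the returned list to min()/max() so that nothing reaches the query
    builder that was not already a known column. Raises ValueError otherwise,
    which the calling request handler should map to a client error.
    """
    if isinstance(columns, str):
        columns = [columns]
    cleaned: List[str] = []
    for col in columns:
        if not isinstance(col, str) or not IDENTIFIER_RE.fullmatch(col):
            raise ValueError(f"column name is not a plain identifier: {col!r}")
        if col not in allowed:
            raise ValueError(f"column is not an aggregatable field: {col!r}")
        cleaned.append(col)
    if not cleaned:
        raise ValueError("at least one column is required")
    return cleaned


def is_safe_aggregate_request(columns: Union[str, Iterable[str]]) -> bool:
    """Boolean form of the same check, convenient for request-level guards."""
    try:
        validate_aggregate_columns(columns)
    except ValueError:
        return False
    return True


# Intended use with ormar (not executed here; assumes a model named MyModel):
#   await MyModel.objects.min(validate_aggregate_columns(user_supplied))
```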
CVE-2026-26198 is a critical SQL Injection vulnerability affecting Ormar ORM versions up to 0.9.9. It allows attackers to inject malicious SQL code through crafted strings in aggregate functions, potentially leading to data breaches.
You are affected if you are using Ormar ORM versions 0.9.9 or earlier. Upgrade to version 0.23.0 or later to resolve the vulnerability.
The recommended fix is to upgrade Ormar ORM to version 0.23.0 or later. As a temporary workaround, implement strict input validation and sanitization on all user-supplied data used in SQL queries.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest a potential for active exploitation if a proof-of-concept is released.
Refer to the Ormar project's official repository and release notes for the advisory and details on the fix: [https://github.com/Ormar/ormar](https://github.com/Ormar/ormar)