Platform: nodejs
Component: node.js
Fixed in: 6.6.11, 7.0.1, 6.6.11, 7.0.7
CVE-2026-34220 describes a SQL injection vulnerability discovered in MikroORM, a TypeScript ORM for Node.js. The flaw allows attackers to inject arbitrary SQL by supplying specially crafted objects that the ORM interprets as raw SQL fragments. The vulnerability affects versions 7.0.0 through 7.0.6 and has been resolved in version 6.6.10. Immediate patching is recommended.
Successful exploitation of CVE-2026-34220 could allow an attacker to bypass application security controls and directly manipulate the underlying database. This could lead to unauthorized data access, modification, or deletion. Depending on the database schema and application logic, an attacker might be able to extract sensitive information like user credentials, financial data, or personally identifiable information (PII). The impact is particularly severe if the database contains critical business data or is used to store sensitive user information. While the specific attack vector requires crafting malicious objects, the potential for widespread data compromise makes this a high-priority vulnerability.
CVE-2026-34220 was publicly disclosed on 2026-03-31. There is currently no indication of active exploitation in the wild, but the CRITICAL severity and the potential for easy exploitation warrant immediate attention. No Proof of Concept (PoC) code has been publicly released as of this writing. This vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.04% (11th percentile)
CVSS Vector
The primary mitigation for CVE-2026-34220 is to upgrade MikroORM to version 6.6.10 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing input validation and sanitization on all user-supplied data used in SQL queries. Web application firewalls (WAFs) configured to detect and block SQL injection attempts can provide an additional layer of defense. Review application code for any instances where user-controlled data is directly incorporated into SQL queries, and ensure proper escaping or parameterization is used. After upgrading, verify the fix by attempting to inject a simple SQL query through a crafted object and confirming that it is properly sanitized and does not execute.
Update MikroORM to version 6.6.10 or higher, or to version 7.0.6 or higher, as appropriate. This corrects the SQL injection vulnerability when interpreting specially crafted objects as raw SQL query fragments.
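The input validation recommended above as an interim measure can be made concrete. The following TypeScript is an added example, not code from the MikroORM project or from this advisory: it allowlists which fields an untrusted JSON filter may reference, accepts only scalars (or arrays of scalars) for them, and refuses any nested object, because an object in a filter position is exactly the shape an ORM might treat as an operator map or a raw SQL fragment. All identifiers (`sanitizeFilter`, `FilterSpec`, `FilterValidationError`, `isRejected`) and the sample payloads are assumptions constructed for illustration; the validator is ORM-agnostic and makes no claim about MikroORM's own internals.

```typescript
// Added example (not MikroORM project code or part of the advisory):
// allowlist-based validation of an untrusted filter object before it is
// handed to any ORM query method. All identifiers below are assumed names.

type Scalar = string | number | boolean | null;
type SafeFilter = Record<string, Scalar | Scalar[]>;

// Allowlist: the fields a caller may filter on and the scalar type each accepts.
interface FilterSpec {
  [field: string]: 'string' | 'number' | 'boolean';
}

class FilterValidationError extends Error {
  constructor(message: string) {
    super(message);
    // Keep instanceof working when compiled to older JS targets.
    Object.setPrototypeOf(this, FilterValidationError.prototype);
    this.name = 'FilterValidationError';
  }
}

// Only plain objects (as produced by JSON.parse) are acceptable containers.
function isPlainObject(v: unknown): v is Record<string, unknown> {
  if (v === null || typeof v !== 'object' || Array.isArray(v)) return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

function checkScalar(field: string, v: unknown, expected: string): Scalar {
  if (v === null) return null;
  if (typeof v !== expected) {
    throw new FilterValidationError(`field "${field}": expected ${expected}, got ${typeof v}`);
  }
  if (typeof v === 'number' && !Number.isFinite(v)) {
    throw new FilterValidationError(`field "${field}": number must be finite`);
  }
  return v as Scalar;
}

// Returns a fresh object containing only allowlisted fields with scalar values.
// Anything else (unknown fields, nested objects, wrong types) throws.
function sanitizeFilter(untrusted: unknown, spec: FilterSpec): SafeFilter {
  if (!isPlainObject(untrusted)) {
    throw new FilterValidationError('filter must be a plain JSON object');
  }
  const out: SafeFilter = {};
  for (const key of Object.keys(untrusted)) {
    // hasOwnProperty.call keeps "__proto__"/"constructor"-style keys off the allowlist.
    const expected = Object.prototype.hasOwnProperty.call(spec, key) ? spec[key] : undefined;
    if (expected === undefined) {
      throw new FilterValidationError(`field "${key}" is not filterable`);
    }
    const value = untrusted[key];
    if (Array.isArray(value)) {
      // Arrays of scalars are fine (typical IN-list semantics); each element is type-checked.
      out[key] = value.map((item) => checkScalar(key, item, expected));
    } else if (typeof value === 'object' && value !== null) {
      // A nested object in a filter position is the shape an ORM may interpret as an
      // operator map or a raw SQL fragment, so it is refused rather than "sanitised".
      throw new FilterValidationError(`field "${key}": nested objects are not allowed`);
    } else {
      out[key] = checkScalar(key, value, expected);
    }
  }
  return out;
}

// Constructed sample payloads, as a request handler might receive them.
const USER_FILTER_SPEC: FilterSpec = { email: 'string', age: 'number', active: 'boolean' };
const BENIGN_BODY = '{"email":"alice@example.com","age":[30,31],"active":true}';
const HOSTILE_BODY = '{"email":{"not-a-scalar":"placeholder"},"active":true}'; // nested object: rejected

// Predicate: true if the body is rejected with a validation error (used for verification).
function isRejected(body: string, spec: FilterSpec = USER_FILTER_SPEC): boolean {
  try {
    sanitizeFilter(JSON.parse(body), spec);
    return false;
  } catch (e) {
    return e instanceof FilterValidationError;
  }
}

// Typical use: const where = sanitizeFilter(JSON.parse(requestBody), USER_FILTER_SPEC);
// and only then pass `where` to the ORM's find/query method.
```

Apply it at the boundary where request JSON becomes a query argument, with a separate allowlist per endpoint, and keep it in place after upgrading: it is defense in depth, while the primary remediation remains the fixed MikroORM release.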
CVE-2026-34220 is a critical vulnerability in MikroORM versions 7.0.0–7.0.6 allowing attackers to inject malicious SQL queries through crafted objects, potentially leading to data breaches.
You are affected if your Node.js application uses MikroORM versions 7.0.0 through 7.0.6. Versions 6.6.10 and later are not affected.
Upgrade MikroORM to version 6.6.10 or later. Implement input validation and sanitization as a temporary workaround if immediate patching is not possible.
There is currently no indication of active exploitation in the wild, but the CRITICAL severity warrants immediate attention.
Refer to the official MikroORM security advisory for detailed information and updates: [https://mikro-orm.io/security/CVE-2026-34220](https://mikro-orm.io/security/CVE-2026-34220)