Platform: nodejs
Component: drizzle-orm
Fixed in: 0.45.3, 1.0.1, 0.45.2
CVE-2026-39356 is a SQL injection vulnerability in the drizzle-orm library. The flaw arises from improper escaping of quoted SQL identifiers (table, column and alias names), so an identifier built from attacker-controlled data can break out of its quoting and carry SQL into the generated statement. It affects drizzle-orm releases before 0.45.2 (and, on the 1.0 prerelease line, before 1.0.0-beta.20) and is fixed by upgrading.
An attacker who controls an identifier that reaches a vulnerable code path can inject arbitrary SQL into the resulting statement, leading to unauthorized reads, modification or deletion of data. Depending on the privileges of the database user and the surrounding application logic, this can extend to privilege escalation, control of the database server, or compromise of the whole application. The impact is most severe where the application handles sensitive data or critical business processes, or where the database account is over-privileged; successful exploitation can mean a data breach with the financial and reputational consequences that follow.
This vulnerability was publicly disclosed on 2026-04-08. Currently, there are no known active exploitation campaigns targeting this specific vulnerability. No public proof-of-concept (PoC) code has been released. The vulnerability is not listed on the CISA KEV catalog at the time of this writing.
Exploit Status
EPSS: 0.04% (13th percentile)
CISA SSVC: not provided
CVSS Vector: not provided
The primary mitigation for CVE-2026-39356 is to upgrade to drizzle-orm 0.45.2 or later (1.0.0-beta.20 or later on the 1.0 prerelease line). If you cannot upgrade immediately, stop passing user-supplied data into SQL identifiers: map request input to an allowlist of known table, column and alias names before it reaches the query builder. Note that parameterized queries and prepared statements bind values, not identifiers, so they do not protect a dynamically built table, column or alias name; they remain good practice for values but are not a workaround for this flaw. As defense in depth, monitor database logs for unexpected statements and consider a Web Application Firewall (WAF) with SQL injection rules.
Update to version 0.45.2, or 1.0.0-beta.20 or higher on the 1.0 prerelease line, to mitigate the SQL injection vulnerability. The fix corrects how quoted SQL identifiers are escaped, so an identifier can no longer break out of its quoting. Review your code for any use of `sql.identifier()` or `.as()` whose argument can be influenced by request data, and ensure that value is validated against an allowlist rather than passed through.
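The following is an added example written for this page; it is not drizzle-orm's code and does not describe the library's internal defect, which this advisory does not detail. It shows the general shape of the problem and of the review the paragraphs above ask for: a naive identifier quoter that lets an embedded double quote close the identifier early, a correct PostgreSQL-style quoter that doubles embedded quotes, and an allowlist that resolves a user-facing sort key to a known column so the raw request value never becomes part of the SQL text. The function names, the `SORTABLE_COLUMNS` allowlist and the hostile input are constructed for illustration; in a drizzle-based application the resolved column name is what you would hand to `sql.identifier()` or `.as()`.

```javascript
// Added example (not drizzle-orm code): quoting and allowlisting SQL identifiers.
// Identifiers (table/column/alias names) cannot be bound as query parameters,
// so any name that reaches the SQL text must be allowlisted or quoted correctly.

// Naive quoting: wraps the name in double quotes but never escapes an embedded
// quote. Kept only to show how a quoted-identifier escaping error lets the
// input close the quotes early. Generic illustration, not drizzle's actual bug.
function naiveQuoteIdentifier(name) {
  return '"' + name + '"';
}

// Correct quoting for PostgreSQL-style identifiers: every embedded double quote
// is doubled, and NUL bytes (never valid in an identifier) are rejected.
function quoteIdentifier(name) {
  if (typeof name !== "string" || name.length === 0) {
    throw new TypeError("identifier must be a non-empty string");
  }
  if (name.includes("\0")) {
    throw new TypeError("identifier must not contain NUL");
  }
  return '"' + name.replace(/"/g, '""') + '"';
}

// Primary control: map the user-facing sort key to a known column through an
// allowlist, so the user's string never becomes part of the SQL text at all.
// The column set is a constructed example for a hypothetical users table.
const SORTABLE_COLUMNS = Object.freeze({
  email: "email",
  created: "created_at",
  name: "display_name",
});

function resolveSortColumn(userSortKey, allowlist = SORTABLE_COLUMNS) {
  // hasOwnProperty.call avoids matching inherited keys such as "__proto__".
  if (!Object.prototype.hasOwnProperty.call(allowlist, userSortKey)) {
    throw new RangeError(`unsupported sort key: ${JSON.stringify(userSortKey)}`);
  }
  return allowlist[userSortKey];
}

// Build an ORDER BY fragment from request parameters. Only the allowlisted
// column is quoted; the direction is normalised to one of two literals.
function buildOrderBy(userSortKey, direction = "asc") {
  const column = resolveSortColumn(userSortKey);
  const dir = String(direction).toLowerCase() === "desc" ? "DESC" : "ASC";
  return `ORDER BY ${quoteIdentifier(column)} ${dir}`;
}

// Demonstration with a constructed hostile input: a "column name" that carries
// a double quote followed by trailing SQL.
function demo() {
  const hostile = 'email" FROM users; --';
  return {
    naive: naiveQuoteIdentifier(hostile),  // quote closed early; SQL leaks into the statement
    correct: quoteIdentifier(hostile),     // still a single quoted identifier
    orderBy: buildOrderBy("created", "desc"),
  };
}

console.log(demo());
```

The allowlist is the control that matters regardless of ORM version: even with correct quoting, accepting arbitrary column names from a request lets a caller sort or select on columns you never meant to expose.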
CVE-2026-39356 is a SQL Injection vulnerability in the drizzle-orm library, allowing attackers to inject malicious SQL code by manipulating identifiers.
You are affected if you are using drizzle-orm versions prior to 0.45.2 and your application uses user-supplied data in SQL identifier construction.
Upgrade to drizzle-orm version 0.45.2 or later. As a temporary workaround, validate any user-supplied data used in an identifier against an allowlist of known names; parameter binding does not cover identifiers.
Currently, there are no known active exploitation campaigns targeting this vulnerability, and no public PoC code is available.
Refer to the official drizzle-orm release notes and security advisories on their GitHub repository for the most up-to-date information.