CVE-2026-34220

CRITICAL
2026-03-29 https://github.com/mikro-orm/mikro-orm GHSA-gwhv-j974-6fxm
9.3
CVSS 4.0

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

Patch Released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 29, 2026 - 16:00 vuln.today
CVE Published
Mar 29, 2026 - 15:44 nvd

Tags

Description

## Summary

MikroORM versions <= 6.6.9 and <= 7.0.5 are vulnerable to SQL injection when specially crafted objects are interpreted as raw SQL query fragments.

## Impact

If user-controlled input is passed directly to MikroORM query construction APIs, an attacker may inject raw SQL fragments. This can lead to SQL injection depending on the database and query being executed.

## Affected usage

The issue occurs when untrusted objects are passed to ORM write APIs such as:

- `wrap(entity).assign(userInput)` followed by `em.flush()`
- `em.nativeUpdate()`
- `em.nativeInsert()`
- `em.create()` followed by `em.flush()`

Applications that validate input types or enforce strict schema validation before passing data to MikroORM are not affected.

## Fix

The vulnerability was caused by duck-typed detection of internal ORM marker properties. The fix replaces these checks with symbol-based markers that cannot be reproduced by user input.

Analysis

SQL injection in MikroORM JavaScript ORM (versions ≤6.6.9 and ≤7.0.5) allows attackers to execute arbitrary SQL commands when specially crafted user-controlled objects are passed to query construction APIs. The vulnerability stems from duck-typed detection of internal ORM markers that attackers can replicate in malicious input objects. …


Remediation

Within 24 hours: Audit all Node.js applications for MikroORM dependency versions ≤6.6.9 or ≤7.0.5 using 'npm list mikroorm' or equivalent package management tools; identify which applications accept untrusted user input in write operations (wrap(), assign(), nativeUpdate(), nativeInsert(), create()). Within 7 days: Implement input validation and parameterized query patterns as interim controls; restrict direct user object binding to ORM APIs; enable database audit logging for write operations. …
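The duck-typed marker check the advisory describes, beside the symbol-keyed form the fix moves to, together with the input-validation interim control from the remediation guidance, as an added example written for this page. It is not MikroORM's code, and every name in it (the marker names, `raw()`, `isRawDuckTyped()`, `isRawSymbol()`, `buildSetClause()`, `assertScalarFields()`) is hypothetical.

```javascript
// Hypothetical marker names; MikroORM's real internals are not reproduced here.
const RAW_MARKER_PROP = '__raw';          // duck-typed string marker (the fragile pattern)
const RAW_MARKER_SYMBOL = Symbol('raw');  // symbol marker (the shape of the fix)

// Builds a genuine raw fragment the way an ORM helper would.
function raw(sql) {
  return { [RAW_MARKER_SYMBOL]: true, sql };
}

// Vulnerable pattern: any object that happens to carry the string property passes.
function isRawDuckTyped(value) {
  return value !== null && typeof value === 'object' && value[RAW_MARKER_PROP] === true;
}

// Hardened pattern: only objects built by raw() carry the symbol key. JSON.parse,
// query-string and form decoders produce string keys only, so deserialized input
// can never satisfy this check.
function isRawSymbol(value) {
  return value !== null && typeof value === 'object' && value[RAW_MARKER_SYMBOL] === true;
}

// Minimal UPDATE ... SET builder: raw fragments are inlined verbatim, every other
// value becomes a bound parameter.
function buildSetClause(data, isRaw) {
  const parts = [];
  const params = [];
  for (const [column, value] of Object.entries(data)) {
    if (isRaw(value)) {
      parts.push(`${column} = ${value.sql}`);
    } else {
      parts.push(`${column} = ?`);
      params.push(value);
    }
  }
  return { sql: `SET ${parts.join(', ')}`, params };
}

// Interim control from the remediation guidance: allow-list the writable columns
// and reject any non-scalar value before the data reaches the ORM.
function assertScalarFields(data, allowedColumns) {
  for (const [column, value] of Object.entries(data)) {
    if (!allowedColumns.includes(column)) throw new TypeError(`unexpected field: ${column}`);
    if (value !== null && typeof value === 'object') throw new TypeError(`non-scalar value for ${column}`);
  }
  return data;
}

// Constructed request body: the client supplies an object shaped like a string-marked fragment.
const untrustedBody = JSON.parse('{"name":"alice","quota":{"__raw":true,"sql":"1 + 1"}}');
```

Run with `isRawDuckTyped` the nested object is inlined into the SET clause; with `isRawSymbol` it is bound as an ordinary parameter, and `assertScalarFields` rejects it before either builder sees it.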


Priority Score

47
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +46
POC: 0


