Skip to main content

MikroORM CVE-2026-44680

| EUVDEUVD-2026-31893 HIGH
SQL Injection (CWE-89)
2026-05-08 https://github.com/mikro-orm/mikro-orm GHSA-cfw5-68c4-ffqp
7.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.6 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Source Code Evidence Fetched
May 08, 2026 - 20:01 vuln.today
Analysis Generated
May 08, 2026 - 20:01 vuln.today
CVE Published
May 08, 2026 - 19:17 nvd
HIGH 7.6

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 100 npm packages depend on @mikro-orm/knex (19 direct, 82 indirect)
  • 11 npm packages depend on @mikro-orm/sql (8 direct, 3 indirect)

Ecosystem-wide dependent count for version 6.6.14 and other introduced versions.

DescriptionGitHub Advisory

Summary

MikroORM's identifier-quoting helper (Platform.quoteIdentifier and the postgres/mssql overrides) and its JSON-path emitters (Platform.getSearchJsonPropertyKey, quoteJsonKey) did not properly escape characters that delimit the SQL identifier or string-literal context they emit into. When application code passes attacker-influenced strings to public ORM APIs that expect an identifier or a JSON-property filter, an attacker can break out of the quoted context and inject arbitrary SQL.

Affected APIs

The vulnerability is reachable when application code passes an attacker-influenced string to any of the following documented APIs:

  • Multi-tenant schema option - em.fork({ schema }), qb.withSchema(name), wrap(entity).setSchema(name), em.create(Cls, data, { schema }). The schema name is concatenated into the SQL identifier and never had its dialect quote character escaped.
  • em.find / qb.where JSON-property filters - em.find(Entity, { jsonCol: { [userKey]: value } }). The user-supplied JSON sub-keys cannot be validated against any metadata (JSON columns are schemaless by design), and were spliced into the SQL string literal of the JSON path expression without escaping.
  • qb.where / qb.orderBy / qb.groupBy / qb.having / qb.select keys - keys containing . or :: bypassed the structured-where metadata validator in CriteriaNode, then flowed through the same broken quoteIdentifier. Apps that forwarded raw filter keys from request input were already broken on authorization grounds (e.g. { isAdmin: true }); the SQL injection here is a defence-in-depth failure on top of that.

The vulnerability does not affect documented escape-hatch APIs (raw(), the sql tagged template, qb.raw(), em.raw()) - those are documented as accepting raw SQL and are the application's responsibility to sanitize.

Impact

  • Confidentiality - read from any table/schema the database user has access to (cross-tenant data leak in multi-tenant deployments).
  • Integrity - on dialects supporting multi-statement queries (MSSQL, MySQL with multi-statement enabled), execute additional arbitrary SQL statements (data modification, in-database privilege escalation).
  • Availability - DROP/TRUNCATE via injected statements where the database user has the privilege.

Affected dialects

All SQL dialects supported by MikroORM. The identifier-quoting bug exists in every dialect's quoteIdentifier (the dialect's own quote character - backtick, double quote, or right bracket - was not doubled when embedded in the identifier). The JSON-path bug exists in all dialects' getSearchJsonPropertyKey/quoteJsonKey.

MongoDB driver is not affected (no SQL).

Patches

  • v7: upgrade to 7.0.14 or later.
  • v6: upgrade to 6.6.14 or later.

Patches:

  • Identifier quoting: #7653 (master) / #7654 (6.x)
  • JSON-path keys: #7656 (master) / #7657 (6.x)

Workarounds

If users cannot upgrade immediately:

  • For multi-tenant apps using em.fork({ schema }) / wrap().setSchema() / qb.withSchema(): validate the schema name against a strict allowlist (e.g. ^[A-Za-z_][\w$]*$) before passing it to MikroORM.
  • For applications that pass where / orderBy filters from request input: validate every key against the entity's known properties before constructing the filter; do not pass keys containing . or :: from user input.
  • For applications that allow filtering on JSON columns from request input: validate every JSON sub-key against an allowlist (or against ^[a-zA-Z_][\w]*$) before passing it to em.find.

Credits

Reported and patched by Martin Adámek (project maintainer) during an internal security review.

AnalysisAI

SQL injection in MikroORM versions ≤7.0.13 (v7) and ≤6.6.13 (v6) allows authenticated attackers to execute arbitrary SQL queries by injecting malicious characters into schema names, JSON property filters, or query builder keys. The vulnerability stems from improper escaping of dialect-specific quote characters in identifier-quoting and JSON-path functions. Multi-tenant applications are at heightened risk of cross-tenant data leakage. Vendor-released patches are available: upgrade to 7.0.14 (v7) or 6.6.14 (v6). No public exploit identified at time of analysis, though the vulnerability was discovered during internal security review by the project maintainer.

Technical ContextAI

MikroORM is a TypeScript ORM for Node.js supporting multiple SQL databases (PostgreSQL, MySQL, MariaDB, MSSQL, SQLite). The vulnerability exists in the Platform.quoteIdentifier method and its dialect-specific overrides (PostgreSqlPlatform, MsSqlPlatform) which wrap SQL identifiers in dialect-specific quote characters (double-quotes for PostgreSQL, backticks for MySQL/MariaDB/SQLite, brackets for MSSQL). The code failed to escape embedded quote characters before concatenation-for example, a PostgreSQL identifier containing a double-quote character was not doubled per SQL standard, allowing an attacker to prematurely close the quoted context and inject arbitrary SQL. A parallel flaw existed in getSearchJsonPropertyKey/quoteJsonKey functions used for JSON path expressions in JSONB/JSON column queries. This is a classic CWE-89 (SQL Injection) failure where structured API parameters (schema names, JSON keys) were treated as identifiers but not sanitized according to SQL string-literal and identifier-quoting rules. The patches apply .replaceAll(quote, quote+quote) before wrapping identifiers, implementing proper SQL escaping per ANSI SQL-92 identifier delimited form rules.

RemediationAI

Upgrade to patched versions immediately: MikroORM v7 users upgrade to version 7.0.14 or later, v6 users upgrade to version 6.6.14 or later. Patches are available via npm (npm update @mikro-orm/sql @mikro-orm/knex) and apply fixes from GitHub pull requests #7654 (identifier quoting) and #7657 (JSON path keys) for v6, with corresponding master branch PRs #7653 and #7656 for v7. If immediate upgrade is not feasible, implement these compensating controls with noted trade-offs: For multi-tenant schema switching, validate schema names against a strict allowlist regex (^[A-Za-z_][\w$]*$) before passing to em.fork/qb.withSchema/wrap.setSchema-this prevents legitimate schema names containing special characters and may break existing functionality if schema names violate this pattern. For query builder usage with user input, validate all where/orderBy/groupBy/having/select keys against entity metadata properties before constructing filters, rejecting any keys containing '.' or '::' characters-this blocks navigation properties and type-casting operators, potentially breaking legitimate queries using these features. For JSON column filtering, validate all JSON sub-keys against an allowlist or the same strict regex before passing to em.find-this restricts JSON property names to ASCII alphanumeric identifiers, which may be insufficient for applications using Unicode or special characters in JSON structures. These workarounds reduce attack surface but impose functional limitations; vendor patching is strongly preferred. Verify patch application by reviewing node_modules/@mikro-orm/*/src/platforms/Platform.ts for the .replaceAll(quote, quote+quote) escaping logic introduced in the fix commits. Advisory URLs: https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-cfw5-68c4-ffqp, https://github.com/advisories/GHSA-cfw5-68c4-ffqp.

CVE-2025-1094 HIGH POC
8.1 Feb 13

PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl

CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2013-1899 MEDIUM POC
6.5 Apr 04

Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re

CVE-2026-20253 CRITICAL POC
9.8 Jun 10

Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.

CVE-2017-7546 CRITICAL
9.8 Aug 16

PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow

CVE-2015-1352 MEDIUM POC
5.0 Mar 30

The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t

CVE-2024-10553 CRITICAL POC
9.8 Mar 20

A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra

CVE-2019-9193 HIGH POC
7.2 Apr 01

In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve

CVE-2026-40887 CRITICAL POC
9.1 Apr 14

## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin

CVE-2022-24760 CRITICAL POC
10.0 Mar 12

Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot

CVE-2025-56157 CRITICAL POC
9.8 Dec 18

Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al

CVE-2024-12909 CRITICAL POC
9.8 Mar 20

A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for

Share

CVE-2026-44680 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy