CVE-2026-27953

{"id": "CVE-2026-27953", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 4.2, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2026-03-19T21:17:09.573", "references": [{"url": "https://github.com/ormar-orm/ormar/blob/master/examples/fastapi_quick_start.py#L55", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/ormar-orm/ormar/blob/master/ormar/fields/foreign_key.py#L41", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/ormar-orm/ormar/blob/master/ormar/models/helpers/pydantic.py#L108", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/ormar-orm/ormar/blob/master/ormar/models/model.py#L89", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/ormar-orm/ormar/blob/master/ormar/models/newbasemodel.py#L128", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/ormar-orm/ormar/blob/master/ormar/models/newbasemodel.py#L292", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/ormar-orm/ormar/commit/7f22aa21a7614b993970345b392dabb0ccde0ab3", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/ormar-orm/ormar/releases/tag/0.23.1", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/ormar-orm/ormar/security/advisories/GHSA-f964-whrq-44h8", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/ormar-orm/ormar/security/advisories/GHSA-f964-whrq-44h8", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-915"}]}], "descriptions": [{"lang": "en", "value": "ormar is a async mini ORM for Python. Versions 0.23.0 and below are vulnerable to Pydantic validation bypass through the model constructor, allowing any unauthenticated user to skip all field validation by injecting \"__pk_only__\": true into a JSON request body. By injecting \"__pk_only__\": true into a JSON request body, an unauthenticated attacker can skip all field validation and persist unvalidated data directly to the database. A secondary __excluded__ parameter injection uses the same pattern to selectively nullify arbitrary model fields (e.g., email or role) during construction. This affects ormar's canonical FastAPI integration pattern recommended in its official documentation, enabling privilege escalation, data integrity violations, and business logic bypass in any application using ormar.Model directly as a request body parameter. This issue has been fixed in version 0.23.1."}, {"lang": "es", "value": "ormar es un mini ORM as\u00edncrono para Python. Las versiones 0.23.0 e inferiores son vulnerables a un bypass de validaci\u00f3n de Pydantic a trav\u00e9s del constructor del modelo, permitiendo a cualquier usuario no autenticado omitir toda la validaci\u00f3n de campos inyectando '__pk_only__': true en un cuerpo de solicitud JSON. Al inyectar '__pk_only__': true en un cuerpo de solicitud JSON, un atacante no autenticado puede omitir toda la validaci\u00f3n de campos y persistir datos no validados directamente en la base de datos. Una inyecci\u00f3n de par\u00e1metro secundaria __excluded__ utiliza el mismo patr\u00f3n para anular selectivamente campos de modelo arbitrarios (p. ej., correo electr\u00f3nico o rol) durante la construcci\u00f3n. Esto afecta el patr\u00f3n can\u00f3nico de integraci\u00f3n de FastAPI de ormar recomendado en su documentaci\u00f3n oficial, permitiendo la escalada de privilegios, violaciones de integridad de datos y bypass de l\u00f3gica de negocio en cualquier aplicaci\u00f3n que utilice ormar.Model directamente como par\u00e1metro del cuerpo de la solicitud. Este problema ha sido solucionado en la versi\u00f3n 0.23.1."}], "lastModified": "2026-03-27T21:48:05.810", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:collerek:ormar:*:*:*:*:*:python:*:*", "vulnerable": true, "matchCriteriaId": "28060AA9-6E58-42EE-9043-CC3998D6B0ED", "versionEndExcluding": "0.23.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}