CVE-2026-26198: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in collerek ormar
Ormar is an async mini ORM for Python. In versions 0.9.9 through 0.22.0, when performing aggregate queries, Ormar ORM constructs SQL expressions by passing user-supplied column names directly into `sqlalchemy.text()` without any validation or sanitization. The `min()` and `max()` methods in the `QuerySet` class accept arbitrary string input as the column parameter. While `sum()` and `avg()` are partially protected by an `is_numeric` type check that rejects non-existent fields, `min()` and `max()` skip this validation entirely. As a result, an attacker-controlled string is embedded as raw SQL inside the aggregate function call. Any unauthorized user can exploit this vulnerability to read the entire database contents, including tables unrelated to the queried model, by injecting a subquery as the column parameter. Version 0.23.0 contains a patch.
AI Analysis
Technical Summary
Ormar is an asynchronous mini ORM for Python designed to simplify database interactions. Versions 0.9.9 through 0.22.0 contain a critical SQL injection vulnerability (CVE-2026-26198) due to improper neutralization of special elements in SQL commands (CWE-89). Specifically, the min() and max() methods in Ormar's QuerySet class accept arbitrary string inputs as column parameters without any validation or sanitization. These inputs are directly passed into sqlalchemy.text(), which constructs raw SQL expressions. Unlike sum() and avg() methods that perform partial numeric type checks, min() and max() skip validation entirely. This flaw enables an attacker to inject malicious SQL subqueries as the column parameter, allowing unauthorized reading of the entire database, including tables unrelated to the queried model. Exploitation requires no authentication or user interaction, making it trivially exploitable remotely. The vulnerability affects all Ormar versions from 0.9.9 up to but not including 0.23.0, where a patch was introduced to properly validate and sanitize inputs. Despite no known exploits in the wild at the time of disclosure, the high CVSS score (9.8) reflects the critical risk posed by this vulnerability.
Potential Impact
The impact of CVE-2026-26198 is severe for organizations using affected Ormar versions in their Python applications. Exploitation allows attackers to perform unauthorized SQL injection attacks, leading to full disclosure of sensitive data across all database tables, including those outside the scope of the intended ORM model. This can result in exposure of personally identifiable information (PII), intellectual property, credentials, and other confidential data. The vulnerability compromises confidentiality, integrity, and availability since attackers can read, modify, or delete data. Because no authentication or user interaction is required, any exposed application endpoint using the vulnerable Ormar versions is at risk of remote exploitation. This can lead to data breaches, regulatory non-compliance, reputational damage, and potential lateral movement within compromised networks. The widespread use of Python and ORMs in web applications and microservices increases the scope and scale of potential impact globally.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade Ormar to version 0.23.0 or later, where the issue is patched. Until an upgrade is possible, developers should avoid using the min() and max() aggregate methods with user-supplied input, or implement strict input validation and sanitization to ensure only valid column names are accepted. Employing a whitelist of allowed column names or using ORM-safe query constructs can prevent injection. Additionally, applying Web Application Firewalls (WAFs) with SQL injection detection rules can provide a temporary layer of defense. Regular code audits and dependency scanning should be conducted to identify vulnerable Ormar versions. Monitoring application logs for suspicious query patterns and anomalous database access can help detect exploitation attempts. Finally, enforcing the principle of least privilege on database accounts used by applications limits the damage potential if exploitation occurs.
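As an added illustration of the allowlist mitigation described above and of the missing check the technical summary describes, the following is example code written for this page, not Ormar's own implementation or its 0.23.0 patch. It validates the aggregate's column argument against the model's declared fields before any SQL is built; the table name, field names and sample rows are constructed for the demo.

```python
import re
import sqlite3

# Aggregates a caller may request; anything else is refused outright.
ALLOWED_FUNCS = {"min", "max", "sum", "avg"}
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def validate_column(column, allowed_columns):
    """Return `column` only if it is an exact, declared field name.

    This is the check the advisory says min()/max() lacked: the value is
    compared against the model's declared fields before it gets anywhere
    near SQL text, so a subquery or any other expression is rejected.
    """
    if not isinstance(column, str) or not IDENT_RE.fullmatch(column):
        raise ValueError(f"column name is not a plain identifier: {column!r}")
    if column not in allowed_columns:
        raise ValueError(f"column {column!r} is not a field of this model")
    return column


def safe_aggregate(conn, table, func, column, allowed_columns):
    """Run MIN/MAX/SUM/AVG over a validated column using a quoted identifier.

    `table` is assumed to come from model metadata, never from a request.
    """
    func = func.lower()
    if func not in ALLOWED_FUNCS:
        raise ValueError(f"unsupported aggregate: {func!r}")
    col = validate_column(column, allowed_columns)
    # The allowlist is the defence; identifier quoting is an extra layer.
    sql = f'SELECT {func.upper()}("{col}") FROM "{table}"'
    return conn.execute(sql).fetchone()[0]


def demo():
    # Constructed sample data: an in-memory SQLite table standing in for a
    # model's backing table (hypothetical names, not from the advisory).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (id INTEGER, year INTEGER, title TEXT)")
    conn.executemany("INSERT INTO books VALUES (?, ?, ?)",
                     [(1, 1999, "a"), (2, 2004, "b"), (3, 1987, "c")])
    fields = {"id", "year", "title"}
    return {
        "min_year": safe_aggregate(conn, "books", "min", "year", fields),
        "max_year": safe_aggregate(conn, "books", "max", "year", fields),
    }
```

The same validator can be placed in front of any Ormar aggregate call that takes request-derived input while an upgrade to 0.23.0 is pending.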
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, Netherlands, India, Brazil, South Korea, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-11T19:56:24.813Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699d14d6be58cf853b182c29
Added to database: 2/24/2026, 3:02:46 AM
Last enriched: 2/24/2026, 3:16:41 AM
Last updated: 2/24/2026, 9:33:11 PM