
CVE-2026-27953: CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes in ormar-orm ormar

Severity: High
Tags: Vulnerability, CVE-2026-27953, cve, cve-2026-27953, cwe-915, cwe-20
Published: Thu Mar 19 2026 (03/19/2026, 20:23:06 UTC)
Source: CVE Database V5
Vendor/Project: ormar-orm
Product: ormar

Description

CVE-2026-27953 is a high-severity vulnerability in ormar, an async Python ORM, affecting versions prior to 0.23.1. It allows unauthenticated attackers to bypass Pydantic field validation by injecting the "__pk_only__": true parameter in JSON request bodies, enabling unvalidated data to be persisted directly to the database. A secondary injection parameter, "__excluded__", can nullify arbitrary model fields, such as email or role, facilitating privilege escalation and data integrity violations. This vulnerability impacts applications using ormar.Model directly as a request body parameter, particularly in FastAPI integrations following ormar's official documentation. Exploitation requires no user interaction but does require some level of privilege (PR:L) according to the CVSS vector. The flaw enables attackers to bypass business logic and escalate privileges, potentially compromising application integrity and availability. The issue was fixed in ormar version 0.

AI-Powered Analysis

Last updated: 03/20/2026, 01:53:39 UTC

Technical Analysis

The vulnerability CVE-2026-27953 resides in ormar, a lightweight asynchronous ORM for Python, specifically in versions 0.23.0 and earlier. Ormar integrates tightly with Pydantic for data validation and is commonly used with FastAPI. The flaw arises from improper control over dynamically determined object attributes during model construction. By injecting a special JSON parameter "__pk_only__": true into a request body, an unauthenticated attacker can bypass all Pydantic field validations. This means that data normally checked for correctness, type, and constraints can be persisted directly to the database without any validation, leading to data integrity issues. Additionally, the injection of a secondary parameter "__excluded__" allows selective nullification of arbitrary model fields, such as sensitive fields like email or user roles, enabling attackers to manipulate critical attributes. Because ormar's official documentation recommends using ormar.Model directly as a request body parameter in FastAPI, this vulnerability affects many applications following this pattern. The vulnerability is classified under CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes) and CWE-20 (Improper Input Validation). The CVSS 3.1 score is 7.1 (high), with an attack vector of network (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), high integrity impact (I:H), and low availability impact (A:L). No known exploits are currently in the wild. The vulnerability was publicly disclosed on March 19, 2026, and fixed in version 0.23.1.

Potential Impact

This vulnerability can have severe consequences for organizations using ormar versions prior to 0.23.1, especially those deploying FastAPI applications with ormar.Model as request body parameters. Attackers can bypass all data validation, allowing injection of malformed or malicious data directly into the database, leading to data integrity violations. The ability to nullify critical fields such as user roles or emails can enable privilege escalation, unauthorized access, and business logic bypass. This compromises the integrity of application data and can disrupt normal operations. Although confidentiality impact is rated none, the integrity and availability impacts are significant. The low availability impact suggests potential minor disruptions or denial of service conditions. Since exploitation requires some privilege level, attackers may need to gain initial access or exploit other vulnerabilities first, but no user interaction is needed. The widespread use of Python, FastAPI, and ormar in modern web applications means many organizations globally could be affected, particularly those in sectors relying on rapid API development and asynchronous frameworks. Failure to patch promptly could lead to unauthorized data manipulation, compliance violations, and reputational damage.

Mitigation Recommendations

To mitigate this vulnerability, organizations should immediately upgrade ormar to version 0.23.1 or later, where the issue is fixed. Review all FastAPI applications using ormar.Model as request body parameters to ensure they do not rely on vulnerable versions. Implement additional input validation layers outside of ormar and Pydantic to detect and block suspicious parameters such as "__pk_only__" and "__excluded__". Employ strict API gateway or WAF rules to filter out unexpected JSON keys that could be used for injection. Conduct thorough code audits to avoid using ormar.Model directly as a request body without validation. Monitor application logs for unusual database writes or unexpected nullification of critical fields. Enforce the principle of least privilege for database access to limit the impact of any successful exploitation. Consider using runtime application self-protection (RASP) tools to detect abnormal behaviors related to model construction and data persistence. Finally, educate developers about secure usage patterns of ormar and Pydantic to prevent similar issues.
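The two recommendations above that can be enforced in code are the extra input-validation layer that rejects reserved construction keys and the allowlisting of request fields so that ormar.Model is never built straight from an untrusted body. The following is an added example written for this page; it is not ormar's, Pydantic's or FastAPI's code. It uses only the standard library and generalizes the advisory's two named keys to any "__name__" key, anywhere in the body, so a renamed or nested reserved key is caught too. The sample bodies, the field allowlist and the names find_reserved_keys, strict_request_body and triage are constructed for illustration; in a real FastAPI service the same check would sit in a dependency or middleware in front of a dedicated Pydantic request schema.

```python
import json
import re
from typing import Any

# Matches any dunder key such as "__pk_only__" or "__excluded__" (the two keys
# named in the advisory) rather than hard-coding the pair, so variants are caught.
RESERVED_KEY_RE = re.compile(r"^__.*__$")


def find_reserved_keys(body: Any, path: str = "$") -> list[str]:
    """Walk a decoded JSON body recursively and return JSONPath-like locations
    of every reserved (dunder) key, including keys nested in objects or arrays."""
    hits: list[str] = []
    if isinstance(body, dict):
        for key, value in body.items():
            here = f"{path}.{key}"
            if isinstance(key, str) and RESERVED_KEY_RE.match(key):
                hits.append(here)
            hits.extend(find_reserved_keys(value, here))
    elif isinstance(body, list):
        for idx, item in enumerate(body):
            hits.extend(find_reserved_keys(item, f"{path}[{idx}]"))
    return hits


class RejectedBody(ValueError):
    """Raised when a request body must not reach model construction."""


def strict_request_body(raw: str, allowed_fields: frozenset[str]) -> dict[str, Any]:
    """Parse a JSON object body and admit only an explicit set of top-level fields.
    Any reserved key at any depth, and any unexpected top-level key, is rejected
    before the data is handed to the ORM layer."""
    body = json.loads(raw)
    if not isinstance(body, dict):
        raise RejectedBody("request body must be a JSON object")
    reserved = find_reserved_keys(body)
    if reserved:
        raise RejectedBody(f"reserved construction keys in body: {reserved}")
    unknown = set(body) - allowed_fields
    if unknown:
        raise RejectedBody(f"unexpected fields: {sorted(unknown)}")
    return body


# Constructed sample bodies (hypothetical user-creation endpoint, not from the advisory).
USER_FIELDS = frozenset({"email", "role"})
SAMPLE_BODIES = {
    "benign": '{"email": "alice@example.com", "role": "user"}',
    "pk_only": '{"__pk_only__": true, "email": "not-an-email", "role": "admin"}',
    "excluded": '{"email": "bob@example.com", "role": "user", "__excluded__": ["email"]}',
    "nested": '{"email": "c@example.com", "role": "user", "profile": {"__pk_only__": true}}',
}


def triage(bodies: dict[str, str]) -> dict[str, str]:
    """Return a verdict per sample: 'accepted' or 'rejected: <reason>'.
    The same routine can be run over stored request bodies for log review."""
    verdicts: dict[str, str] = {}
    for name, raw in bodies.items():
        try:
            strict_request_body(raw, USER_FIELDS)
            verdicts[name] = "accepted"
        except ValueError as exc:  # RejectedBody and JSON decode errors
            verdicts[name] = f"rejected: {exc}"
    return verdicts


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_BODIES).items():
        print(f"{name:>9}: {verdict}")
```

The reserved-key scan runs before the allowlist check on purpose: a body carrying "__pk_only__" or "__excluded__" is rejected and logged as such, which gives the log-monitoring step a distinct signal rather than a generic "unexpected field" error. Upgrading to 0.23.1 remains the actual fix; this layer only keeps such keys from reaching model construction and makes attempts visible.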


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-25T03:11:36.691Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69bca5a4e32a4fbe5f143360

Added to database: 3/20/2026, 1:40:52 AM

Last enriched: 3/20/2026, 1:53:39 AM

Last updated: 3/20/2026, 2:44:47 AM

