CVE-2026-27953: CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes in ormar-orm ormar
CVE-2026-27953 is a high-severity vulnerability in ormar, an async mini ORM for Python, affecting versions below 0.23.1. It allows unauthenticated attackers to bypass Pydantic model validation by injecting the "__pk_only__": true parameter in JSON request bodies, enabling direct persistence of unvalidated data to the database. A secondary injection parameter, "__excluded__", can nullify arbitrary model fields, facilitating privilege escalation, data integrity violations, and business logic bypass. This vulnerability impacts applications that use an ormar.Model subclass directly as a request body parameter, especially FastAPI integrations following ormar's official documentation. The issue has been fixed in version 0.23.1.
AI Analysis
Technical Summary
CVE-2026-27953 is a vulnerability in ormar, a Python asynchronous ORM commonly used with FastAPI, caused by improper control over dynamically-determined object attributes during model construction. In versions before 0.23.1, an attacker whose JSON request body is passed into an ormar model constructor can include the special key "__pk_only__": true. The constructor treats that key as an internal flag rather than as data and skips field validation, so unvalidated and potentially malicious values are persisted to the database as-is. A second internal key, "__excluded__", lets the request name model fields (for example email or role) that the constructor sets to None, which can be used to escalate privileges or bypass business logic that depends on those fields. The weakness is classified as CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes) together with CWE-20 (Improper Input Validation). The affected code path is the canonical FastAPI integration pattern recommended in ormar's own documentation, declaring an ormar.Model subclass directly as the request body parameter, so any application following that pattern is exposed. The advisory description speaks of unauthenticated attackers, while the CVSS 3.1 vector records PR:L (low privileges) and no user interaction; the real precondition depends on which of the application's endpoints accept a model as their body and whether those endpoints require authentication. The impact is primarily to data integrity, with a lesser effect on availability. The issue was published on March 19, 2026 and fixed in ormar 0.23.1. No exploitation in the wild has been reported, but the bypass needs nothing more than two extra JSON keys, so it should be treated as easily weaponizable.
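The following is an added illustration of the CWE-915 pattern described above; it is not ormar's code and not part of the original advisory. ToyUserModel is a simplified stand-in that reproduces only the behaviour the advisory describes: a constructor that pulls the control flags "__pk_only__" and "__excluded__" out of the same keyword arguments that carry user-supplied field values, so the request body controls the flags. The field names, validation rules and the request bodies are constructed for the example.

```python
"""Added illustration of the CWE-915 pattern behind CVE-2026-27953.

ToyUserModel is a stand-in written for this page, NOT ormar's code. It keeps
only the behaviour the advisory describes: control flags are popped from the
same kwargs dict that carries user-supplied field values.
"""
import json
import re
from typing import Any, Dict, Union

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
ALLOWED_ROLES = {"user", "admin"}


class ValidationError(ValueError):
    pass


class ToyUserModel:
    """Stand-in for a model constructed as Model(**request_json)."""

    FIELDS = ("email", "role")

    def __init__(self, **kwargs: Any) -> None:
        # CWE-915: the flags live in the same dict as attacker-controlled data,
        # so whoever controls the JSON body controls the flags.
        pk_only = bool(kwargs.pop("__pk_only__", False))
        excluded = set(kwargs.pop("__excluded__", ()))
        values: Dict[str, Any] = {name: kwargs.get(name) for name in self.FIELDS}
        for name in excluded & set(self.FIELDS):
            values[name] = None            # "excluded" fields are silently nulled
        if not pk_only:
            # Assumption of the stand-in: excluded fields are skipped by
            # validation too, since they were never meant to hold a value.
            self._validate(values, skip=excluded)
        self.__dict__.update(values)

    @staticmethod
    def _validate(values: Dict[str, Any], skip: set) -> None:
        if "email" not in skip:
            email = values["email"]
            if not isinstance(email, str) or not EMAIL_RE.match(email):
                raise ValidationError("invalid email")
        if "role" not in skip and values["role"] not in ALLOWED_ROLES:
            raise ValidationError("invalid role")


def create_user(raw_body: str) -> Dict[str, Any]:
    """Mirrors the documented pattern `async def create(user: User)`: the
    decoded JSON object is spread straight into the model constructor."""
    user = ToyUserModel(**json.loads(raw_body))
    return {name: getattr(user, name) for name in ToyUserModel.FIELDS}


def submit(raw_body: str) -> Union[Dict[str, Any], str]:
    """Run the endpoint and report either the stored row or the rejection."""
    try:
        return create_user(raw_body)
    except ValidationError as exc:
        return f"rejected: {exc}"


# Constructed request bodies for the example.
HONEST_BODY = '{"email": "alice@example.test", "role": "user"}'
BAD_BODY = '{"email": "not-an-email", "role": "superuser"}'
PK_ONLY_BODY = '{"__pk_only__": true, "email": "not-an-email", "role": "superuser"}'
EXCLUDED_BODY = '{"__excluded__": ["role"], "email": "bob@example.test", "role": "user"}'

if __name__ == "__main__":
    for label, body in [("honest", HONEST_BODY), ("bad", BAD_BODY),
                        ("pk_only", PK_ONLY_BODY), ("excluded", EXCLUDED_BODY)]:
        print(f"{label:9} -> {submit(body)}")
```

Running it shows the two failure modes side by side: BAD_BODY is rejected, the same values with "__pk_only__": true are stored untouched, and "__excluded__": ["role"] stores the row with role set to None even though a valid role was supplied.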
Potential Impact
The vulnerability lets an attacker who can reach an affected endpoint bypass all field validation and write unvalidated data directly to the database, leading to privilege escalation, data corruption, and business logic bypass. Organizations running ormar in Python FastAPI applications may see unauthorized modification of critical fields such as user roles or emails, granting attackers elevated privileges or breaking normal application workflows. Integrity is the primary concern; availability may also suffer if corrupted rows cause downstream failures. The impact is most severe for applications that handle sensitive data or enforce access control through values stored in ormar models. Because ormar is a common choice in modern asynchronous Python web applications, the population of affected systems can be broad, particularly where the patched version has not yet been deployed. No user interaction is required and the attack vector is network, which lowers the bar for exploitation. Although no in-the-wild exploitation is known, the bypass requires only two extra JSON keys and could be weaponized with little effort.
Mitigation Recommendations
1. Upgrade ormar to version 0.23.1 or later immediately; this applies the official patch for the validation bypass.
2. Audit every FastAPI endpoint that declares an ormar.Model subclass as its request body parameter, including PATCH and PUT handlers that update existing rows, and confirm that no client-supplied key can reach the model constructor unchecked.
3. Add a server-side validation layer independent of ormar's model validation that rejects "__pk_only__" and "__excluded__" outright. A safer general rule is to reject any key that begins with a double underscore, at any nesting depth, since nested relation objects are also built from their own dicts and no legitimate API field is named that way.
4. Enforce strict schema validation at the API gateway or middleware level so that unknown or control-style keys are dropped or rejected before they reach application code.
5. Monitor application logs for requests whose bodies contain these keys, and for anomalous changes to sensitive columns such as role or email.
6. Include model validation bypass attempts in penetration testing to verify that the mitigations actually hold.
7. Make sure development teams understand that ORM-level validation is a single control and that request schemas should be separate from persistence models.
8. If an immediate upgrade is not feasible, stop using ormar.Model subclasses directly as request bodies and replace them with explicit Pydantic request schemas (with extra fields forbidden) that are copied field by field into the model, so that client-controlled dictionaries are never spread into the constructor.
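The following block implements mitigation steps 3, 5 and 8 together, as added example code written for this page; it is not ormar's or FastAPI's own API. It provides a recursive guard that rejects double-underscore keys anywhere in a decoded body, an explicit allow-list request schema whose fields are passed to the ORM as named keyword arguments, and a log scanner that flags request bodies carrying the control keys. The log line format, field names, addresses and request bodies are all constructed for the example; in a real FastAPI application the schema would be a pydantic BaseModel with extra="forbid" and the guard would run in a dependency or middleware.

```python
"""Added defence-in-depth helpers for CVE-2026-27953 mitigation steps 3, 5, 8.
Example code written for this page, not ormar's or FastAPI's own API."""
import json
import re
from dataclasses import dataclass
from typing import Any, Dict, Iterable, List

# Control keys named in the advisory; the guard is broader and rejects any
# dunder key, since no ordinary API field starts with a double underscore.
KNOWN_CONTROL_KEYS = {"__pk_only__", "__excluded__"}
DUNDER_KEY = re.compile(r"^__")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
ALLOWED_ROLES = {"user", "admin"}


class ControlKeyInjection(ValueError):
    """A request body carried a key the ORM would consume as a control flag."""


def reject_control_keys(value: Any, path: str = "$") -> None:
    """Walk a decoded JSON body and fail on a dunder key at any depth.
    Recursion matters because nested relation objects are built from their
    own dict, so a flag injected there would reach a constructor as well."""
    if isinstance(value, dict):
        for key, child in value.items():
            if DUNDER_KEY.match(key):
                raise ControlKeyInjection(f"{path}.{key}")
            reject_control_keys(child, f"{path}.{key}")
    elif isinstance(value, list):
        for i, child in enumerate(value):
            reject_control_keys(child, f"{path}[{i}]")


@dataclass(frozen=True)
class UserCreate:
    """Explicit request schema: an allow-list of writable fields (step 8).
    A dataclass stands in for a pydantic BaseModel with extra="forbid" so the
    block runs without third-party packages."""
    email: str
    role: str = "user"

    @classmethod
    def parse(cls, body: Dict[str, Any]) -> "UserCreate":
        unknown = set(body) - {"email", "role"}
        if unknown:
            raise ValueError(f"unexpected fields: {sorted(unknown)}")
        email = body.get("email")
        if not isinstance(email, str) or not EMAIL_RE.match(email):
            raise ValueError("invalid email")
        role = body.get("role", "user")
        if role not in ALLOWED_ROLES:
            raise ValueError("invalid role")
        return cls(email=email, role=role)

    def to_model_kwargs(self) -> Dict[str, Any]:
        # Named keyword arguments only: the client's dict is never spread.
        return {"email": self.email, "role": self.role}


def handle_create_user(raw_body: str) -> Dict[str, Any]:
    """Hardened handler: guard (step 3), explicit schema, then the exact
    kwargs that are safe to hand to the ORM model."""
    data = json.loads(raw_body)
    reject_control_keys(data)
    return UserCreate.parse(data).to_model_kwargs()


def try_create(raw_body: str) -> str:
    """Classify a body as accepted, blocked by the guard, or failed by schema."""
    try:
        handle_create_user(raw_body)
        return "accepted"
    except ControlKeyInjection as exc:
        return f"control-key:{exc}"
    except ValueError as exc:
        return f"schema:{exc}"


# Step 5: detection over application logs that record the request body.
CONTROL_KEY_IN_LOG = re.compile(
    r'"(' + "|".join(map(re.escape, sorted(KNOWN_CONTROL_KEYS))) + r')"\s*:')


def scan_request_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one hit per log line whose body carries a known control key."""
    return [{"key": m.group(1), "line": line.strip()}
            for line in lines for m in [CONTROL_KEY_IN_LOG.search(line)] if m]


# Constructed sample log lines (addresses are from documentation ranges).
SAMPLE_LOG = [
    'POST /users 201 src=203.0.113.5 body={"email":"a@example.test","role":"user"}',
    'POST /users 201 src=198.51.100.7 body={"__pk_only__": true,"email":"x","role":"admin"}',
    'PATCH /users/7 200 src=198.51.100.7 body={"__excluded__":["role"],"email":"x@example.test"}',
]

if __name__ == "__main__":
    for body in ('{"email": "a@example.test", "role": "user"}',
                 '{"__pk_only__": true, "email": "x", "role": "admin"}',
                 '{"email": "b@example.test", "owner": {"__excluded__": ["role"]}}'):
        print(try_create(body))
    for hit in scan_request_log(SAMPLE_LOG):
        print("ALERT", hit["key"], hit["line"])
```

The guard runs before schema parsing on purpose: it produces a distinct error class that can be logged and alerted on separately from ordinary validation failures, which is what turns step 3 into a detection signal for step 5.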
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-25T03:11:36.691Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bca5a4e32a4fbe5f143360
Added to database: 3/20/2026, 1:40:52 AM
Last enriched: 3/27/2026, 7:38:28 PM
Last updated: 5/1/2026, 11:09:06 PM