CVE-2026-27953 in ormar
Summary
by MITRE • 03/19/2026
ormar is an async mini ORM for Python. Versions 0.23.0 and below are vulnerable to Pydantic validation bypass through the model constructor: by injecting "__pk_only__": true into a JSON request body, an unauthenticated attacker can skip all field validation and persist unvalidated data directly to the database. A secondary __excluded__ parameter injection uses the same pattern to selectively nullify arbitrary model fields (e.g., email or role) during construction. This affects ormar's canonical FastAPI integration pattern recommended in its official documentation, enabling privilege escalation, data integrity violations, and business logic bypass in any application using ormar.Model directly as a request body parameter. This issue has been fixed in version 0.23.1.
Analysis
by VulDB Data Team • 03/28/2026
CVE-2026-27953 affects ormar, an asynchronous mini ORM for Python, in versions 0.23.0 and below. It is a critical validation bypass in the model constructor: when ormar builds a model from a JSON request body, specific injected keys steer construction onto a code path that skips all field validation, so an attacker controls what is persisted at the database level. The flaw is especially concerning because it defeats the ORM's core validation infrastructure rather than a single field check.
The flaw is triggered by keys in the JSON request body that ormar's model constructor interprets as internal construction options. A body containing "__pk_only__": true takes the code path in which the model is instantiated without field validation, and the unvalidated data is then persisted directly to the database. A secondary vector, the "__excluded__" key, follows the same injection pattern but lets the sender selectively nullify arbitrary model fields during construction, for example an email address or a role identifier on which business logic enforcement depends.
The operational impact goes well beyond data corruption because the affected pattern is ormar's canonical FastAPI integration, explicitly recommended in the official documentation: an ormar.Model used directly as a request body parameter. Any application following that recommendation is exposed to privilege escalation by unauthenticated users who manipulate the data model to gain unauthorized access or modify critical business data, to data integrity violations that undermine the application's trust model, and to business logic bypass wherever validation rules are what enforces that logic.
The vulnerability is classified under CWE-502 (deserialization of untrusted data) and maps to ATT&CK techniques involving data manipulation and privilege escalation. Organizations using ormar in FastAPI applications face a significant risk of unauthorized data modification, potential data exfiltration, and compromise of application security controls. The fix in version 0.23.1 addresses the core issue by sanitizing the injected parameters and ensuring that all field validation occurs regardless of any special keys present in the request payload. The case shows how a small implementation detail in model construction can defeat an ORM's input validation entirely. The recommended mitigation is to upgrade to version 0.23.1 immediately or, where that is not yet possible, to add a validation layer at the application level that stops parameter injection before it reaches the model constructor. Organizations should also review their FastAPI applications that use ormar to ensure no similar injection patterns exist elsewhere in the codebase.
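An application-level guard of the kind the mitigation above describes, added here as an example that is not ormar's code or part of the advisory: it screens a decoded JSON body for constructor control keys (`__pk_only__`, `__excluded__`, or any other dunder-style key) before the body reaches the model constructor, and passes through only the declared fields. The function names, the field allowlist and the sample payloads are assumptions; ormar's own constructor internals are not reproduced.

```python
import json
import re
from typing import Any, Iterable

# The control keys named in the advisory (__pk_only__, __excluded__) share a
# dunder shape; a JSON request body never legitimately carries such keys.
DUNDER_KEY = re.compile(r"^__.*__$")


def find_control_keys(obj: Any, path: str = "$") -> list[str]:
    """Return the JSON path of every dunder-style key in a decoded body.

    Nested objects and arrays are walked too, because a model body may embed
    related models as nested objects that reach a constructor of their own.
    """
    hits: list[str] = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            if isinstance(key, str) and DUNDER_KEY.match(key):
                hits.append(child)
            hits.extend(find_control_keys(value, child))
    elif isinstance(obj, list):
        for index, item in enumerate(obj):
            hits.extend(find_control_keys(item, f"{path}[{index}]"))
    return hits


def screen_body(raw: str, allowed_fields: Iterable[str]) -> dict[str, Any]:
    """Decode a request body and keep only allow-listed top-level fields.

    Raises ValueError when a control key appears anywhere, so the request is
    rejected (and can be logged as an injection attempt) rather than trimmed
    silently. The returned dict is what gets handed to the model constructor,
    e.g. User(**screen_body(raw, USER_FIELDS)) with a hypothetical User model.
    """
    body = json.loads(raw)
    if not isinstance(body, dict):
        raise ValueError("request body must be a JSON object")
    hits = find_control_keys(body)
    if hits:
        raise ValueError(f"constructor control keys in request body: {hits}")
    allowed = set(allowed_fields)
    return {key: value for key, value in body.items() if key in allowed}


# Constructed sample payloads and allowlist (assumptions, not from the advisory).
USER_FIELDS = ("email", "role")
BENIGN = '{"email": "alice@example.com", "role": "user"}'
INJECTED = '{"email": "not-an-email", "role": "admin", "__pk_only__": true}'
NESTED = '{"email": "bob@example.com", "team": {"name": "ops", "__excluded__": ["owner"]}}'
```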