CVE-2026-22814
Mass Assignment Vulnerability in @adonisjs/lucid Enables Unauthorized Modification
Publication date: 2026-01-13
Last updated on: 2026-01-13
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| adonisjs | lucid | before 21.8.2 (exclusive) |
| adonisjs | lucid | before 22.0.0-next.6 (exclusive) |
| adonisjs | lucid | from 22.0.0-next.5 (inclusive) |
| adonisjs | lucid | 21.8.2 |
| adonisjs | lucid | 22.0.0-next.6 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-915 | The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized modification of database records through mass assignment, which can lead to integrity violations of stored data. This unauthorized data manipulation could result in non-compliance with standards and regulations such as GDPR and HIPAA that require data integrity and protection against unauthorized changes. Therefore, applications using vulnerable versions of @adonisjs/lucid without strict input validation may face compliance risks related to data integrity and security. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether your application uses a vulnerable version of @adonisjs/lucid (up to 21.8.1, or the pre-release 22.0.0-next.5) and whether it passes unfiltered or unsanitized input (e.g., from `request.all()`, `request.except()`, or validation schemas that allow unknown properties) directly into Lucid model assignment methods such as `fill`, `merge`, `create`, `updateOrCreate`, etc. No network-level detection commands are provided. To detect vulnerable versions, check your package.json or run `npm list @adonisjs/lucid`. To detect unsafe usage, review the codebase for model assignments whose input is not validated against an explicit list of permitted fields. No commands for runtime detection are provided in the resources. [1]
Can you explain this vulnerability to me?
This vulnerability is a Mass Assignment issue in the @adonisjs/lucid ORM for AdonisJS. It allows a remote attacker who can influence the data passed into Lucid model assignments to overwrite the internal ORM state. This means the attacker can potentially bypass logic controls and modify records in the database without authorization.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized modification of database records and logic bypasses within the application using @adonisjs/lucid. This could result in data integrity issues, unauthorized data changes, and potentially compromise the application's security and functionality.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update @adonisjs/lucid to version 21.8.2 or later, or to 22.0.0-next.6 or later if using pre-release versions. This patch fixes the Mass Assignment vulnerability that allows unauthorized record modification.
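As an added illustration of the unsafe pattern named in the detection answer above and the allow-list filtering a fix relies on (example code, not @adonisjs/lucid's own): `FakeModel` is a stand-in for a Lucid model whose `merge()` assigns every key it receives, and `$meta` is a hypothetical non-column field standing in for ORM-internal state.

```javascript
// Added example, not code from @adonisjs/lucid. FakeModel stands in for a Lucid
// model; the only behaviour assumed is that merge() assigns every key it is given.
class FakeModel {
  constructor(row) { Object.assign(this, row); }
  merge(values) { Object.assign(this, values); return this; }
}

// Deny-list, the shape of request.except(): drops the named keys, passes the rest.
function except(body, denied) {
  return Object.fromEntries(Object.entries(body).filter(([k]) => !denied.includes(k)));
}

// Allow-list: passes only the keys this endpoint is permitted to change.
function pickAllowed(body, allowed) {
  const out = {};
  for (const key of allowed) {
    if (Object.prototype.hasOwnProperty.call(body, key)) out[key] = body[key];
  }
  return out;
}

// Constructed request body for a "rename my profile" endpoint that also carries
// fields the client must never control. "$meta" is a hypothetical non-column key.
const untrustedBody = { displayName: 'Mallory', isAdmin: true, ownerId: 7, $meta: 'x' };

// Constructed row as stored before the request.
const STORED_ROW = { id: 42, ownerId: 1, displayName: 'alice', isAdmin: false };

// Unsafe: the body reaches merge() after removing only the keys the developer
// remembered; ownerId and the non-column key still get through.
function updateWithExcept(body) {
  return new FakeModel(STORED_ROW).merge(except(body, ['isAdmin']));
}

// Safe: only the single field this endpoint is meant to change reaches merge().
function updateWithAllowList(body) {
  return new FakeModel(STORED_ROW).merge(pickAllowed(body, ['displayName']));
}
```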