CVE-2026-26198
Received Received - Intake
SQL Injection in Ormar ORM Aggregate Queries Allows Data Exposure

Publication date: 2026-02-24

Last updated on: 2026-02-25

Assigner: GitHub, Inc.

Description
Ormar is a async mini ORM for Python. In versions 0.9.9 through 0.22.0, when performing aggregate queries, Ormar ORM constructs SQL expressions by passing user-supplied column names directly into `sqlalchemy.text()` without any validation or sanitization. The `min()` and `max()` methods in the `QuerySet` class accept arbitrary string input as the column parameter. While `sum()` and `avg()` are partially protected by an `is_numeric` type check that rejects non-existent fields, `min()` and `max()` skip this validation entirely. As a result, an attacker-controlled string is embedded as raw SQL inside the aggregate function call. Any unauthorized user can exploit this vulnerability to read the entire database contents, including tables unrelated to the queried model, by injecting a subquery as the column parameter. Version 0.23.0 contains a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-24
Last Modified
2026-02-25
Generated
2026-05-07
AI Q&A
2026-02-24
EPSS Evaluated
2026-05-05
NVD
CVE-2026-26198
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
collerek ormar From 0.9.9 (inc) to 0.23.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-26198 is a critical SQL Injection vulnerability in the Ormar async Python ORM, affecting versions 0.9.9 through 0.22.0. The issue arises because the min() and max() aggregate functions accept arbitrary string inputs as column names without any validation or sanitization. These inputs are passed directly into raw SQL expressions via sqlalchemy.text(), allowing attackers to inject malicious SQL code.

Unlike sum() and avg(), which perform type checks to ensure numeric columns, min() and max() skip these validations entirely. This flaw enables unauthorized users to execute arbitrary SQL queries, including subqueries, which can read the entire database contents, even tables unrelated to the queried model.

The vulnerability was introduced in early versions and remained unpatched until version 0.23.0, which added strict validation and sanitization of inputs to prevent SQL injection.


How can this vulnerability impact me? :

This vulnerability allows an attacker to perform unauthorized SQL injection attacks through the min() and max() aggregate functions in Ormar ORM. By injecting malicious SQL code, an attacker can read sensitive data from the entire database, including tables that should be inaccessible.

  • Attackers can extract sensitive information such as usernames, passwords, API keys, and other confidential data.
  • The attack can be performed without authentication, requiring only unauthenticated HTTP GET requests to a vulnerable API endpoint.
  • Attackers can enumerate database tables, extract schema details, and dump sensitive data using SQL injection techniques including blind boolean-based extraction.

Overall, exploitation can lead to full compromise of sensitive internal data, loss of confidentiality, integrity, and availability of the database.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the Ormar ORM aggregate functions min() and max() for SQL injection by passing arbitrary or malicious strings as the column parameter and observing if the database executes unintended SQL commands.'}, {'type': 'paragraph', 'content': "A practical detection method is to send requests to any API endpoints that use Ormar's min() or max() aggregate functions with crafted inputs such as '1+1' or subqueries as the column parameter and check if the response reflects execution of injected SQL."}, {'type': 'paragraph', 'content': 'For example, if you have an API endpoint similar to the vulnerable FastAPI example, you can test with HTTP GET requests like:'}, {'type': 'list_item', 'content': "curl 'http://your-api/items/stats?metric=max&column=1+1' # Should return 2 if vulnerable"}, {'type': 'list_item', 'content': "curl 'http://your-api/items/stats?metric=min&column=(SELECT+name+FROM+sqlite_master+WHERE+type=%27table%27)' # To enumerate tables"}, {'type': 'paragraph', 'content': 'If these commands return results indicating execution of injected SQL, the system is vulnerable.'}] [3]


What immediate steps should I take to mitigate this vulnerability?

The immediate and most effective mitigation step is to upgrade the Ormar ORM library to version 0.23.0 or later, where this vulnerability has been fixed by adding strict validation and sanitization of inputs to the min() and max() aggregate functions.

Until the upgrade can be performed, avoid using the min() and max() aggregate functions with user-supplied input as column parameters, or implement strict input validation and sanitization on your side to prevent arbitrary SQL injection.

Additionally, review your API endpoints and code to ensure that no untrusted input is passed directly into aggregate function parameters without validation.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart