CVE-2026-27953
Status: Received - Intake
Pydantic Validation Bypass in ormar ORM Enables Privilege Escalation

Publication date: 2026-03-19

Last updated on: 2026-03-27

Assigner: GitHub, Inc.

Description
ormar is an async mini ORM for Python. Versions 0.23.0 and below are vulnerable to Pydantic validation bypass through the model constructor: by injecting "__pk_only__": true into a JSON request body, an unauthenticated attacker can skip all field validation and persist unvalidated data directly to the database. A secondary __excluded__ parameter injection uses the same pattern to selectively nullify arbitrary model fields (e.g., email or role) during construction. This affects ormar's canonical FastAPI integration pattern recommended in its official documentation, enabling privilege escalation, data integrity violations, and business logic bypass in any application that uses ormar.Model directly as a request body parameter. This issue has been fixed in version 0.23.1.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-19
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: collerek; Product: ormar; Version / Range: below 0.23.1 (0.23.1 excluded)
CWE
CWE-915: The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
CWE-20: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-27953 is a vulnerability in the ormar Python async ORM library (versions 0.23.0 and below) that allows unauthenticated users to bypass all Pydantic validation when creating or updating models. This is done by injecting a special parameter `__pk_only__` set to true into a JSON request body, which causes the model constructor to skip all validation steps and directly assign unvalidated data to the model's internal dictionary.

Additionally, a secondary parameter `__excluded__` can be injected to selectively nullify arbitrary model fields during construction, such as sensitive fields like email or role.

This vulnerability affects the typical usage pattern where ormar models are used directly as FastAPI request body parameters, enabling attackers to bypass type checks, field constraints, custom validators, and required field enforcement, leading to privilege escalation, data integrity violations, and business logic bypass.

The issue was fixed in ormar version 0.23.1 by changing how these special parameters are handled to prevent injection through user-supplied keyword arguments. [3, 4]


How can this vulnerability impact me?

This vulnerability can have several serious impacts on applications using ormar versions 0.23.0 and below:

  • Privilege Escalation: Attackers can bypass role or permission validators by injecting unauthorized roles or privileges.
  • Data Integrity Violation: Invalid or malicious data types, lengths, and formats can be stored in the database without validation.
  • Business Logic Bypass: Custom validation logic enforcing business rules is skipped, potentially allowing unauthorized actions.
  • Field Nullification: Critical fields such as email or password hashes can be nullified, disabling auditing or security controls.

Overall, this can lead to unauthorized data manipulation, compromised application security, and potential downstream effects on system behavior.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves injection of the special JSON parameters `"__pk_only__": true` or `"__excluded__"` into requests that use ormar models, allowing bypass of Pydantic validation. Detection involves monitoring incoming JSON request bodies for these suspicious parameters.

To detect exploitation attempts on your network or system, you can inspect HTTP request payloads for the presence of the `"__pk_only__"` or `"__excluded__"` keys in JSON bodies sent to endpoints that accept ormar models (e.g., FastAPI routes).

Suggested commands or methods include:

  • Using network packet capture tools like `tcpdump` or `Wireshark` to filter HTTP POST or PUT requests containing these strings.
  • Using command-line tools like `grep` or `jq` on server logs or access logs to search for JSON payloads containing `"__pk_only__"` or `"__excluded__"`.
  • Example grep command on logs: `grep -E '"__pk_only__"|"__excluded__"' /path/to/access.log`
  • If you have application-level logging of request bodies, filter logs for these keys to identify suspicious requests.

There are no specific built-in ormar commands or automated detection scripts provided in the resources. [4, 5]


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade ormar to version 0.23.1 or later, where this vulnerability has been fixed by changing the model constructor to prevent injection of `__pk_only__` and `__excluded__` parameters via user input.

Additional immediate steps include:

  • Audit your API endpoints that accept ormar models as request bodies (e.g., FastAPI routes) to ensure they do not accept or process requests containing `"__pk_only__"` or `"__excluded__"` keys.
  • Implement input validation or request body filtering to reject or sanitize requests containing these special keys before they reach the ormar model constructor.
  • If upgrading immediately is not possible, consider adding middleware or request validation layers to detect and block payloads with these parameters.

The root cause was that the vulnerable versions extracted these parameters from `**kwargs` before Pydantic validation, allowing bypass. The fix involves changing these to keyword-only parameters that cannot be injected via JSON or dictionary unpacking. [3, 4]
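As an added defensive example (not ormar's own code and not from the advisory), the request-body filter suggested under mitigation and the log search suggested under detection share one recursive walk that finds `__pk_only__` / `__excluded__` keys at any nesting depth, so a key hidden inside a nested related model or a list is caught too. The hook name `guard_request`, the 422 status choice and the log lines are assumptions/constructed.

```python
import json
from typing import Any, Iterator

# Keys the advisory names as constructor-injection vectors in ormar <= 0.23.0.
ORMAR_CONTROL_KEYS = frozenset({"__pk_only__", "__excluded__"})

def find_control_keys(obj: Any, path: str = "$") -> Iterator[str]:
    """Yield JSONPath-style locations of control keys anywhere in a parsed body.
    Recursive: nested related models and lists of them also hit a constructor."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key in ORMAR_CONTROL_KEYS:
                yield f"{path}.{key}"
            yield from find_control_keys(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for idx, item in enumerate(obj):
            yield from find_control_keys(item, f"{path}[{idx}]")

def is_safe_body(raw_body: bytes) -> tuple[bool, list[str]]:
    """Return (accept?, offending paths). Unparseable JSON is rejected too."""
    try:
        parsed = json.loads(raw_body)
    except ValueError:
        return False, ["<invalid JSON>"]
    hits = list(find_control_keys(parsed))
    return not hits, hits

def guard_request(raw_body: bytes) -> dict:
    """Hypothetical pre-validation hook: refuse the body before Model(**body)."""
    ok, hits = is_safe_body(raw_body)
    if not ok:
        # 422 mirrors the status FastAPI itself returns for validation failures.
        return {"status": 422, "detail": f"rejected control keys: {hits}"}
    return {"status": 200, "detail": "ok"}

# Constructed sample log lines (not real traffic); the JSON body follows the path.
SAMPLE_LOG = [
    'POST /users {"name":"alice","email":"a@example.com","role":"user"}',
    'POST /users {"name":"mallory","role":"admin","__pk_only__":true}',
    'PUT /users/7 {"profile":{"email":"x@example.com","__excluded__":["role"]}}',
]

def flag_log_lines(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (line index, hits) for logged bodies that carry control keys."""
    flagged = []
    for i, line in enumerate(lines):
        ok, hits = is_safe_body(line[line.index("{"):].encode())
        if not ok:
            flagged.append((i, hits))
    return flagged
```

Unlike the single-line grep above, this walk reports where in the body the key sits, which matters when related models are submitted as nested objects.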

