CVE-2026-27953
Received Received - Intake
Pydantic Validation Bypass in ormar ORM Enables Privilege Escalation

Publication date: 2026-03-19

Last updated on: 2026-03-27

Assigner: GitHub, Inc.

Description
ormar is a async mini ORM for Python. Versions 0.23.0 and below are vulnerable to Pydantic validation bypass through the model constructor, allowing any unauthenticated user to skip all field validation by injecting "__pk_only__": true into a JSON request body. By injecting "__pk_only__": true into a JSON request body, an unauthenticated attacker can skip all field validation and persist unvalidated data directly to the database. A secondary __excluded__ parameter injection uses the same pattern to selectively nullify arbitrary model fields (e.g., email or role) during construction. This affects ormar's canonical FastAPI integration pattern recommended in its official documentation, enabling privilege escalation, data integrity violations, and business logic bypass in any application using ormar.Model directly as a request body parameter. This issue has been fixed in version 0.23.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-19
Last Modified
2026-03-27
Generated
2026-06-16
AI Q&A
2026-03-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27953
EUVD
EUVD-2026-13198
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
collerek ormar to 0.23.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-915 The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-27953 is a vulnerability in the ormar Python async ORM library (versions 0.23.0 and below) that allows unauthenticated users to bypass all Pydantic validation when creating or updating models. This is done by injecting a special parameter `__pk_only__` set to true into a JSON request body, which causes the model constructor to skip all validation steps and directly assign unvalidated data to the model's internal dictionary."}, {'type': 'paragraph', 'content': 'Additionally, a secondary parameter `__excluded__` can be injected to selectively nullify arbitrary model fields during construction, such as sensitive fields like email or role.'}, {'type': 'paragraph', 'content': 'This vulnerability affects the typical usage pattern where ormar models are used directly as FastAPI request body parameters, enabling attackers to bypass type checks, field constraints, custom validators, and required field enforcement, leading to privilege escalation, data integrity violations, and business logic bypass.'}, {'type': 'paragraph', 'content': 'The issue was fixed in ormar version 0.23.1 by changing how these special parameters are handled to prevent injection through user-supplied keyword arguments.'}] [3, 4]

Impact Analysis

This vulnerability can have several serious impacts on applications using ormar versions 0.23.0 and below:

  • Privilege Escalation: Attackers can bypass role or permission validators by injecting unauthorized roles or privileges.
  • Data Integrity Violation: Invalid or malicious data types, lengths, and formats can be stored in the database without validation.
  • Business Logic Bypass: Custom validation logic enforcing business rules is skipped, potentially allowing unauthorized actions.
  • Field Nullification: Critical fields such as email or password hashes can be nullified, disabling auditing or security controls.

Overall, this can lead to unauthorized data manipulation, compromised application security, and potential downstream effects on system behavior.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves injection of special JSON parameters `"__pk_only__": true` or `"__excluded__"` into requests that use ormar models, allowing bypass of Pydantic validation. Detection involves monitoring incoming JSON request bodies for these suspicious parameters.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts on your network or system, you can inspect HTTP request payloads for the presence of the `"__pk_only__"` or `"__excluded__"` keys in JSON bodies sent to endpoints that accept ormar models (e.g., FastAPI routes).'}, {'type': 'paragraph', 'content': 'Suggested commands or methods include:'}, {'type': 'list_item', 'content': 'Using network packet capture tools like `tcpdump` or `Wireshark` to filter HTTP POST or PUT requests containing these strings.'}, {'type': 'list_item', 'content': 'Using command-line tools like `grep` or `jq` on server logs or access logs to search for JSON payloads containing `"__pk_only__"` or `"__excluded__"`.'}, {'type': 'list_item', 'content': 'Example grep command on logs: `grep -E \'"__pk_only__"|"__excluded__"\' /path/to/access.log`'}, {'type': 'list_item', 'content': 'If you have application-level logging of request bodies, filter logs for these keys to identify suspicious requests.'}, {'type': 'paragraph', 'content': 'There are no specific built-in ormar commands or automated detection scripts provided in the resources.'}] [4, 5]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The primary mitigation is to upgrade ormar to version 0.23.1 or later, where this vulnerability has been fixed by changing the model constructor to prevent injection of `__pk_only__` and `__excluded__` parameters via user input.'}, {'type': 'paragraph', 'content': 'Additional immediate steps include:'}, {'type': 'list_item', 'content': 'Audit your API endpoints that accept ormar models as request bodies (e.g., FastAPI routes) to ensure they do not accept or process requests containing `"__pk_only__"` or `"__excluded__"` keys.'}, {'type': 'list_item', 'content': 'Implement input validation or request body filtering to reject or sanitize requests containing these special keys before they reach the ormar model constructor.'}, {'type': 'list_item', 'content': 'If upgrading immediately is not possible, consider adding middleware or request validation layers to detect and block payloads with these parameters.'}, {'type': 'paragraph', 'content': 'The root cause was that the vulnerable versions extracted these parameters from `**kwargs` before Pydantic validation, allowing bypass. The fix involves changing these to keyword-only parameters that cannot be injected via JSON or dictionary unpacking.'}] [3, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27953. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart