CVE-2026-39356
SQL Injection via Improper Identifier Escaping in Drizzle ORM
Publication date: 2026-04-07
Last updated on: 2026-04-15
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| drizzle | drizzle | to 0.45.2 (exc) |
| drizzle | drizzle | 1.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39356 is a high-severity SQL injection vulnerability in Drizzle ORM versions prior to 0.45.2 and 1.0.0-beta.20. The root cause is that the ORM's dialect-specific escapeName() functions did not escape identifier delimiters (double quotes or backticks) embedded inside an identifier before wrapping that identifier in the same delimiter.
As a result, attacker-controlled input that reaches APIs such as sql.identifier() or .as() can terminate the quoted identifier early and inject arbitrary SQL. This affects applications that build SQL identifiers or aliases from untrusted runtime input, for example for dynamic sorting or dynamic report building.
How can this vulnerability impact me?
Exploitation of this vulnerability can lead to various impacts depending on the database dialect, query context, and permissions. Potential impacts include blind or direct data disclosure, schema enumeration, query manipulation, privilege escalation, or destructive operations.
The vulnerability has a CVSS v3 base score of 7.5, indicating high severity. It can be exploited remotely over the network with low attack complexity, requires no privileges or user interaction, and primarily affects confidentiality.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is present if your application uses a Drizzle ORM version prior to 0.45.2 or 1.0.0-beta.20 and constructs SQL identifiers or aliases dynamically from untrusted input via APIs such as sql.identifier() or .as().
The typical vulnerable pattern is dynamic sorting or aliasing where user-controlled input is passed directly to these APIs without validation.
To detect exploitation attempts, monitor executed SQL for unusual or malformed identifiers containing embedded quotes or backticks, which may indicate injection attempts.
Because this is an application-level vulnerability, network-side detection is limited; inspecting application logs and database query logs for suspicious identifier patterns is more effective.
No specific commands are provided in the resources, but general approaches include:
- Review application dependencies to check Drizzle ORM version (e.g., using npm list drizzle-orm).
- Search source code for usage of sql.identifier() or .as() with dynamic or user-controlled input.
- Enable and analyze database query logs for suspicious identifiers containing unescaped quotes or backticks.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Drizzle ORM to version 0.45.2 or 1.0.0-beta.20 or later, where the identifier escaping is fixed.
Additionally, avoid passing untrusted or user-controlled input directly to APIs that construct SQL identifiers or aliases, such as sql.identifier() or .as().
Implement strict allowlists or validation for any dynamic identifiers or aliases used in queries, so that only known schema names can ever reach the SQL layer.
Review application code for patterns that dynamically build SQL identifiers from user input and refactor them to use static schema objects or validated inputs.
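The following is an added example, not code from Drizzle ORM or from this advisory, showing the two mitigations above for a dynamic sort parameter: an allowlist that maps client-facing sort keys to real column names (so untrusted text never becomes an identifier), and, for comparison, what correct delimiter escaping looks like (doubling any embedded delimiter before wrapping). The dialect map, column names and function names are assumptions made for the example.

```javascript
// Added example (not Drizzle's own code). Demonstrates allowlisting of
// dynamic identifiers plus correct identifier escaping for comparison.

// Delimiter per dialect: Postgres and SQLite quote identifiers with double
// quotes, MySQL with backticks. (Assumed mapping for this example.)
const QUOTE = { pg: '"', sqlite: '"', mysql: '`' };

// Correct escaping: wrap in the delimiter AND double every embedded
// delimiter, so an embedded delimiter can never end the identifier early.
// The flaw in the advisory is the variant that wraps without doubling.
function escapeIdentifier(name, dialect = 'pg') {
  const q = QUOTE[dialect];
  if (!q) throw new Error(`unknown dialect: ${dialect}`);
  return q + String(name).split(q).join(q + q) + q;
}

// Allowlist: the only sort keys a client may request, mapped to the actual
// column names. Untrusted text is used only as a lookup key, never as SQL.
const SORTABLE = Object.freeze({
  name: 'display_name',
  created: 'created_at',
});

// Reject anything not explicitly listed (hasOwnProperty also blocks
// inherited keys such as "toString" or "__proto__").
function resolveSortColumn(requested) {
  if (!Object.prototype.hasOwnProperty.call(SORTABLE, requested)) {
    throw new Error(`unsupported sort column: ${JSON.stringify(requested)}`);
  }
  return SORTABLE[requested];
}

// Build an ORDER BY clause from untrusted `sort` and `dir` query parameters.
// Direction is also reduced to one of two fixed literals.
function buildOrderBy(sort, dir, dialect = 'pg') {
  const column = resolveSortColumn(sort);
  const direction = dir === 'desc' ? 'DESC' : 'ASC';
  return `ORDER BY ${escapeIdentifier(column, dialect)} ${direction}`;
}

// Constructed sample request: a legitimate sort key on MySQL.
const sample = buildOrderBy('created', 'desc', 'mysql');
console.log(sample); // ORDER BY `created_at` DESC
```

The allowlist is the primary control; escapeIdentifier is shown only to make clear what the patched escaping must do, and it should not be relied on as a substitute for validating which identifiers are allowed at all.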
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows attacker-controlled input to inject arbitrary SQL commands, potentially leading to data disclosure and unauthorized access to sensitive information.
Such unauthorized data disclosure and manipulation can result in non-compliance with data protection regulations and standards like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access.
Therefore, if exploited, this vulnerability could compromise confidentiality obligations mandated by these regulations.