Description

Ormar is a async mini ORM for Python. In versions 0.9.9 through 0.22.0, when performing aggregate queries, Ormar ORM constructs SQL expressions by passing user-supplied column names directly into `sqlalchemy.text()` without any validation or sanitization. The `min()` and `max()` methods in the `QuerySet` class accept arbitrary string input as the column parameter. While `sum()` and `avg()` are partially protected by an `is_numeric` type check that rejects non-existent fields, `min()` and `max()` skip this validation entirely. As a result, an attacker-controlled string is embedded as raw SQL inside the aggregate function call. Any unauthorized user can exploit this vulnerability to read the entire database contents, including tables unrelated to the queried model, by injecting a subquery as the column parameter. Version 0.23.0 contains a patch.

INFO

Published Date :

2026-02-24T02:03:47.094Z

Last Modified :

2026-02-24T20:35:44.673Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-26198 vulnerability.

Vendors Products
Collerek
  • Ormar
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-26198.

URL Resource
https://github.com/collerek/ormar/commit/a03bae14fe01358d3eaf7e319fcd5db2e4956b16 cve-icon cve-icon
https://github.com/collerek/ormar/releases/tag/0.23.0 cve-icon cve-icon
https://github.com/collerek/ormar/security/advisories/GHSA-xxh2-68g9-8jqr cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact