CVE-2026-26198
CVE-2026-26198
9.8
CriticalPublished:
Last updated:
Source:security-advisories@github.com
Analyzed
Weakness (CWE)
CVSS Vector
v3.1- Attack Vector
- Network
- Attack Complexity
- Low
- Privileges Required
- None
- User Interaction
- None
- Scope
- Unchanged
- Confidentiality
- High
- Integrity
- High
- Availability
- High
Description
Ormar is a async mini ORM for Python. In versions 0.9.9 through 0.22.0, when performing aggregate queries, Ormar ORM constructs SQL expressions by passing user-supplied column names directly into `sqlalchemy.text()` without any validation or sanitization. The `min()` and `max()` methods in the `QuerySet` class accept arbitrary string input as the column parameter. While `sum()` and `avg()` are partially protected by an `is_numeric` type check that rejects non-existent fields, `min()` and `max()` skip this validation entirely. As a result, an attacker-controlled string is embedded as raw SQL inside the aggregate function call. Any unauthorized user can exploit this vulnerability to read the entire database contents, including tables unrelated to the queried model, by injecting a subquery as the column parameter. Version 0.23.0 contains a patch.
CVE-2026-26198: Professional Cybersecurity Analysis
Executive Summary
CVE-2026-26198 represents a critical SQL injection vulnerability in Ormar, an asynchronous mini-ORM for Python. With a CVSS score of 9.8, this vulnerability allows unauthorized attackers to execute arbitrary SQL queries through unsanitized user input in aggregate query methods, potentially leading to complete database compromise.
1. Vulnerability Assessment and Severity Evaluation
Severity Classification
- CVSS Score: 9.8 (Critical)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Confidentiality Impact: High
- Integrity Impact: High (potential)
- Availability Impact: High (potential)
Technical Assessment
This is a classic SQL injection vulnerability resulting from:
- Insufficient input validation on user-supplied column names
- Direct SQL construction using
sqlalchemy.text()without parameterization - Inconsistent security controls across similar methods (sum/avg have partial protection, min/max have none)
The vulnerability is particularly severe because:
- It bypasses ORM-level protections typically expected in modern frameworks
- Exploitation requires no authentication or special privileges
- The attack surface includes any application endpoint that accepts user input for aggregate queries
- Complete database read access is achievable through subquery injection
2. Attack Vectors and Exploitation Methods
Primary Attack Vector
Malicious Column Parameter Injection in min() and max() aggregate methods:
# Vulnerable code pattern
result = await Model.objects.min("user_controlled_input")
result = await Model.objects.max("user_controlled_input")
Exploitation Techniques
Technique 1: Subquery Injection for Data Exfiltration
# Attacker-controlled input:
column_param = "(SELECT password FROM users WHERE id=1)"
# Results in SQL:
# SELECT MIN((SELECT password FROM users WHERE id=1)) FROM table
Technique 2: Cross-Table Data Access
# Access unrelated tables:
column_param = "(SELECT credit_card FROM payment_info LIMIT 1)"
Technique 3: Conditional Data Extraction
# Boolean-based blind SQL injection:
column_param = "(CASE WHEN (SELECT COUNT(*) FROM admin_users) > 0 THEN 1 ELSE 0 END)"
Technique 4: Database Enumeration
# Extract schema information:
column_param = "(SELECT table_name FROM information_schema.tables LIMIT 1)"
Attack Scenarios
Scenario A: API Endpoint Exploitation
# Vulnerable API endpoint
@app.get("/stats")
async def get_stats(column: str):
return await Product.objects.min(column)
# Malicious request:
# GET /stats?column=(SELECT+api_key+FROM+secrets+LIMIT+1)
Scenario B: Dashboard Analytics Exploitation
# Vulnerable analytics function
async def get_metric(metric_name: str):
return await Metrics.objects.max(metric_name)
# Attacker supplies: metric_name = "(SELECT password FROM admin_accounts WHERE username='admin')"
3. Affected Systems and Software Versions
Affected Versions
- Ormar versions: 0.9.9 through 0.22.0 (inclusive)
- All Python environments running affected versions
- All database backends supported by Ormar (PostgreSQL, MySQL, SQLite, etc.)
Affected Components
QuerySet.min()method - Fully vulnerableQuerySet.max()method - Fully vulnerableQuerySet.sum()method - Partially protected (hasis_numericcheck)QuerySet.avg()method - Partially protected (hasis_numericcheck)
Deployment Contexts at Risk
- Web APIs accepting user input for analytics/reporting
- Dashboard applications with dynamic column selection
- Data export services with customizable aggregations
- Admin panels with flexible query builders
- Mobile backend services using Ormar for data aggregation
4. Recommended Mitigation Strategies
Immediate Actions (Priority 1)
A. Upgrade to Patched Version
# Upgrade to version 0.23.0 or later
pip install --upgrade ormar>=0.23.0
# Verify installation
pip show ormar
B. Emergency Workaround (If Immediate Upgrade Impossible)
# Implement input validation wrapper
ALLOWED_COLUMNS = {'price', 'quantity', 'rating'} # Whitelist
async def safe_min(model, column: str):
if column not in ALLOWED_COLUMNS:
raise ValueError("Invalid column name")
return await model.objects.min(column)
Short-Term Mitigations (Priority 2)
C. Input Validation and Sanitization
import re
def validate_column_name(column: str) -> bool:
# Only allow alphanumeric and underscore
if not re.match(r'^[a-zA-Z_][a-zA-Z0-9_]*$', column):
return False
# Verify column exists in model
if column not in Model.__fields__:
return False
return True
async def secure_aggregate(column: str):
if not validate_column_name(column):
raise ValueError("Invalid column")
return await Model.objects.min(column)
D. Web Application Firewall (WAF) Rules
# ModSecurity-style rule
SecRule ARGS "@rx (SELECT|UNION|INSERT|UPDATE|DELETE|DROP)" \
"id:1001,phase:2,deny,status:403,msg:'SQL Injection Attempt'"
Long-Term Security Measures (Priority 3)
E. Security Architecture Review
- Implement principle of least privilege for database connections
- Use read-only database replicas for reporting queries
- Deploy database activity monitoring (DAM) solutions
- Implement query result size limits to prevent data exfiltration
F. Code Security Practices
# Use ORM field references instead of strings
from ormar import fields
# Safer approach - use field objects
result = await Model.objects.min(Model.price) # Type-safe
# Implement audit logging
import logging
async def audited_aggregate(column: str, user_id: str):
logging.warning(f"Aggregate query: column={column}, user={user_id}")
# ... validation and execution
G. Security Testing Integration
# Add security test cases
async def test_sql_injection_prevention():
malicious_inputs = [
"(SELECT password FROM users)",
"1; DROP TABLE users--",
"' OR '1'='1",
"(SELECT COUNT(*) FROM information_schema.tables)"
]
for payload in malicious_inputs:
with pytest.raises(ValueError):
await Model.objects.min(payload)
5. Impact on Cybersecurity Landscape
Industry-Wide Implications
A. ORM Security Concerns
This vulnerability highlights a critical gap in ORM security assumptions:
- Developers often trust ORMs to handle SQL injection prevention automatically
- Aggregate functions and dynamic queries remain high-risk areas
- Even modern async frameworks can contain fundamental security flaws
B. Python Ecosystem Impact
- Affects the growing Python async web development community
- Impacts FastAPI, Starlette, and other async framework users
- Demonstrates need for security audits in emerging Python libraries
C. Supply Chain Security
- Emphasizes risks in dependency chains
- Applications may be vulnerable without direct code issues
- Highlights importance of Software Bill of Materials (SBOM) tracking
Threat Landscape Evolution
Attack Surface Expansion
- **
References
security-advisories@github.com
https://github.com/collerek/ormar/commit/a03bae14fe01358d3eaf7e319fcd5db2e4956b16security-advisories@github.com
https://github.com/collerek/ormar/releases/tag/0.23.0security-advisories@github.com
https://github.com/collerek/ormar/security/advisories/GHSA-xxh2-68g9-8jqr