CVE-2026-26198

Name of the Vulnerable Software and Affected Versions Ormar versions 0.9.9 through 0.22.0

Description Ormar is an async mini ORM for Python. Versions 0.9.9 through 0.22.0 are susceptible to a SQL injection flaw when performing aggregate queries. The min() and max() methods in the QuerySet class accept arbitrary string input as the column parameter without validation. This allows an attacker to embed raw SQL inside the aggregate function call, potentially enabling them to read the entire database content, including unrelated tables, by injecting a subquery. The vulnerability arises because sqlalchemy.text() is used to construct SQL expressions directly from user-supplied column names without sanitization. The sum() and avg() methods have partial protection with a type check, but min() and max() do not. The vulnerability was discovered through the ability to execute subqueries via the min() and max() aggregate functions. An attacker can enumerate database tables, extract schemas, and dump credentials without authentication.

Recommendations Update to version 0.23.0 or later.