CVE-2026-27953

Name of the Vulnerable Software and Affected Versions ormar versions 0.23.0 and below

Description ormar, an async mini ORM for Python, has a Pydantic validation bypass issue in its model constructor. This allows unauthenticated users to skip all field validation by injecting " pk only ": true into a JSON request body. The injection of " pk only ": true allows bypassing type checks, constraints, and other validation rules, leading to the persistence of unvalidated data in the database. A secondary issue involves the " excluded " parameter, which can be used to selectively nullify arbitrary model fields during construction. This affects the recommended FastAPI integration pattern, potentially enabling privilege escalation, data integrity violations, and business logic bypass. The root cause is the direct extraction of " pk only " from user-supplied keyword arguments before validation occurs. The pk only flag was originally intended for internal optimization but is accessible to external callers. The affected entry points include FastAPI routes using ormar models as request body parameters, as well as direct calls to Model.objects.create(**user dict) and Model(**user dict).

Recommendations Versions prior to 0.23.1 are affected. Replace kwargs.pop(" pk only ", False) with a keyword-only parameter that cannot be injected via **kwargs. Replace kwargs.pop(" excluded ", set()) with a keyword-only parameter that cannot be injected via **kwargs.