CVE-2026-34220

CVSS v4.0

9.3

Critical

AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Summary

MikroORM versions <= 6.6.9 and <= 7.0.5 are vulnerable to SQL injection when specially crafted objects are interpreted as raw SQL query fragments.

Impact

If user-controlled input is passed directly to MikroORM query construction APIs, an attacker may inject raw SQL fragments. This can lead to SQL injection depending on the database and query being executed.

Affected usage

The issue occurs when untrusted objects are passed to ORM write APIs such as:

wrap(entity).assign(userInput) followed by em.flush()
em.nativeUpdate()
em.nativeInsert()
em.create() followed by em.flush()

Applications that validate input types or enforce strict schema validation before passing data to MikroORM are not affected.

Fix

The vulnerability was caused by duck-typed detection of internal ORM marker properties.

The fix replaces these checks with symbol-based markers that cannot be reproduced by user input.

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2026-34220

GHSA-GWHV-J974-6FXM

Affected Products

@Mikro-Orm/Core

CVE-2026-34220

Summary

Impact

Affected usage

Fix

Weakness Enumeration

Related Identifiers

Affected Products

References · 3