PT-2026-39290 · Npm+1 · @Mikro-Orm/Knex+4

Martin Adámek · Published 2026-05-08 · Updated 2026-05-26 · CVE-2026-44680

CVSS v3.1: 7.6 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Name of the Vulnerable Software and Affected Versions
  • @mikro-orm/knex versions prior to 6.6.14
  • @mikro-orm/sql versions prior to 7.0.14

Description
MikroORM's identifier-quoting helper (Platform.quoteIdentifier and the postgres/mssql overrides) and its JSON-path emitters (Platform.getSearchJsonPropertyKey, quoteJsonKey) fail to properly escape the characters that delimit the SQL identifier or string-literal context. An attacker can therefore break out of the quoted context and inject arbitrary SQL whenever application code passes attacker-influenced strings to public ORM APIs that expect an identifier or a JSON-property filter. All supported SQL dialects are affected; the MongoDB driver is not.
Technical details include vulnerabilities in the following areas:
  • Multi-tenant schema option: used in em.fork({ schema }), qb.withSchema(name), wrap(entity).setSchema(name), and em.create(Cls, data, { schema }) where the schema variable is concatenated into the SQL identifier without escaping the dialect quote character.
  • JSON-property filters in em.find and qb.where: user-supplied JSON sub-keys in em.find(Entity, { jsonCol: { [userKey]: value } }) are spliced into the SQL string literal of the JSON path expression without escaping.
  • Keys in qb.where, qb.orderBy, qb.groupBy, qb.having, and qb.select: keys containing . or :: bypass the structured-where metadata validator in CriteriaNode and are processed by the flawed quoteIdentifier function.

Recommendations
Upgrade @mikro-orm/knex to version 6.6.14 or later. Upgrade @mikro-orm/sql to version 7.0.14 or later.
For multi-tenant applications using em.fork({ schema }), wrap().setSchema(), or qb.withSchema(), validate the schema name against a strict allowlist (e.g., ^[A-Za-z_][\w$]*$) before passing it to the ORM.
For applications passing where or orderBy filters from request input, validate every key against the entity's known properties and block keys containing . or :: from user input.
For applications allowing filtering on JSON columns from request input, validate every JSON sub-key against an allowlist (e.g., ^[a-zA-Z_][\w]*$) before passing it to em.find.
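The allowlist checks from the recommendations, written out as an added TypeScript example that is not MikroORM's own code: the function names, the sample property set and the JSON-property set are assumptions, and the checks run on request input before it is handed to the ORM.

```typescript
// Added defensive example, not MikroORM code: allowlist checks for request
// input before it reaches em.fork({ schema }), qb.withSchema(), em.find() or
// qb.where(). Function names and the sample property sets are assumptions.

// Schema names: letter or underscore, then word characters or '$'.
const SCHEMA_NAME = /^[A-Za-z_][\w$]*$/;
// JSON sub-keys used in em.find(Entity, { jsonCol: { [key]: value } }).
const JSON_KEY = /^[a-zA-Z_]\w*$/;

function isSafeSchemaName(name: string): boolean {
  return SCHEMA_NAME.test(name);
}

function isSafeJsonKey(key: string): boolean {
  return JSON_KEY.test(key);
}

// Returns the offending keys of a where/orderBy object built from request
// input. A key is rejected when it is not a known entity property or when it
// contains '.' or '::' (such keys skip CriteriaNode's metadata validation).
// For JSON properties the nested sub-keys are checked against JSON_KEY.
// Operator keys ($and, $or, ...) are rejected unless listed in knownProps.
function findUnsafeFilterKeys(
  where: Record<string, unknown>,
  knownProps: ReadonlySet<string>,
  jsonProps: ReadonlySet<string> = new Set<string>(),
): string[] {
  const bad: string[] = [];
  for (const [key, value] of Object.entries(where)) {
    if (key.includes('.') || key.includes('::') || !knownProps.has(key)) {
      bad.push(key);
      continue;
    }
    const isPlainObject = value !== null && typeof value === 'object' && !Array.isArray(value);
    if (jsonProps.has(key) && isPlainObject) {
      for (const sub of Object.keys(value as Record<string, unknown>)) {
        if (!isSafeJsonKey(sub)) bad.push(`${key}.${sub}`);
      }
    }
  }
  return bad;
}

// Fail the request before any SQL is built.
function assertSafeFilter(where: Record<string, unknown>, knownProps: ReadonlySet<string>, jsonProps?: ReadonlySet<string>): void {
  const bad = findUnsafeFilterKeys(where, knownProps, jsonProps);
  if (bad.length > 0) throw new Error(`rejected filter keys: ${bad.join(', ')}`);
}
```

Call isSafeSchemaName on the tenant name before em.fork({ schema }) and assertSafeFilter on a request body before em.find; the same key check applies to orderBy, groupBy, having and select inputs.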

Weakness Enumeration

SQL injection

Related Identifiers

CVE-2026-44680
GHSA-CFW5-68C4-FFQP

Affected Products

@Mikro-Orm/Knex
@Mikro-Orm/Sql
Knex
Mikroorm
Sql