Vulnerability-Lookup

CVE-2026-44680 (GCVE-0-2026-44680)

Vulnerability from cvelistv5 – Published: 2026-05-26 16:49 – Updated: 2026-05-26 17:40

Title

MikroORM: SQL injection via runtime-controlled identifiers and JSON-path keys

Summary

MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to @mikro-orm/knex 6.6.14 and @mikro-orm/sql 7.0.14, MikroORM's identifier-quoting helper (Platform.quoteIdentifier and the postgres/mssql overrides) and its JSON-path emitters (Platform.getSearchJsonPropertyKey, quoteJsonKey) did not properly escape characters that delimit the SQL identifier or string-literal context they emit into. When application code passes attacker-influenced strings to public ORM APIs that expect an identifier or a JSON-property filter, an attacker can break out of the quoted context and inject arbitrary SQL. This vulnerability is fixed in @mikro-orm/knex 6.6.14 and @mikro-orm/sql 7.0.14.

Severity

7.6 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Assigner

GitHub_M

References

5 references

URL	Tags
https://github.com/mikro-orm/mikro-orm/security/a…	x_refsource_CONFIRM
https://github.com/mikro-orm/mikro-orm/pull/7653	x_refsource_MISC
https://github.com/mikro-orm/mikro-orm/pull/7654	x_refsource_MISC
https://github.com/mikro-orm/mikro-orm/pull/7656	x_refsource_MISC
https://github.com/mikro-orm/mikro-orm/pull/7657	x_refsource_MISC

Impacted products

3 products

Vendor	Product	Version
mikro-orm	mikro-orm	Affected: >= 7.0.0-rc.0, < 7.0.14 Affected: < 6.6.14
@mikro-orm	knex	Affected: < 6.6.14
@mikro-orm	sql	Affected: < 7.0.14

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44680",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-26T17:40:31.124194Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-26T17:40:52.485Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mikro-orm",
          "vendor": "mikro-orm",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 7.0.0-rc.0, \u003c 7.0.14"
            },
            {
              "status": "affected",
              "version": "\u003c 6.6.14"
            }
          ]
        },
        {
          "product": "knex",
          "vendor": "@mikro-orm",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 6.6.14"
            }
          ]
        },
        {
          "product": "sql",
          "vendor": "@mikro-orm",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 7.0.14"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to @mikro-orm/knex 6.6.14 and @mikro-orm/sql 7.0.14, MikroORM\u0027s identifier-quoting helper (Platform.quoteIdentifier and the postgres/mssql overrides) and its JSON-path emitters (Platform.getSearchJsonPropertyKey, quoteJsonKey) did not properly escape characters that delimit the SQL identifier or string-literal context they emit into. When application code passes attacker-influenced strings to public ORM APIs that expect an identifier or a JSON-property filter, an attacker can break out of the quoted context and inject arbitrary SQL. This vulnerability is fixed in @mikro-orm/knex 6.6.14 and @mikro-orm/sql 7.0.14."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-26T16:49:47.987Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-cfw5-68c4-ffqp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-cfw5-68c4-ffqp"
        },
        {
          "name": "https://github.com/mikro-orm/mikro-orm/pull/7653",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mikro-orm/mikro-orm/pull/7653"
        },
        {
          "name": "https://github.com/mikro-orm/mikro-orm/pull/7654",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mikro-orm/mikro-orm/pull/7654"
        },
        {
          "name": "https://github.com/mikro-orm/mikro-orm/pull/7656",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mikro-orm/mikro-orm/pull/7656"
        },
        {
          "name": "https://github.com/mikro-orm/mikro-orm/pull/7657",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mikro-orm/mikro-orm/pull/7657"
        }
      ],
      "source": {
        "advisory": "GHSA-cfw5-68c4-ffqp",
        "discovery": "UNKNOWN"
      },
      "title": "MikroORM: SQL injection via runtime-controlled identifiers and JSON-path keys"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44680",
    "datePublished": "2026-05-26T16:49:47.987Z",
    "dateReserved": "2026-05-07T16:20:08.660Z",
    "dateUpdated": "2026-05-26T17:40:52.485Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-44680\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-26T17:16:46.540\",\"lastModified\":\"2026-05-26T20:24:19.650\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to @mikro-orm/knex 6.6.14 and @mikro-orm/sql 7.0.14, MikroORM\u0027s identifier-quoting helper (Platform.quoteIdentifier and the postgres/mssql overrides) and its JSON-path emitters (Platform.getSearchJsonPropertyKey, quoteJsonKey) did not properly escape characters that delimit the SQL identifier or string-literal context they emit into. When application code passes attacker-influenced strings to public ORM APIs that expect an identifier or a JSON-property filter, an attacker can break out of the quoted context and inject arbitrary SQL. This vulnerability is fixed in @mikro-orm/knex 6.6.14 and @mikro-orm/sql 7.0.14.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L\",\"baseScore\":7.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":4.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"references\":[{\"url\":\"https://github.com/mikro-orm/mikro-orm/pull/7653\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/mikro-orm/mikro-orm/pull/7654\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/mikro-orm/mikro-orm/pull/7656\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/mikro-orm/mikro-orm/pull/7657\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-cfw5-68c4-ffqp\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-44680\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-26T17:40:31.124194Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-26T17:40:39.560Z\"}}], \"cna\": {\"title\": \"MikroORM: SQL injection via runtime-controlled identifiers and JSON-path keys\", \"source\": {\"advisory\": \"GHSA-cfw5-68c4-ffqp\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"mikro-orm\", \"product\": \"mikro-orm\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 7.0.0-rc.0, \u003c 7.0.14\"}, {\"status\": \"affected\", \"version\": \"\u003c 6.6.14\"}]}, {\"vendor\": \"@mikro-orm\", \"product\": \"knex\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 6.6.14\"}]}, {\"vendor\": \"@mikro-orm\", \"product\": \"sql\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 7.0.14\"}]}], \"references\": [{\"url\": \"https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-cfw5-68c4-ffqp\", \"name\": \"https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-cfw5-68c4-ffqp\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/mikro-orm/mikro-orm/pull/7653\", \"name\": \"https://github.com/mikro-orm/mikro-orm/pull/7653\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/mikro-orm/mikro-orm/pull/7654\", \"name\": \"https://github.com/mikro-orm/mikro-orm/pull/7654\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/mikro-orm/mikro-orm/pull/7656\", \"name\": \"https://github.com/mikro-orm/mikro-orm/pull/7656\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/mikro-orm/mikro-orm/pull/7657\", \"name\": \"https://github.com/mikro-orm/mikro-orm/pull/7657\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to @mikro-orm/knex 6.6.14 and @mikro-orm/sql 7.0.14, MikroORM\u0027s identifier-quoting helper (Platform.quoteIdentifier and the postgres/mssql overrides) and its JSON-path emitters (Platform.getSearchJsonPropertyKey, quoteJsonKey) did not properly escape characters that delimit the SQL identifier or string-literal context they emit into. When application code passes attacker-influenced strings to public ORM APIs that expect an identifier or a JSON-property filter, an attacker can break out of the quoted context and inject arbitrary SQL. This vulnerability is fixed in @mikro-orm/knex 6.6.14 and @mikro-orm/sql 7.0.14.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-89\", \"description\": \"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-26T16:49:47.987Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-44680\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-26T17:40:52.485Z\", \"dateReserved\": \"2026-05-07T16:20:08.660Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-26T16:49:47.987Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-44680

Vulnerability from fkie_nvd - Published: 2026-05-26 17:16 - Updated: 2026-05-26 17:16

Severity

7.6 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/mikro-orm/mikro-orm/pull/7653
	security-advisories@github.com	https://github.com/mikro-orm/mikro-orm/pull/7654
	security-advisories@github.com	https://github.com/mikro-orm/mikro-orm/pull/7656
	security-advisories@github.com	https://github.com/mikro-orm/mikro-orm/pull/7657
	security-advisories@github.com	https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-cfw5-68c4-ffqp

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to @mikro-orm/knex 6.6.14 and @mikro-orm/sql 7.0.14, MikroORM\u0027s identifier-quoting helper (Platform.quoteIdentifier and the postgres/mssql overrides) and its JSON-path emitters (Platform.getSearchJsonPropertyKey, quoteJsonKey) did not properly escape characters that delimit the SQL identifier or string-literal context they emit into. When application code passes attacker-influenced strings to public ORM APIs that expect an identifier or a JSON-property filter, an attacker can break out of the quoted context and inject arbitrary SQL. This vulnerability is fixed in @mikro-orm/knex 6.6.14 and @mikro-orm/sql 7.0.14."
    }
  ],
  "id": "CVE-2026-44680",
  "lastModified": "2026-05-26T17:16:46.540",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.6,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-26T17:16:46.540",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/mikro-orm/mikro-orm/pull/7653"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/mikro-orm/mikro-orm/pull/7654"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/mikro-orm/mikro-orm/pull/7656"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/mikro-orm/mikro-orm/pull/7657"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-cfw5-68c4-ffqp"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-CFW5-68C4-FFQP

Vulnerability from github – Published: 2026-05-08 19:17 – Updated: 2026-05-08 19:17

Summary

MikroORM has SQL injection via runtime-controlled identifiers and JSON-path keys

Details

Summary

MikroORM's identifier-quoting helper (Platform.quoteIdentifier and the postgres/mssql overrides) and its JSON-path emitters (Platform.getSearchJsonPropertyKey, quoteJsonKey) did not properly escape characters that delimit the SQL identifier or string-literal context they emit into. When application code passes attacker-influenced strings to public ORM APIs that expect an identifier or a JSON-property filter, an attacker can break out of the quoted context and inject arbitrary SQL.

Affected APIs

The vulnerability is reachable when application code passes an attacker-influenced string to any of the following documented APIs:

Multi-tenant schema option — em.fork({ schema }), qb.withSchema(name), wrap(entity).setSchema(name), em.create(Cls, data, { schema }). The schema name is concatenated into the SQL identifier and never had its dialect quote character escaped.
em.find / qb.where JSON-property filters — em.find(Entity, { jsonCol: { [userKey]: value } }). The user-supplied JSON sub-keys cannot be validated against any metadata (JSON columns are schemaless by design), and were spliced into the SQL string literal of the JSON path expression without escaping.
qb.where / qb.orderBy / qb.groupBy / qb.having / qb.select keys — keys containing . or :: bypassed the structured-where metadata validator in CriteriaNode, then flowed through the same broken quoteIdentifier. Apps that forwarded raw filter keys from request input were already broken on authorization grounds (e.g. { isAdmin: true }); the SQL injection here is a defence-in-depth failure on top of that.

The vulnerability does not affect documented escape-hatch APIs (raw(), the sql tagged template, qb.raw(), em.raw()) — those are documented as accepting raw SQL and are the application's responsibility to sanitize.

Impact

Confidentiality — read from any table/schema the database user has access to (cross-tenant data leak in multi-tenant deployments).
Integrity — on dialects supporting multi-statement queries (MSSQL, MySQL with multi-statement enabled), execute additional arbitrary SQL statements (data modification, in-database privilege escalation).
Availability — DROP/TRUNCATE via injected statements where the database user has the privilege.

Affected dialects

All SQL dialects supported by MikroORM. The identifier-quoting bug exists in every dialect's quoteIdentifier (the dialect's own quote character — backtick, double quote, or right bracket — was not doubled when embedded in the identifier). The JSON-path bug exists in all dialects' getSearchJsonPropertyKey/quoteJsonKey.

MongoDB driver is not affected (no SQL).

Patches

v7: upgrade to 7.0.14 or later.
v6: upgrade to 6.6.14 or later.

Patches: * Identifier quoting: #7653 (master) / #7654 (6.x) * JSON-path keys: #7656 (master) / #7657 (6.x)

Workarounds

If users cannot upgrade immediately:

For multi-tenant apps using em.fork({ schema }) / wrap().setSchema() / qb.withSchema(): validate the schema name against a strict allowlist (e.g. ^[A-Za-z_][\w$]*$) before passing it to MikroORM.
For applications that pass where / orderBy filters from request input: validate every key against the entity's known properties before constructing the filter; do not pass keys containing . or :: from user input.
For applications that allow filtering on JSON columns from request input: validate every JSON sub-key against an allowlist (or against ^[a-zA-Z_][\w]*$) before passing it to em.find.

Credits

Reported and patched by Martin Adámek (project maintainer) during an internal security review.

Severity

7.6 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 7.0.13"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@mikro-orm/sql"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.0.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.6.13"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@mikro-orm/knex"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.6.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44680"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T19:17:45Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nMikroORM\u0027s identifier-quoting helper (`Platform.quoteIdentifier` and the postgres/mssql overrides) and its JSON-path emitters (`Platform.getSearchJsonPropertyKey`, `quoteJsonKey`) did not properly escape characters that delimit the SQL identifier or string-literal context they emit into. When application code passes attacker-influenced strings to public ORM APIs that expect an identifier or a JSON-property filter, an attacker can break out of the quoted context and inject arbitrary SQL.\n\n## Affected APIs\n\nThe vulnerability is reachable when application code passes an attacker-influenced string to any of the following documented APIs:\n\n* **Multi-tenant `schema` option** \u2014 `em.fork({ schema })`, `qb.withSchema(name)`, `wrap(entity).setSchema(name)`, `em.create(Cls, data, { schema })`. The schema name is concatenated into the SQL identifier and never had its dialect quote character escaped.\n* **`em.find` / `qb.where` JSON-property filters** \u2014 `em.find(Entity, { jsonCol: { [userKey]: value } })`. The user-supplied JSON sub-keys cannot be validated against any metadata (JSON columns are schemaless by design), and were spliced into the SQL string literal of the JSON path expression without escaping.\n* **`qb.where` / `qb.orderBy` / `qb.groupBy` / `qb.having` / `qb.select` keys** \u2014 keys containing `.` or `::` bypassed the structured-where metadata validator in `CriteriaNode`, then flowed through the same broken `quoteIdentifier`. Apps that forwarded raw filter keys from request input were already broken on authorization grounds (e.g. `{ isAdmin: true }`); the SQL injection here is a defence-in-depth failure on top of that.\n\nThe vulnerability does **not** affect documented escape-hatch APIs (`raw()`, the `sql` tagged template, `qb.raw()`, `em.raw()`) \u2014 those are documented as accepting raw SQL and are the application\u0027s responsibility to sanitize.\n\n## Impact\n\n* **Confidentiality** \u2014 read from any table/schema the database user has access to (cross-tenant data leak in multi-tenant deployments).\n* **Integrity** \u2014 on dialects supporting multi-statement queries (MSSQL, MySQL with multi-statement enabled), execute additional arbitrary SQL statements (data modification, in-database privilege escalation).\n* **Availability** \u2014 DROP/TRUNCATE via injected statements where the database user has the privilege.\n\n## Affected dialects\n\nAll SQL dialects supported by MikroORM. The identifier-quoting bug exists in every dialect\u0027s `quoteIdentifier` (the dialect\u0027s own quote character \u2014 backtick, double quote, or right bracket \u2014 was not doubled when embedded in the identifier). The JSON-path bug exists in all dialects\u0027 `getSearchJsonPropertyKey`/`quoteJsonKey`.\n\nMongoDB driver is **not** affected (no SQL).\n\n## Patches\n\n* v7: upgrade to **7.0.14** or later.\n* v6: upgrade to **6.6.14** or later.\n\nPatches:\n* Identifier quoting: #7653 (master) / #7654 (6.x)\n* JSON-path keys: #7656 (master) / #7657 (6.x)\n\n## Workarounds\n\nIf users cannot upgrade immediately:\n\n* For multi-tenant apps using `em.fork({ schema })` / `wrap().setSchema()` / `qb.withSchema()`: validate the schema name against a strict allowlist (e.g. `^[A-Za-z_][\\w$]*$`) **before** passing it to MikroORM.\n* For applications that pass `where` / `orderBy` filters from request input: validate every key against the entity\u0027s known properties before constructing the filter; do not pass keys containing `.` or `::` from user input.\n* For applications that allow filtering on JSON columns from request input: validate every JSON sub-key against an allowlist (or against `^[a-zA-Z_][\\w]*$`) before passing it to `em.find`.\n\n## Credits\n\nReported and patched by Martin Ad\u00e1mek (project maintainer) during an internal security review.",
  "id": "GHSA-cfw5-68c4-ffqp",
  "modified": "2026-05-08T19:17:45Z",
  "published": "2026-05-08T19:17:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-cfw5-68c4-ffqp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mikro-orm/mikro-orm/pull/7654"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mikro-orm/mikro-orm/pull/7657"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mikro-orm/mikro-orm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "MikroORM has SQL injection via runtime-controlled identifiers and JSON-path keys"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-44680 (GCVE-0-2026-44680)

FKIE_CVE-2026-44680

GHSA-CFW5-68C4-FFQP

Summary

Affected APIs

Impact

Affected dialects

Patches

Workarounds

Credits

Tags

Sightings

Nomenclature