A major security flaw has been unearthed in ormar, a popular asynchronous mini Object-Relational Mapper (ORM) for Python that serves as a bridge for developers working with Postgres, MySQL, and SQLite. The vulnerability, tracked as CVE-2026-26198, carries a critical CVSS score of 9.8 and threatens to expose entire databases to unauthenticated attackers.
With over 4.41 million downloads, the library is a staple for many FastAPI and asynchronous Python applications, making the potential blast radius of this discovery significant.
The vulnerability lies within the library’s aggregate function calls, specifically the min() and max() methods. According to the technical report, the issue arises because the ORM “constructs SQL expressions by passing user-supplied column names directly into sqlalchemy.text() without any validation or sanitization”.
While other functions like sum() and avg() are partially shielded by type checks, min() and max() skip these safeguards entirely. This oversight allows an attacker to inject arbitrary strings into the raw SQL query. “Any unauthorized user can exploit this vulnerability to read the entire database contents, including tables unrelated to the queried model, by injecting a subquery as the column parameter,” the report warns.
The security analysis traced the root of the flaw back to March 12, 2021. The vulnerable code was introduced in version 0.9.9 and remained completely unchanged for nearly four years.
“The vulnerable SelectAction.get_text_clause() method and the min()/max() aggregate functions were introduced together… and the vulnerable code has never been modified since,” the researchers noted. This means any application running ormar versions between 0.9.9 and 0.22.0 is currently at risk.
Because many developers follow the library’s official documentation, the vulnerability is often baked into standard API designs. The report highlights that “REST APIs with user-selectable aggregate fields” or “GraphQL resolvers that accept field names as arguments” are prime targets.
The researchers demonstrated the attack using a standard FastAPI application, proving that “any API endpoint that passes user-controlled input to Model.objects.min() or Model.objects.max() becomes a full SQL injection entry point”. The attack has been confirmed to work across all major supported backends, including SQLite, PostgreSQL, and MySQL.
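An added illustration of the pattern described above, not ormar's code and not from the advisory: a helper that mirrors the defect (caller-supplied column name concatenated straight into the aggregate SQL text) next to a hardened wrapper that checks the aggregate function and the column name against an allowlist of declared columns before any SQL is built. It uses a constructed SQLite table and the standard-library sqlite3 module standing in for the ORM; the table, rows and function names are assumptions for the example.

```python
import sqlite3

# Constructed sample schema (not from the advisory): an "items" table of the
# kind an API endpoint might expose through Model.objects.min()/max().
SCHEMA = """
CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, price REAL);
INSERT INTO items (name, price) VALUES ('a', 3.5), ('b', 1.25), ('c', 9.0);
"""

# Only the two aggregates the advisory discusses are accepted.
ALLOWED_FUNCS = {"MIN", "MAX"}


def connect() -> sqlite3.Connection:
    """Return an in-memory SQLite database loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def unsafe_aggregate(conn: sqlite3.Connection, func: str, column: str):
    """Mirrors the defect: the caller-supplied column name is dropped into the
    SQL text unchecked, so the database executes whatever string arrives."""
    sql = f"SELECT {func}({column}) FROM items"
    return conn.execute(sql).fetchone()[0]


def declared_columns(conn: sqlite3.Connection) -> set:
    """Column allowlist read from the schema itself; in an ORM this is the
    equivalent of checking against the model's declared fields."""
    return {row[1] for row in conn.execute("PRAGMA table_info(items)")}


def safe_aggregate(conn: sqlite3.Connection, func: str, column: str):
    """Hardened form: reject anything that is not a supported aggregate or a
    declared column before it reaches the query string, then quote the
    identifier so it can only be parsed as a column name."""
    func = func.upper()
    if func not in ALLOWED_FUNCS:
        raise ValueError(f"unsupported aggregate: {func!r}")
    if column not in declared_columns(conn):
        raise ValueError(f"unknown column: {column!r}")
    quoted = '"' + column.replace('"', '""') + '"'
    sql = f"SELECT {func}({quoted}) FROM items"
    return conn.execute(sql).fetchone()[0]
```

The allowlist check is the key control: it turns a free-form string into a choice among known identifiers, which is the same property the ORM's type checks give sum() and avg().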
The maintainers of ormar have moved swiftly to close this critical hole. The vulnerability has been fully addressed in version 0.23.0.
Developers and system administrators are urged to audit their Python environments and upgrade their ormar dependencies immediately.