Improper input validation in Ormar-orm Ormar
CVE-2026-27953
ormar is a async mini ORM for Python. Versions 0.23.0 and below are vulnerable to Pydantic validation bypass through the model constructor, allowing any unauthenticated user to skip all field validation by injecting "__pk_only__": true int…
Vulnerability class: Mass Assignment
EPSS: 0.005 (65.8th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 7.1 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L.
Affected products
- Ormar-orm Ormar — versions < 0.23.1
Weakness classification (CWE)
References
- https://github.com/ormar-orm/ormar/security/advisories/GHSA-f964-whrq-44h8 (x_refsource_CONFIRM)
- https://github.com/ormar-orm/ormar/commit/7f22aa21a7614b993970345b392dabb0ccde0ab3 (x_refsource_MISC)
- https://github.com/ormar-orm/ormar/blob/master/examples/fastapi_quick_start.py#L55 (x_refsource_MISC)
- https://github.com/ormar-orm/ormar/blob/master/ormar/fields/foreign_key.py#L41 (x_refsource_MISC)
- https://github.com/ormar-orm/ormar/blob/master/ormar/models/helpers/pydantic.py#L108 (x_refsource_MISC)
- https://github.com/ormar-orm/ormar/blob/master/ormar/models/model.py#L89 (x_refsource_MISC)
- https://github.com/ormar-orm/ormar/blob/master/ormar/models/newbasemodel.py#L128 (x_refsource_MISC)
- https://github.com/ormar-orm/ormar/blob/master/ormar/models/newbasemodel.py#L292 (x_refsource_MISC)
- https://github.com/ormar-orm/ormar/releases/tag/0.23.1 (x_refsource_MISC)
Frequently asked questions
- What is CVE-2026-27953?
- CVE-2026-27953 is a high-severity vulnerability in Ormar-orm Ormar, classified under Improperly Controlled Modification of Dynamically-Determined Object Attributes. CVSS score: 7.1/10. Published 2026-03-19.
- How severe is CVE-2026-27953?
- High severity. CVSS v3 base score is 7.1 out of 10.