Skip to content

MikroORM has SQL injection via runtime-controlled identifiers and JSON-path keys

High severity GitHub Reviewed Published May 5, 2026 in mikro-orm/mikro-orm

Package

npm @mikro-orm/knex (npm)

Affected versions

<= 6.6.13

Patched versions

6.6.14
npm @mikro-orm/sql (npm)
<= 7.0.13
7.0.14

Description

Summary

MikroORM's identifier-quoting helper (Platform.quoteIdentifier and the postgres/mssql overrides) and its JSON-path emitters (Platform.getSearchJsonPropertyKey, quoteJsonKey) did not properly escape characters that delimit the SQL identifier or string-literal context they emit into. When application code passes attacker-influenced strings to public ORM APIs that expect an identifier or a JSON-property filter, an attacker can break out of the quoted context and inject arbitrary SQL.

Affected APIs

The vulnerability is reachable when application code passes an attacker-influenced string to any of the following documented APIs:

  • Multi-tenant schema optionem.fork({ schema }), qb.withSchema(name), wrap(entity).setSchema(name), em.create(Cls, data, { schema }). The schema name is concatenated into the SQL identifier and never had its dialect quote character escaped.
  • em.find / qb.where JSON-property filtersem.find(Entity, { jsonCol: { [userKey]: value } }). The user-supplied JSON sub-keys cannot be validated against any metadata (JSON columns are schemaless by design), and were spliced into the SQL string literal of the JSON path expression without escaping.
  • qb.where / qb.orderBy / qb.groupBy / qb.having / qb.select keys — keys containing . or :: bypassed the structured-where metadata validator in CriteriaNode, then flowed through the same broken quoteIdentifier. Apps that forwarded raw filter keys from request input were already broken on authorization grounds (e.g. { isAdmin: true }); the SQL injection here is a defence-in-depth failure on top of that.

The vulnerability does not affect documented escape-hatch APIs (raw(), the sql tagged template, qb.raw(), em.raw()) — those are documented as accepting raw SQL and are the application's responsibility to sanitize.

Impact

  • Confidentiality — read from any table/schema the database user has access to (cross-tenant data leak in multi-tenant deployments).
  • Integrity — on dialects supporting multi-statement queries (MSSQL, MySQL with multi-statement enabled), execute additional arbitrary SQL statements (data modification, in-database privilege escalation).
  • Availability — DROP/TRUNCATE via injected statements where the database user has the privilege.

Affected dialects

All SQL dialects supported by MikroORM. The identifier-quoting bug exists in every dialect's quoteIdentifier (the dialect's own quote character — backtick, double quote, or right bracket — was not doubled when embedded in the identifier). The JSON-path bug exists in all dialects' getSearchJsonPropertyKey/quoteJsonKey.

MongoDB driver is not affected (no SQL).

Patches

  • v7: upgrade to 7.0.14 or later.
  • v6: upgrade to 6.6.14 or later.

Patches:

  • Identifier quoting: #7653 (master) / #7654 (6.x)
  • JSON-path keys: #7656 (master) / #7657 (6.x)

Workarounds

If users cannot upgrade immediately:

  • For multi-tenant apps using em.fork({ schema }) / wrap().setSchema() / qb.withSchema(): validate the schema name against a strict allowlist (e.g. ^[A-Za-z_][\w$]*$) before passing it to MikroORM.
  • For applications that pass where / orderBy filters from request input: validate every key against the entity's known properties before constructing the filter; do not pass keys containing . or :: from user input.
  • For applications that allow filtering on JSON columns from request input: validate every JSON sub-key against an allowlist (or against ^[a-zA-Z_][\w]*$) before passing it to em.find.

Credits

Reported and patched by Martin Adámek (project maintainer) during an internal security review.

References

@B4nan B4nan published to mikro-orm/mikro-orm May 5, 2026
Published to the GitHub Advisory Database May 8, 2026
Reviewed May 8, 2026

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

EPSS score

Weaknesses

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. Learn more on MITRE.

CVE ID

CVE-2026-44680

GHSA ID

GHSA-cfw5-68c4-ffqp

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.