Description
Ormar is an async mini ORM for Python. In versions 0.9.9 through 0.22.0, when performing aggregate queries, Ormar ORM constructs SQL expressions by passing user-supplied column names directly into `sqlalchemy.text()` without any validation or sanitization. The `min()` and `max()` methods in the `QuerySet` class accept arbitrary string input as the column parameter. While `sum()` and `avg()` are partially protected by an `is_numeric` type check that rejects non-existent fields, `min()` and `max()` skip this validation entirely. As a result, an attacker-controlled string is embedded as raw SQL inside the aggregate function call. Any unauthorized user can exploit this vulnerability to read the entire database contents, including tables unrelated to the queried model, by injecting a subquery as the column parameter. Version 0.23.0 contains a patch.
Published: 2026-02-24
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted Data Access
Action: Immediate Patch
AI Analysis

Impact

Ormar is a lightweight asynchronous ORM for Python. In versions 0.9.9 through 0.22.0, aggregate queries build their SQL by inserting the caller-supplied column name directly into the expression via sqlalchemy.text(), with no validation. The min() and max() methods of QuerySet accept an arbitrary string as the column parameter and perform none of the field checking that sum() and avg() get from their is_numeric check. An attacker who controls that string can therefore place a subquery, or any other SQL expression, inside the aggregate call, and the database engine executes it. Anyone able to influence the column argument, for example through an application endpoint that forwards it, can read arbitrary tables, including ones unrelated to the queried model, so the flaw compromises the confidentiality of the entire database; the assigned CVSS vector additionally rates integrity and availability impact as high.

Affected Systems

The vulnerability affects the Collerek Ormar library, versions 0.9.9 through 0.22.0; the fix shipped in release 0.23.0. Any Python application that performs database access through an Ormar version in that range carries the flaw, and it becomes reachable wherever the column argument of min() or max() can be influenced by untrusted input.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, score 9.8) describes a network-reachable flaw that needs no privileges and no user interaction. The EPSS estimate of under 1% means a low predicted probability of in-the-wild exploitation at present, but because the vulnerable code path is reached through ordinary application APIs, an attack needs nothing more than a normal request to an endpoint that passes the column argument through. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, so there is no confirmed in-the-wild exploitation; the SSVC record in the history below does mark Exploitation as 'poc' and Automatable as 'yes', so a proof of concept exists and the attack is easy to script. An attacker who can manipulate the column parameter, e.g., via a public API endpoint, can substitute a subquery for the column name and retrieve rows from unrelated tables. Because min() and max() never check the argument, the attack succeeds with whatever database access the application itself grants to the query.

Generated by OpenCVE AI on April 17, 2026 at 15:55 UTC.

Remediation

The vendor fix is Ormar 0.23.0 (see GHSA-xxh2-68g9-8jqr below); no separate workaround has been published.

OpenCVE Recommended Actions

  • Upgrade Ormar to version 0.23.0 or later, the release that contains the vendor patch.
  • If an upgrade is not possible, audit every call to min() and max() (and, since their protection is only partial, sum() and avg()) and validate the column argument against an allow-list of the model's own field names before it reaches the ORM; reject anything that is not a bare field name.
  • Where remediation cannot wait, disable or remove calls to min() and max() in public-facing code paths until that validation is enforced.
  • Monitor application and database logs for aggregate queries whose argument is not a plain column name (parentheses, a nested SELECT) and for SQL errors, which may indicate probing.

Generated by OpenCVE AI on April 17, 2026 at 15:55 UTC.
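As an added illustration of the mechanism described in the Impact section and of the allow-list check recommended in the actions above (example code written for this page, not Ormar's own implementation or its API), the following stand-alone Python reproduces the pattern against an in-memory SQLite fixture: vulnerable_max() interpolates the caller's column string into the aggregate the way passing it to sqlalchemy.text() does, while safe_max() admits only names from an assumed MODEL_FIELDS set and emits them as quoted identifiers. The tables products and secrets, their sample rows and the MODEL_FIELDS set are all constructed for the demo; min() is omitted because it behaves identically.

```python
import re
import sqlite3

# Constructed assumption: the model's declared fields, the only legitimate
# targets for an aggregate. Not Ormar's API; a stand-in for the model's columns.
MODEL_FIELDS = {"id", "name", "price"}


def build_db() -> sqlite3.Connection:
    """Constructed in-memory fixture: the queried model's table plus an
    unrelated table that the application never intends to expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        INSERT INTO products VALUES (1, 'widget', 9.5), (2, 'gadget', 19.0);
        CREATE TABLE secrets (id INTEGER PRIMARY KEY, api_key TEXT);
        INSERT INTO secrets VALUES (1, 'sk-live-constructed-sample-key');
        """
    )
    return conn


def vulnerable_max(conn: sqlite3.Connection, column: str):
    """Mirrors the flaw in the advisory: the caller-supplied column name is
    dropped into the aggregate as raw SQL text with no check that it names a
    model field, so a subquery in its place is executed by the database."""
    sql = f"SELECT max({column}) FROM products"
    return conn.execute(sql).fetchone()[0]


_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def safe_max(conn: sqlite3.Connection, column: str):
    """Hardened form: accept only a known model field, then emit it as a quoted
    identifier. Untrusted text never becomes part of the SQL, so nothing can be
    smuggled into the aggregate call."""
    if column not in MODEL_FIELDS or not _IDENT.match(column):
        raise ValueError(f"unknown column for aggregate: {column!r}")
    quoted = '"' + column.replace('"', '""') + '"'
    return conn.execute(f"SELECT max({quoted}) FROM products").fetchone()[0]


def demo() -> dict:
    """Run the intended call, the injection, and the hardened call side by side."""
    conn = build_db()
    legit = vulnerable_max(conn, "price")  # intended use, aggregates a real column
    # Attacker payload: a scalar subquery in place of a column name, which makes
    # the aggregate return data from a table unrelated to the queried model.
    payload = "(SELECT api_key FROM secrets LIMIT 1)"
    leaked = vulnerable_max(conn, payload)
    try:
        safe_max(conn, payload)
        blocked = False
    except ValueError:
        blocked = True  # rejected before any SQL is built
    return {
        "legit": legit,
        "leaked": leaked,
        "blocked": blocked,
        "safe": safe_max(conn, "price"),
    }


if __name__ == "__main__":
    print(demo())
```

Running the module prints a dict showing that the legitimate call returns 19.0, that the payload makes the vulnerable path return the value from the unrelated secrets table, and that the allow-list rejects the payload before any SQL exists. Quoting the identifier after the allow-list check is belt-and-braces: the membership test alone stops the injection, and the quoting keeps a legitimately named column from colliding with a SQL keyword.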

Advisories
Source: GitHub GHSA
ID: GHSA-xxh2-68g9-8jqr
Title: ormar is vulnerable to SQL Injection through aggregate functions min() and max()
History

Wed, 25 Feb 2026 19:45:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:collerek:ormar:*:*:*:*:*:python:*:*

Wed, 25 Feb 2026 08:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 24 Feb 2026 10:00:00 +0000

Type: First Time appeared
Values Added: Collerek; Collerek ormar
Type: Vendors & Products
Values Added: Collerek; Collerek ormar

Tue, 24 Feb 2026 03:00:00 +0000

Type: Description
Values Added: Ormar is an async mini ORM for Python. In versions 0.9.9 through 0.22.0, when performing aggregate queries, Ormar ORM constructs SQL expressions by passing user-supplied column names directly into `sqlalchemy.text()` without any validation or sanitization. The `min()` and `max()` methods in the `QuerySet` class accept arbitrary string input as the column parameter. While `sum()` and `avg()` are partially protected by an `is_numeric` type check that rejects non-existent fields, `min()` and `max()` skip this validation entirely. As a result, an attacker-controlled string is embedded as raw SQL inside the aggregate function call. Any unauthorized user can exploit this vulnerability to read the entire database contents, including tables unrelated to the queried model, by injecting a subquery as the column parameter. Version 0.23.0 contains a patch.
Type: Title
Values Added: ormar is vulnerable to SQL Injection through aggregate functions min() and max()
Type: Weaknesses
Values Added: CWE-89
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-24T20:35:44.673Z

Reserved: 2026-02-11T19:56:24.813Z

Link: CVE-2026-26198

Vulnrichment

Updated: 2026-02-24T20:29:22.532Z

NVD

Status : Analyzed

Published: 2026-02-24T03:16:01.100

Modified: 2026-02-25T19:41:02.680

Link: CVE-2026-26198

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T16:00:11Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')