Description
ormar is a async mini ORM for Python. Versions 0.23.0 and below are vulnerable to Pydantic validation bypass through the model constructor, allowing any unauthenticated user to skip all field validation by injecting "__pk_only__": true into a JSON request body. By injecting "__pk_only__": true into a JSON request body, an unauthenticated attacker can skip all field validation and persist unvalidated data directly to the database. A secondary __excluded__ parameter injection uses the same pattern to selectively nullify arbitrary model fields (e.g., email or role) during construction. This affects ormar's canonical FastAPI integration pattern recommended in its official documentation, enabling privilege escalation, data integrity violations, and business logic bypass in any application using ormar.Model directly as a request body parameter. This issue has been fixed in version 0.23.1.
Published: 2026-03-19
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Data integrity compromise and privilege escalation
Action: Patch
AI Analysis

Impact

An attacker can exploit a flaw in ormar, an asynchronous Python ORM, by inserting the special key "__pk_only__" with a value of true into a JSON request body. This bypasses all Pydantic validation performed by the model constructor, allowing the attacker to persist forged or malformed data directly into the database. A complementary "__excluded__" injection can selectively nullify arbitrary fields during construction, further enabling the attacker to null out sensitive fields such as email or role. The result is a violation of data integrity, the potential for privilege escalation, and a bypass of business logic for any application that employs ormar.Model directly as a request body parameter in its FastAPI integration.

Affected Systems

The vulnerability affects the ormar ORM library, specifically versions 0.23.0 and earlier. Software that incorporates ormar for request parsing using the recommended FastAPI pattern is at risk. Any Python application that accepts request bodies mapped to ormar.Model instances, regardless of its overall architecture, is susceptible if it uses an affected version of ormar.

Risk and Exploitability

The CVSS score is 7.1, indicating a high severity, while the EPSS score is below 1%, suggesting a low likelihood of widespread exploitation at present. The vulnerability is not listed in CISA's KEV catalog. The attack path is straightforward: an unauthenticated party can send a crafted JSON payload containing the special keys to an exposed API endpoint that deserializes the body into an ormar.Model instance. Because the model constructor is invoked automatically by FastAPI, no additional privileges are required. Once the bypass is achieved, the attacker can insert malicious data into the database, potentially altering or deleting crucial records and enabling further compromises.

Generated by OpenCVE AI on March 28, 2026 at 05:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest ormar release (0.23.1 or later).
  • If immediate upgrade is not possible, refrain from using ormar.Model for request body validation and instead perform explicit field validation in your application logic.

Generated by OpenCVE AI on March 28, 2026 at 05:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-f964-whrq-44h8 ormar Pydantic Validation Bypass via __pk_only__ and __excluded__ Kwargs Injection in Model Constructor
History

Sat, 28 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
First Time appeared Collerek
Collerek ormar
CPEs cpe:2.3:a:collerek:ormar:*:*:*:*:*:python:*:*
Vendors & Products Collerek
Collerek ormar

Fri, 20 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Ormar-orm
Ormar-orm ormar
Vendors & Products Ormar-orm
Ormar-orm ormar

Thu, 19 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
Description ormar is a async mini ORM for Python. Versions 0.23.0 and below are vulnerable to Pydantic validation bypass through the model constructor, allowing any unauthenticated user to skip all field validation by injecting "__pk_only__": true into a JSON request body. By injecting "__pk_only__": true into a JSON request body, an unauthenticated attacker can skip all field validation and persist unvalidated data directly to the database. A secondary __excluded__ parameter injection uses the same pattern to selectively nullify arbitrary model fields (e.g., email or role) during construction. This affects ormar's canonical FastAPI integration pattern recommended in its official documentation, enabling privilege escalation, data integrity violations, and business logic bypass in any application using ormar.Model directly as a request body parameter. This issue has been fixed in version 0.23.1.
Title ormar has a Pydantic Validation Bypass via Kwargs Injection in Model Constructor
Weaknesses CWE-20
CWE-915
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L'}

Subscriptions

Collerek Ormar
Ormar-orm Ormar
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T18:10:57.521Z

Reserved: 2026-02-25T03:11:36.691Z

Link: CVE-2026-27953

cve-icon Vulnrichment

Updated: 2026-03-20T17:04:45.691Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-19T21:17:09.573

Modified: 2026-03-27T21:48:05.810

Link: CVE-2026-27953

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-29T20:28:56Z

Weaknesses