Description
MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to versions 6.6.10 and 7.0.6, there is a SQL injection vulnerability when specially crafted objects are interpreted as raw SQL query fragments. This issue has been patched in versions 6.6.10 and 7.0.6.
Published: 2026-03-31
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection allowing arbitrary database queries
Action: Immediate Patch
AI Analysis

Impact

A specially crafted object can be interpreted by MikroORM as a raw SQL fragment, creating a classic SQL injection flaw (CWE-89). If an attacker can supply such an object to the ORM layer, they could execute arbitrary SQL against the connected database, causing data theft, modification, or deletion. The flaw exists prior to version 6.6.10 of the 6.x series and 7.0.6 of the 7.x series.

Affected Systems

The vulnerability affects MikroORM versions earlier than 6.6.10 in the 6.x line and earlier than 7.0.6 in the 7.x line. Any Node.js application that imports the vulnerable library and uses its query construction methods is susceptible, regardless of the backend database.

Risk and Exploitability

The CVSS v4.0 score of 9.3 signals a critical-severity flaw that is easy to exploit (the vector records network reachability with no privileges, no user interaction and no attack-time preconditions), yet the EPSS score is reported as less than 1%, suggesting that public exploitation is uncommon at the moment. The issue is not listed in CISA's KEV catalog. While the precise attack vector is not detailed in the CVE, it can be reasonably inferred that an attacker would need to deliver the malicious object through application input that is later passed to MikroORM's query methods. Further information on authentication requirements is not available from the CVE description.

Generated by OpenCVE AI on April 3, 2026 at 17:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MikroORM to version 6.6.10 or later for the 6.x series and to 7.0.6 or later for the 7.x series.
  • Verify that all deployments reference the patched versions and that no legacy code paths still construct queries from raw objects.
  • Review application code to ensure that only parameterized query builders or safe abstractions are used when interacting with the ORM, and refactor any custom query logic accordingly.
  • Monitor database logs for unexpected or malformed SQL statements that might indicate an attempted exploitation.
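The third action above (only pass safe abstractions to the ORM) can be enforced at the boundary where request data becomes a query condition. The following is an added example written for this page; it is not code from MikroORM or from the advisory. It assumes an application that builds `where` objects for `em.find()` from request JSON (the `em` entity manager, the `User` entity and the field allowlist are hypothetical). Because the advisory does not describe which object shape is misread as a raw SQL fragment, the filter does not look for any particular marker: it rejects every nested object and array and keeps only allowlisted fields with primitive values, so an object-shaped payload never reaches the query builder regardless of its internal structure.

```typescript
// Added example (not MikroORM's code): allowlist filter for untrusted query conditions.
// Assumption: the app turns request JSON into a `where` object for em.find().

type Primitive = string | number | boolean;
type SafeWhere = Record<string, Primitive>;

class UnsafeFilterError extends Error {
  constructor(message: string) {
    super(message);
    this.name = 'UnsafeFilterError';
  }
}

// True only for `{}`-style objects; arrays, null and class instances are excluded.
function isPlainObject(value: unknown): value is Record<string, unknown> {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

/**
 * Reduce an untrusted JSON payload to a flat `where` object.
 * Only allowlisted field names survive, and every value must be a finite
 * number, a string or a boolean. Any nested object or array is rejected, so
 * an object crafted to resemble an ORM-internal raw-SQL fragment is dropped
 * before it can be handed to the query builder.
 */
function sanitizeWhere(input: unknown, allowedFields: readonly string[]): SafeWhere {
  if (!isPlainObject(input)) {
    throw new UnsafeFilterError('filter must be a plain JSON object');
  }
  const out: SafeWhere = {};
  for (const key of Object.keys(input)) {
    if (!allowedFields.includes(key)) {
      throw new UnsafeFilterError(`field "${key}" is not queryable`);
    }
    const value = input[key];
    if (typeof value === 'string' || typeof value === 'number' || typeof value === 'boolean') {
      if (typeof value === 'number' && !Number.isFinite(value)) {
        throw new UnsafeFilterError(`field "${key}" must be a finite number`);
      }
      out[key] = value;
    } else {
      throw new UnsafeFilterError(`field "${key}" must be a string, number or boolean`);
    }
  }
  return out;
}

// Boolean verdict wrapper, convenient for request guards and tests.
function isSafeFilter(input: unknown, allowedFields: readonly string[]): boolean {
  try {
    sanitizeWhere(input, allowedFields);
    return true;
  } catch (e) {
    if (e instanceof UnsafeFilterError) return false;
    throw e;
  }
}

// Constructed sample payloads (not taken from the advisory).
const USER_FILTER_FIELDS = ['email', 'status'] as const;
const benignBody = '{"email":"alice@example.com","status":"active"}';
const suspiciousBody = '{"email":{"nested":"anything"}}';

console.log('benign accepted:', isSafeFilter(JSON.parse(benignBody), USER_FILTER_FIELDS));
console.log('nested object accepted:', isSafeFilter(JSON.parse(suspiciousBody), USER_FILTER_FIELDS));

// Hypothetical call site (em and User are assumed, not defined here):
// const where = sanitizeWhere(JSON.parse(req.body), USER_FILTER_FIELDS);
// const users = await em.find(User, where);
```

The allowlist is deliberately per-endpoint: a filter that is safe for a user search is not necessarily safe elsewhere, and listing the queryable fields next to each handler keeps the decision reviewable. Operators such as `$in` or `$like` are rejected here as well; if a handler needs them, extend the validator for that one operator rather than loosening the nested-object rule.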

Advisories

Source: Github GHSA
ID: GHSA-gwhv-j974-6fxm
Title: MikroORM is vulnerable to SQL Injection via specially crafted object

History

Fri, 03 Apr 2026 15:15:00 +0000

Values added:
  First Time appeared: Mikro-orm mikroorm
  CPEs: cpe:2.3:a:mikro-orm:mikroorm:*:*:*:*:*:node.js:*:*
  Vendors & Products: Mikro-orm mikroorm

Thu, 02 Apr 2026 20:30:00 +0000

Values added:
  Metrics cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  Metrics ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 02:15:00 +0000

Values added:
  First Time appeared: Mikro-orm; Mikro-orm mikro-orm
  Vendors & Products: Mikro-orm; Mikro-orm mikro-orm

Tue, 31 Mar 2026 16:00:00 +0000

Values added:
  Description: MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to versions 6.6.10 and 7.0.6, there is a SQL injection vulnerability when specially crafted objects are interpreted as raw SQL query fragments. This issue has been patched in versions 6.6.10 and 7.0.6.
  Title: MikroORM is vulnerable to SQL Injection via specially crafted object
  Weaknesses: CWE-89
  References:
  Metrics cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T15:19:12.949Z

Reserved: 2026-03-26T15:57:52.324Z

Link: CVE-2026-34220

Vulnrichment

Updated: 2026-04-02T15:19:06.315Z

NVD

Status : Analyzed

Published: 2026-03-31T16:16:32.127

Modified: 2026-04-03T15:16:45.420

Link: CVE-2026-34220

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T21:17:38Z

Weaknesses