Description
MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to @mikro-orm/knex 6.6.14 and @mikro-orm/sql 7.0.14, MikroORM's identifier-quoting helper (Platform.quoteIdentifier and the postgres/mssql overrides) and its JSON-path emitters (Platform.getSearchJsonPropertyKey, quoteJsonKey) did not properly escape characters that delimit the SQL identifier or string-literal context they emit into. When application code passes attacker-influenced strings to public ORM APIs that expect an identifier or a JSON-property filter, an attacker can break out of the quoted context and inject arbitrary SQL. This vulnerability is fixed in @mikro-orm/knex 6.6.14 and @mikro-orm/sql 7.0.14.
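The two quoting contexts named in the description behave differently, and the fix for each is the same in shape: double the one character that can close the context. The following is an added illustration of that bug class and is not MikroORM's code. quoteIdentifierUnsafe/quoteIdentifierSafe and jsonKeyUnsafe/jsonKeySafe are simplified stand-ins for a dialect-aware identifier quoter and a PostgreSQL JSON-property emitter, isSingleQuotedIdentifier is a checker written for this example, and the payloads at the bottom are constructed.

```typescript
// Added illustration of the bug class this advisory describes. It is not
// MikroORM's code: the quoters and the JSON-key emitters below are simplified
// stand-ins, and the payloads near the bottom are constructed for the example.

type Dialect = 'postgres' | 'mysql' | 'mssql';

function delimiters(dialect: Dialect): [string, string] {
  switch (dialect) {
    case 'postgres': return ['"', '"'];
    case 'mysql':    return ['`', '`'];
    case 'mssql':    return ['[', ']'];
    default: throw new Error(`unsupported dialect: ${dialect}`);
  }
}

// Broken form: wraps the name in the dialect's delimiters but never escapes a
// closing delimiter that occurs inside the name, so the name can end the
// quoted identifier early and whatever follows is parsed as SQL.
export function quoteIdentifierUnsafe(name: string, dialect: Dialect): string {
  const [open, close] = delimiters(dialect);
  return open + name + close;
}

// Fixed form: the only character that can terminate the identifier is the
// closing delimiter, and every dialect here escapes it by doubling it.
export function quoteIdentifierSafe(name: string, dialect: Dialect): string {
  const [open, close] = delimiters(dialect);
  return open + name.split(close).join(close + close) + close;
}

// A PostgreSQL JSON property access (col->>'key') puts the key in a SQL string
// literal, so the delimiter that matters is the single quote, not the
// identifier quote. Broken form: key inlined verbatim.
export function jsonKeyUnsafe(column: string, key: string): string {
  return `${quoteIdentifierSafe(column, 'postgres')}->>'${key}'`;
}

// Fixed form: double every single quote inside the literal. The column name is
// an identifier and still goes through the identifier quoter.
export function jsonKeySafe(column: string, key: string): string {
  return `${quoteIdentifierSafe(column, 'postgres')}->>'${key.split("'").join("''")}'`;
}

// Checker for emitted identifiers: true only if the whole string parses as
// exactly one quoted identifier (a doubled closing delimiter is an escape).
export function isSingleQuotedIdentifier(sql: string, dialect: Dialect): boolean {
  const [open, close] = delimiters(dialect);
  if (sql.length < 2 || sql[0] !== open) return false;
  for (let i = 1; i < sql.length; i++) {
    if (sql[i] !== close) continue;
    if (sql[i + 1] === close) { i++; continue; } // escaped delimiter: skip the pair
    return i === sql.length - 1;                  // a real close must be the last character
  }
  return false; // never closed
}

// Constructed payloads, each carrying the delimiter of the context it targets.
export const badPgIdentifier = 'id"; DROP TABLE users; --';
export const badMssqlIdentifier = 'id]; DROP TABLE users; --';
export const badJsonKey = "role' OR '1'='1";

console.log(quoteIdentifierUnsafe(badPgIdentifier, 'postgres')); // closes the identifier after "id"
console.log(quoteIdentifierSafe(badPgIdentifier, 'postgres'));   // still one identifier
console.log(jsonKeyUnsafe('meta', badJsonKey));                  // closes the string literal
console.log(jsonKeySafe('meta', badJsonKey));                    // still one literal
```

The checker is the part worth keeping around: running every emitted identifier through something like isSingleQuotedIdentifier in a unit test catches a quoter that forgets one dialect's delimiter, which is exactly the shape of the defect described above.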
Published: 2026-05-26
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

MikroORM's identifier-quoting helper and JSON-path emitters failed to escape the delimiters of the context they emit into, so an attacker-controlled string can close the quoted identifier or string literal early and inject arbitrary SQL. The weakness is classified as CWE-89 and affects applications that supply table or column names, or JSON path keys, from external input. Exploitation gives the attacker arbitrary SQL execution with the application's database privileges, compromising confidentiality (rated High in the CVSS vector) and, to a lesser degree, integrity and availability of the database.

Affected Systems

Affected are the @mikro-orm/knex adapter in versions earlier than 6.6.14 and the @mikro-orm/sql adapter in versions earlier than 7.0.14; the page also lists the core mikro-orm package among the affected products. An application is exposed only where it passes untrusted data to ORM APIs that expect an identifier or a JSON-property filter; the bug is not reachable without such input.

Risk and Exploitability

The CVSS 3.1 score of 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L) indicates high severity: network-reachable, low attack complexity, low privileges required and no user interaction. EPSS is below 1%, the vulnerability is not listed in CISA KEV, and the SSVC assessment records no known exploitation, but because the defect yields arbitrary SQL injection, any attacker who can reach an input that the application forwards to the ORM as an identifier or JSON key can exploit it. The likely attack vector is a web or API endpoint that accepts a sort column, field name or JSON key from the client. Successful exploitation could lead to unauthorized database reads or modification.

Generated by OpenCVE AI on May 26, 2026 at 18:50 UTC.

Remediation

Fixed in @mikro-orm/knex 6.6.14 and @mikro-orm/sql 7.0.14; see the GitHub advisory GHSA-cfw5-68c4-ffqp listed under Advisories.

OpenCVE Recommended Actions

  • Upgrade @mikro-orm/knex to version 6.6.14 or newer and @mikro-orm/sql to version 7.0.14 or newer.
  • Never pass user-supplied strings directly as identifiers (table, column or alias names) or as JSON keys; resolve them against a fixed allow-list of known names, since bind parameters cannot carry identifiers.
  • If upgrading immediately is not possible, remove every code path that builds identifiers or JSON keys from request data until the patch is applied, and schedule a code review that enforces the rule.
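The allow-list rule above is easier to enforce when one function owns the translation from request fields to schema names. The following is an added example of that pattern, not MikroORM's code. USER_SORTABLE, USER_META_KEYS, ListRequest and the sample requests are constructed for the example, and the query is returned as text plus bind parameters so it runs without a database or ORM.

```typescript
// Added example of the application-side rule from the recommended actions:
// request data never reaches an identifier- or JSON-key-taking API until it has
// been resolved against a fixed set of known names. Not MikroORM's code; all
// names, metadata and requests here are constructed for the example.

// Constructed: API field name -> real column name. In a real code base this
// comes from the ORM's entity metadata, never from the request.
const USER_SORTABLE: Record<string, string> = {
  id: 'id',
  email: 'email',
  createdAt: 'created_at',
};
// Constructed: JSON keys the application actually stores in users.meta.
const USER_META_KEYS: ReadonlySet<string> = new Set(['role', 'plan', 'locale']);

// Shape check as defence in depth; the allow-list membership test is the gate.
const KEY_SHAPE = /^[A-Za-z_][A-Za-z0-9_]{0,62}$/;

export class UntrustedIdentifierError extends Error {}

export function resolveSortColumn(field: unknown): string {
  if (typeof field !== 'string' || !Object.prototype.hasOwnProperty.call(USER_SORTABLE, field)) {
    throw new UntrustedIdentifierError(`unknown sort field: ${String(field)}`);
  }
  return USER_SORTABLE[field];
}

export function resolveMetaKey(key: unknown): string {
  if (typeof key !== 'string' || !KEY_SHAPE.test(key) || !USER_META_KEYS.has(key)) {
    throw new UntrustedIdentifierError(`unknown meta key: ${String(key)}`);
  }
  return key;
}

export interface ListRequest {
  sort?: unknown;      // e.g. "createdAt"
  dir?: unknown;       // "asc" | "desc"
  metaKey?: unknown;   // e.g. "role"
  metaValue?: unknown; // e.g. "admin"
}

export interface Query { text: string; params: string[] }

// Every identifier and JSON key in the output comes from the allow-lists above;
// every value is a bind parameter. The sort direction is chosen between two
// fixed literals rather than echoed from the request.
export function buildUserListQuery(req: ListRequest): Query {
  const col = resolveSortColumn(req.sort ?? 'id');
  const dir = req.dir === 'desc' ? 'DESC' : 'ASC';
  const params: string[] = [];
  let where = '';
  if (req.metaKey !== undefined) {
    const key = resolveMetaKey(req.metaKey);
    params.push(String(req.metaValue ?? ''));
    where = ` WHERE "meta"->>'${key}' = $${params.length}`;
  }
  return { text: `SELECT * FROM "users"${where} ORDER BY "${col}" ${dir}`, params };
}

// Constructed requests: a normal one, and two carrying the delimiters a quoting
// bug would let through. The bad ones must throw before any SQL is assembled.
export const okRequest: ListRequest = { sort: 'createdAt', dir: 'desc', metaKey: 'role', metaValue: 'admin' };
export const badSortRequest: ListRequest = { sort: 'id"; DROP TABLE users; --' };
export const badKeyRequest: ListRequest = { metaKey: "role' OR '1'='1", metaValue: 'x' };

export function rejects(req: ListRequest): boolean {
  try { buildUserListQuery(req); return false; }
  catch (e) { return e instanceof Error && e.message.startsWith('unknown'); }
}

console.log(buildUserListQuery(okRequest));
console.log(rejects(badSortRequest), rejects(badKeyRequest));
```

Note that the rejected requests never reach a quoting routine at all; the allow-list makes the quoter's escaping irrelevant to the attack surface, which is what the second recommended action asks for and why it remains a good rule even after upgrading.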


Tracking

Sign in to view the affected projects.

Advisories
Source: Github GHSA
ID: GHSA-cfw5-68c4-ffqp
Title: MikroORM has SQL injection via runtime-controlled identifiers and JSON-path keys
History

Wed, 27 May 2026 10:30:00 +0000

Type: First Time appeared
Values Added: Mikro-orm; Mikro-orm knex; Mikro-orm mikro-orm; Mikro-orm sql

Type: Vendors & Products
Values Added: Mikro-orm; Mikro-orm knex; Mikro-orm mikro-orm; Mikro-orm sql

Tue, 26 May 2026 18:30:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 26 May 2026 17:00:00 +0000

Type: Description
Values Added: MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to @mikro-orm/knex 6.6.14 and @mikro-orm/sql 7.0.14, MikroORM's identifier-quoting helper (Platform.quoteIdentifier and the postgres/mssql overrides) and its JSON-path emitters (Platform.getSearchJsonPropertyKey, quoteJsonKey) did not properly escape characters that delimit the SQL identifier or string-literal context they emit into. When application code passes attacker-influenced strings to public ORM APIs that expect an identifier or a JSON-property filter, an attacker can break out of the quoted context and inject arbitrary SQL. This vulnerability is fixed in @mikro-orm/knex 6.6.14 and @mikro-orm/sql 7.0.14.

Type: Title
Values Added: MikroORM: SQL injection via runtime-controlled identifiers and JSON-path keys

Type: Weaknesses
Values Added: CWE-89

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-26T17:40:52.485Z

Reserved: 2026-05-07T16:20:08.660Z

Link: CVE-2026-44680

Vulnrichment

Updated: 2026-05-26T17:40:39.560Z

NVD

Status : Deferred

Published: 2026-05-26T17:16:46.540

Modified: 2026-05-26T20:24:19.650

Link: CVE-2026-44680

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:09:09Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')