CVE-2026-27953
published 2026-03-19


Priority: P270 · critical · 9.8 (CVSS 3.1)
Vector: AV:N AC:L PR:N UI:N S:U C:H I:H A:H
EPSS: 1.19% (64.1st percentile)
ormar is an async mini ORM for Python. Versions 0.23.0 and below are vulnerable to a Pydantic validation bypass through the model constructor: by injecting "__pk_only__": true into a JSON request body, an unauthenticated attacker can skip all field validation and persist unvalidated data directly to the database. A secondary __excluded__ parameter injection uses the same pattern to selectively nullify arbitrary model fields (e.g., email or role) during construction. This affects ormar's canonical FastAPI integration pattern, recommended in its official documentation, enabling privilege escalation, data integrity violations, and business logic bypass in any application that uses ormar.Model directly as a request body parameter. This issue has been fixed in version 0.23.1.

Affected (5 ranges)

Vendor      Product   Version range                Fixed in
collerek    ormar     < 0.23.1                     0.23.1
collerek    ormar     >= 0, < 0.23.1-1             0.23.1-1
collerek    ormar     >= 0, < 0.23.1               0.23.1
debian      ormar     < ormar 0.23.1-1 (forky)     ormar 0.23.1-1 (forky)
ormar-orm   ormar     < 0.23.1                     0.23.1

Detection & IOCs (extracted from sources)

  other: "__pk_only__": true
  other: __excluded__
  • Inspect incoming JSON request bodies for the presence of the key '__pk_only__' set to true — this is the primary injection vector to bypass all Pydantic field validation in ormar models.
  • Inspect incoming JSON request bodies for the presence of the key '__excluded__' — this secondary injection vector can selectively nullify arbitrary model fields such as email or role during ormar model construction.
  • Focus detection on FastAPI endpoints that use ormar.Model directly as a request body parameter, as this is the canonical integration pattern affected by this vulnerability.
  • Debian bookworm remains open/unpatched for this CVE; forky and sid are resolved with the 0.23.1-1 package.
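An added detection example (not code from the ormar project or from this advisory's sources) that implements the checks in the bullets above: it walks a parsed JSON request body, reports every occurrence of the reserved ormar constructor keys named in the advisory, and classifies the request so a gateway or middleware can reject it before the body reaches an ormar.Model. The sample bodies and the "reject"/"allow" labels are constructed for illustration.

```python
"""Flag ormar reserved constructor keys in inbound JSON request bodies."""
import json
from typing import Any

# Reserved ormar constructor keys named in the advisory for CVE-2026-27953.
# A legitimate client never sends these, so any occurrence is treated as
# an injection attempt regardless of value.
RESERVED_KEYS = {"__pk_only__", "__excluded__"}


def find_reserved_keys(body: Any, path: str = "$") -> list[tuple[str, str, Any]]:
    """Return (json_path, key, value) for every reserved key found in body.

    The walk is recursive because a nested object that feeds a related
    ormar.Model could carry the same keys as the top-level body.
    """
    hits: list[tuple[str, str, Any]] = []
    if isinstance(body, dict):
        for key, value in body.items():
            if key in RESERVED_KEYS:
                hits.append((path, key, value))
            hits.extend(find_reserved_keys(value, f"{path}.{key}"))
    elif isinstance(body, list):
        for index, item in enumerate(body):
            hits.extend(find_reserved_keys(item, f"{path}[{index}]"))
    return hits


def classify_request(raw_body: str) -> tuple[str, list[tuple[str, str, Any]]]:
    """Classify a raw JSON body as "reject" or "allow", with the findings.

    Unparseable bodies are returned as "allow" with no findings; the web
    framework's own JSON error handling is left to deal with them.
    """
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError:
        return "allow", []
    hits = find_reserved_keys(body)
    return ("reject" if hits else "allow"), hits


# Constructed sample bodies (not captured traffic) for a user-creation endpoint.
SAMPLES = {
    "benign": '{"email": "a@example.com", "role": "user"}',
    "pk_only": '{"email": "x", "role": "admin", "__pk_only__": true}',
    "excluded": '{"email": "a@example.com", "__excluded__": ["email"]}',
    "nested": '{"email": "a@example.com", "team": {"name": "t", "__pk_only__": true}}',
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify_request(raw))
```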

CVSS provenance

  nvd            v3.1   9.8   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  osv                   9.8   CRITICAL
  vendor_debian         7.1   HIGH