CVE-2026-27953
Published 2026-03-19
Priority P270 critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.19% (64.1th percentile)
ormar is an async mini ORM for Python. Versions 0.23.0 and below are vulnerable to a Pydantic validation bypass through the model constructor: by injecting "__pk_only__": true into a JSON request body, an unauthenticated attacker can skip all field validation and persist unvalidated data directly to the database. A secondary __excluded__ parameter injection uses the same pattern to selectively nullify arbitrary model fields (e.g., email or role) during construction. This affects ormar's canonical FastAPI integration pattern recommended in its official documentation, enabling privilege escalation, data integrity violations, and business logic bypass in any application using ormar.Model directly as a request body parameter. This issue has been fixed in version 0.23.1.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| collerek | ormar | < 0.23.1 | 0.23.1 |
| collerek | ormar | >= 0 < 0.23.1-1 | 0.23.1-1 |
| collerek | ormar | >= 0 < 0.23.1 | 0.23.1 |
| debian | ormar | < ormar 0.23.1-1 (forky) | ormar 0.23.1-1 (forky) |
| ormar-orm | ormar | < 0.23.1 | 0.23.1 |
Detection & IOCs
- Inspect incoming JSON request bodies for the presence of the key '__pk_only__' set to true; this is the primary injection vector to bypass all Pydantic field validation in ormar models.
- Inspect incoming JSON request bodies for the presence of the key '__excluded__'; this secondary injection vector can selectively nullify arbitrary model fields such as email or role during ormar model construction.
- Focus detection on FastAPI endpoints that use ormar.Model directly as a request body parameter, as this is the canonical integration pattern affected by this vulnerability.
- Debian bookworm remains open/unpatched for this CVE; forky and sid are resolved with the 0.23.1-1 package.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 7.1 | HIGH | |
GHSA
ghsa · 2026-03-19 · CVE-2026-27953 [HIGH] · CWE-20
ormar Pydantic Validation Bypass via __pk_only__ and __excluded__ Kwargs Injection in Model Constructor
### Summary
A Pydantic validation bypass in `ormar`'s model constructor allows any unauthenticated user to skip **all** field validation — type checks, constraints, `@field_validator`/`@model_validator` decorators, choices enforcement, and required-field checks — by injecting `"__pk_only__": true` into a JSON request body. The unvalidated data is subsequently persisted to the database. This affects the **canonical usage pattern** recommended in ormar's official documentation and examples.
A secondary `__excluded__` parameter injection uses the same design pattern to selectively nullify arbitrary model fields during construction.
### Details
**Root cause:** `NewBaseModel.__init__` ([
OSV
osv · 2026-03-19 · CVE-2026-27953 [HIGH] · ormar Pydantic Validation Bypass via __pk_only__ and __excluded__ Kwargs Injection in Model Constructor
OSV
osv · 2026-03-19 · CVSS 9.8 · CVE-2026-27953 [CRITICAL] · ormar is an async mini ORM for Python
Debian
vendor_debian · 2026 · CVSS 7.1 · CVE-2026-27953 [HIGH] · ormar
No detection rules found.
No public exploits indexed.
References
- https://github.com/ormar-orm/ormar/blob/master/examples/fastapi_quick_start.py#L55
- https://github.com/ormar-orm/ormar/blob/master/ormar/fields/foreign_key.py#L41
- https://github.com/ormar-orm/ormar/blob/master/ormar/models/helpers/pydantic.py#L108
- https://github.com/ormar-orm/ormar/blob/master/ormar/models/model.py#L89
- https://github.com/ormar-orm/ormar/blob/master/ormar/models/newbasemodel.py#L128
- https://github.com/ormar-orm/ormar/blob/master/ormar/models/newbasemodel.py#L292
- https://github.com/ormar-orm/ormar/commit/7f22aa21a7614b993970345b392dabb0ccde0ab3
- https://github.com/ormar-orm/ormar/releases/tag/0.23.1
- https://github.com/ormar-orm/ormar/security/advisories/GHSA-f964-whrq-44h8
Published: 2026-03-19