Source: ormar
Version: 0.23.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for ormar.

CVE-2026-27953[0]:
| ormar is a async mini ORM for Python. Versions 0.23.0 and below are
| vulnerable to Pydantic validation bypass through the model
| constructor, allowing any unauthenticated user to skip all field
| validation by injecting "__pk_only__": true into a JSON request
| body. By injecting "__pk_only__": true into a JSON request body, an
| unauthenticated attacker can skip all field validation and persist
| unvalidated data directly to the database. A secondary __excluded__
| parameter injection uses the same pattern to selectively nullify
| arbitrary model fields (e.g., email or role) during construction.
| This affects ormar's canonical FastAPI integration pattern
| recommended in its official documentation, enabling privilege
| escalation, data integrity violations, and business logic bypass in
| any application using ormar.Model directly as a request body
| parameter. This issue has been fixed in version 0.23.1.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-27953
    https://www.cve.org/CVERecord?id=CVE-2026-27953
[1] https://github.com/ormar-orm/ormar/security/advisories/GHSA-f964-whrq-44h8
[2] https://github.com/ormar-orm/ormar/commit/7f22aa21a7614b993970345b392dabb0ccde0ab3

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
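The advisory above describes internal constructor keys ("__pk_only__", "__excluded__") arriving in a client JSON body. The upgrade to ormar 0.23.1 is the fix; the following is an added defence-in-depth example (not ormar's or Debian's code) that a FastAPI handler could run on the parsed body before it ever reaches a model constructor: it rejects any dunder-shaped key at any nesting depth and copies only an explicit allowlist of fields. The field names and sample bodies are constructed for illustration.

```python
"""Defensive filter for JSON request bodies that are handed to an ORM model
constructor. Added example for CVE-2026-27953, not part of ormar."""
from typing import Any, Mapping


class ReservedKeyError(ValueError):
    """Raised when a client-supplied body carries an internal __name__ key."""


def find_reserved_keys(payload: Any, path: str = "$") -> list[str]:
    """Return the JSON path of every key shaped like __name__, recursing into
    nested objects and arrays so a key hidden in a sub-document is caught too."""
    found: list[str] = []
    if isinstance(payload, Mapping):
        for key, value in payload.items():
            if isinstance(key, str) and key.startswith("__") and key.endswith("__"):
                found.append(f"{path}.{key}")
            found.extend(find_reserved_keys(value, f"{path}.{key}"))
    elif isinstance(payload, list):
        for index, item in enumerate(payload):
            found.extend(find_reserved_keys(item, f"{path}[{index}]"))
    return found


def is_safe_body(payload: Any) -> bool:
    """True when no reserved key is present anywhere in the body."""
    return not find_reserved_keys(payload)


def sanitize_body(payload: Mapping[str, Any], allowed_fields: frozenset[str]) -> dict[str, Any]:
    """Reject reserved keys outright, then keep only allowlisted top-level fields.
    The result is what should be passed on to the model constructor, so that
    unexpected keys (internal flags, privileged columns) never reach it."""
    bad = find_reserved_keys(payload)
    if bad:
        raise ReservedKeyError(f"reserved keys in request body: {', '.join(bad)}")
    return {key: value for key, value in payload.items() if key in allowed_fields}


# Constructed sample data (hypothetical User model; not taken from the advisory).
USER_FIELDS = frozenset({"email", "name"})
CLEAN_BODY = {"email": "[email protected]", "name": "Alice", "role": "admin"}
INJECTED_BODY = {"email": "not-an-email", "__pk_only__": True,
                 "profile": {"__excluded__": ["email"]}}

if __name__ == "__main__":
    print(sanitize_body(CLEAN_BODY, USER_FIELDS))   # "role" dropped by the allowlist
    print(find_reserved_keys(INJECTED_BODY))         # both reserved keys located
```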

