CVE-2026-22814

Source
https://cve.org/CVERecord?id=CVE-2026-22814
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22814.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-22814
Aliases
Published
2026-01-13T19:42:14.346Z
Modified
2026-03-01T02:56:18.988296Z
Severity
  • 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
Mass Assignment in AdonisJS Lucid Allows Overwriting Internal ORM State
Details

@adonisjs/lucid is an SQL ORM for AdonisJS built on top of Knex. Versions prior to 21.8.2 and 22.0.0-next.6 contain a Mass Assignment vulnerability that may allow a remote attacker who can influence data passed into Lucid model assignments to overwrite the internal ORM state. This may lead to logic bypasses and unauthorized record modification within a table or model. The issue affects @adonisjs/lucid through version 21.8.1 and 22.x pre-release versions prior to 22.0.0-next.6, and it is patched in @adonisjs/lucid versions 21.8.2 and 22.0.0-next.6.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-915"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22814.json"
}
References

Affected packages

Git / github.com/adonisjs/lucid

Affected ranges

Type
GIT
Repo
https://github.com/adonisjs/lucid
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "21.8.2"
        }
    ]
}
Type
GIT
Repo
https://github.com/adonisjs/lucid
Events
Database specific
{
    "versions": [
        {
            "introduced": "22.0.0-next.0"
        },
        {
            "fixed": "22.0.0-next.6"
        }
    ]
}

Affected versions

v10.*
v10.0.0
v11.*
v11.0.0
v11.0.1
v12.*
v12.0.0
v13.*
v13.0.0
v14.*
v14.0.0
v14.0.1
v14.0.2
v14.1.0
v14.2.0
v15.*
v15.0.0
v15.0.1
v15.0.2
v15.0.3
v16.*
v16.0.0
v16.0.1
v16.0.2
v16.1.0
v16.2.0
v16.2.1
v16.2.2
v16.3.0
v16.3.1
v16.3.2
v17.*
v17.0.0
v17.0.1
v17.1.0
v17.1.1
v17.2.0
v18.*
v18.0.0
v18.0.1
v18.1.0
v18.1.1
v18.2.0
v18.3.0
v18.4.0
v18.4.1
v19.*
v19.0.0
v19.0.0-0
v19.0.0-1
v19.0.0-2
v19.0.0-3
v19.0.0-4
v19.0.0-5
v19.0.0-6
v19.0.0-7
v19.0.0-8
v20.*
v20.0.0
v20.1.0
v20.2.0
v20.3.0
v20.4.0
v20.5.1
v20.6.0
v21.*
v21.0.0
v21.0.1
v21.1.0
v21.1.1
v21.2.0
v21.3.0
v21.4.0
v21.5.0
v21.5.1
v21.6.0
v21.6.1
v21.7.0
v21.8.0
v21.8.1
v22.*
v22.0.0-next.0
v22.0.0-next.1
v22.0.0-next.2
v22.0.0-next.3
v22.0.0-next.4
v22.0.0-next.5
v4.*
v4.0.0
v4.0.1
v4.0.10
v4.0.11
v4.0.12
v4.0.13
v4.0.14
v4.0.15
v4.0.16
v4.0.17
v4.0.18
v4.0.19
v4.0.2
v4.0.20
v4.0.21
v4.0.22
v4.0.23
v4.0.24
v4.0.25
v4.0.3
v4.0.4
v4.0.5
v4.0.6
v4.0.7
v4.0.8
v4.0.9
v4.1.0
v4.1.1
v4.1.2
v4.1.3
v5.*
v5.0.0
v5.0.1
v5.0.2
v5.0.3
v5.0.4
v6.*
v6.0.0
v6.0.1
v6.1.0
v6.1.1
v6.1.2
v6.1.3
v7.*
v7.0.0-0
v7.0.1-0
v7.1.0-0
v7.1.1-0
v7.1.2-0
v7.1.3-0
v7.1.4-0
v7.1.5-0
v7.1.6-0
v7.2.0-0
v7.2.1
v7.2.1-0
v7.3.0
v7.3.1
v7.4.0
v7.4.1
v7.4.2
v7.4.3
v7.5.0
v7.5.1
v7.5.2
v7.5.3
v7.5.4
v7.5.5
v7.6.0
v7.6.1
v7.6.2
v7.6.3
v8.*
v8.0.0
v8.0.1
v8.0.2
v8.0.3
v8.0.4
v8.0.5
v8.1.0
v8.1.1
v8.2.0
v8.2.1
v8.2.2
v8.3.1
v8.4.0
v8.4.1
v8.4.2
v8.4.3
v8.4.4
v8.5.0
v9.*
v9.0.0
v9.0.1
v9.0.2
v9.0.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22814.json"