CVE-2026-26198

Ormar is a async mini ORM for Python. In versions 0.9.9 through 0.22.0, when performing aggregate queries, Ormar ORM constructs SQL expressions by passing user-supplied column names directly into sqlalchemy.text() without any validation or sanitization. The min() and max() methods in the QuerySet class accept arbitrary string input as the column parameter. While sum() and avg() are partially protected by an is_numeric type check that rejects non-existent fields, min() and max() skip this validation entirely. As a result, an attacker-controlled string is embedded as raw SQL inside the aggregate function call. Any unauthorized user can exploit this vulnerability to read the entire database contents, including tables unrelated to the queried model, by injecting a subquery as the column parameter. Version 0.23.0 contains a patch.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26198.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-89"
    ]
}

References

Affected packages

Git / github.com/collerek/ormar

Affected ranges

Type

GIT

Repo

https://github.com/collerek/ormar

Events

Introduced

61c456a01f32e3875a4b881cf07a8e0334b2e21d

Fixed

a03bae14fe01358d3eaf7e319fcd5db2e4956b16

Database specific

{
    "versions": [
        {
            "introduced": "0.9.9"
        },
        {
            "fixed": "0.23.0"
        }
    ]
}

Affected versions

0.*

0.10.0

0.10.1

0.10.10

0.10.11

0.10.12

0.10.13

0.10.14

0.10.15

0.10.16

0.10.17

0.10.18

0.10.19

0.10.2

0.10.20

0.10.21

0.10.22

0.10.23

0.10.24

0.10.25

0.10.3

0.10.4

0.10.5

0.10.6

0.10.7

0.10.8

0.10.9

0.11.0

0.11.1

0.11.2

0.11.3

0.12.0

0.12.1

0.12.2

0.20.1

0.20.2

0.21.0

0.22.0

0.9.9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26198.json"

Git / github.com/ormar-orm/ormar