Ormar's Aggregate Amnesia: Critical SQL Injection in min() and max()
Vulnerability ID: CVE-2026-26198
CVSS Score: 9.8
Published: 2026-02-23
A critical SQL injection vulnerability in the Ormar Python ORM allows attackers to execute arbitrary subqueries via the min() and max() aggregate functions. While numeric aggregates like sum() were validated, min/max inputs were passed directly to a raw SQL sink, bypassing sanitization.
TL;DR
Ormar versions 0.9.9 through 0.22.0 contain a critical SQL injection flaw. The library fails to validate column names passed to min() and max() functions, passing them directly to sqlalchemy.text(). This allows unauthenticated attackers to dump the entire database via subqueries.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-89 (SQL Injection)
- CVSS Score: 9.8 (Critical)
- Attack Vector: Network
- Privileges Required: None
- Exploit Maturity: Proof of Concept (PoC) Available
- Patch Status: Available (v0.23.0)
Affected Systems
- Python applications using ormar < 0.23.0
- FastAPI services using ormar for database interaction
- Starlette applications using ormar
- ormar: >= 0.9.9, <= 0.22.0 (Fixed in: 0.23.0)
Code Analysis
Commit: a03bae1
Fix SQL injection in min/max aggregate functions
@@ -704,8 +704,13 @@ async def _query_aggr_function(self, func_name: str, columns: List) -> Any:
if func_name in ["sum", "avg"]:
if any(not x.is_numeric for x in select_actions):
raise QueryDefinitionError(...)
+ if any(x.field_name not in x.target_model.model_fields for x in select_actions):
+ raise QueryDefinitionError(
+ "You can use aggregate functions only on existing columns of the target model"
+ )
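Review bot: the new allowlist check has to be reached for every func_name, not only inside the `if func_name in ["sum", "avg"]:` branch; with indentation lost in this rendering it is not clear whether `if any(x.field_name not in x.target_model.model_fields for x in select_actions):` sits at the same level as that `if` or nested under it, and since the injection path is min() and max(), the check must run for those too. A regression test that calls .max() with a string that is not a declared column and expects QueryDefinitionError would pin that down, and the commit message should say that the validation now applies to all four aggregates.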
Exploit Details
- Local PoC: exploit demonstrated in the security advisory, extracting the database schema via max()
Mitigation Strategies
- Upgrade to Ormar v0.23.0+
- Implement strict input whitelisting for all sorting/filtering parameters
- Use WAF rules to detect SQL keywords in query parameters
Remediation Steps:
- Identify all usages of .min() and .max() in the codebase.
- Check if the arguments to these functions are derived from user input.
- Update requirements.txt to pin ormar>=0.23.0.
- Deploy the updated application.
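As an added example, not Ormar's own code, covering the whitelisting and detection items above: an allowlist resolver that mirrors the upstream fix, and a scan over constructed access-log lines for aggregate parameters whose value is not a bare column name. The model field set, the watched parameter names and the log lines are all assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed stand-in for Model.model_fields.keys() of a real ormar model.
USER_MODEL_FIELDS = frozenset({"id", "email", "created_at", "age"})
# Bare identifier only: no parentheses, quotes or whitespace, so no subquery.
_IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

class UnsafeColumnName(ValueError):
    """Requested column is not a declared field of the target model."""

def resolve_aggregate_column(requested, allowed=USER_MODEL_FIELDS):
    """Return `requested` only if it names a declared column. Run this before a
    user-controlled name reaches .min()/.max() or any sqlalchemy.text() sink."""
    if not isinstance(requested, str) or not _IDENTIFIER.fullmatch(requested):
        raise UnsafeColumnName(f"not a plain column identifier: {requested!r}")
    if requested not in allowed:
        raise UnsafeColumnName(f"unknown column: {requested!r}")
    return requested

def is_safe_aggregate_arg(requested, allowed=USER_MODEL_FIELDS):
    """Boolean form of the same check, for request validators."""
    try:
        resolve_aggregate_column(requested, allowed)
    except UnsafeColumnName:
        return False
    return True

# Constructed access-log lines (not real traffic) for the detection below.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Feb/2026:10:01:00 +0000] "GET /users/stats?agg=max&column=age HTTP/1.1" 200 51',
    '10.0.0.9 - - [23/Feb/2026:10:01:07 +0000] "GET /users/stats?agg=max&column=(SELECT+1) HTTP/1.1" 500 0',
]
# Query parameters the application forwards to aggregate, sort or filter calls.
WATCHED_PARAMS = ("column", "field", "order_by", "sort")

def flag_suspicious_requests(lines, watched=WATCHED_PARAMS):
    """Return (source_ip, param, value) for each watched parameter whose decoded
    value is not a bare identifier, regardless of SQL keyword casing or encoding."""
    hits = []
    for line in lines:
        m = re.match(r'(\S+) .*"(?:GET|POST) (\S+) HTTP', line)
        if not m:
            continue
        ip, target = m.groups()
        for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if key in watched and not _IDENTIFIER.fullmatch(value):
                hits.append((ip, key, value))
    return hits
```

The allowlist is exact and case-sensitive, so the detector flags anything that would have been rejected by it rather than relying on a list of SQL keywords.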
References
Read the full report for CVE-2026-26198 on our website for more details including interactive diagrams and full exploit analysis.