Source: ormar
Version: 0.22.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for ormar.

CVE-2026-26198[0]:
| Ormar is an async mini ORM for Python. In versions 0.9.9 through
| 0.22.0, when performing aggregate queries, Ormar ORM constructs SQL
| expressions by passing user-supplied column names directly into
| `sqlalchemy.text()` without any validation or sanitization. The
| `min()` and `max()` methods in the `QuerySet` class accept arbitrary
| string input as the column parameter. While `sum()` and `avg()` are
| partially protected by an `is_numeric` type check that rejects non-
| existent fields, `min()` and `max()` skip this validation entirely.
| As a result, an attacker-controlled string is embedded as raw SQL
| inside the aggregate function call. Any unauthorized user can
| exploit this vulnerability to read the entire database contents,
| including tables unrelated to the queried model, by injecting a
| subquery as the column parameter. Version 0.23.0 contains a patch.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-26198
    https://www.cve.org/CVERecord?id=CVE-2026-26198
[1] https://github.com/collerek/ormar/security/advisories/GHSA-xxh2-68g9-8jqr
[2] https://github.com/collerek/ormar/commit/a03bae14fe01358d3eaf7e319fcd5db2e4956b16

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
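Added illustration (not ormar's code and not the upstream fix) of the check the advisory says `min()`/`max()` lack: the column argument is validated against the model's declared fields before any SQL fragment is built. The field names, the `unsafe_aggregate` stand-in for the `sqlalchemy.text()` pattern and the helper names are constructed for this example.

```python
import re
from typing import Iterable

# Constructed stand-in for a model's declared field names (ormar keeps
# these on the model's Meta; the names below are hypothetical).
CONSTRUCTED_FIELDS = frozenset({"id", "name", "price", "owner_id"})

AGGREGATES = ("min", "max", "sum", "avg")
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


class InvalidAggregateColumn(ValueError):
    """Raised when a column argument is not a declared model field."""


def unsafe_aggregate(func: str, column: str) -> str:
    """Shape of the flaw: the caller's string lands verbatim in the SQL
    fragment, exactly as handing it to sqlalchemy.text() would."""
    return f"{func}({column})"


def safe_aggregate(func: str, column: str,
                   fields: Iterable[str] = CONSTRUCTED_FIELDS) -> str:
    """Allow-list the column against the model's own fields before it
    reaches SQL, and emit it as a quoted identifier, never as raw text."""
    if func not in AGGREGATES:
        raise InvalidAggregateColumn(f"unsupported aggregate {func!r}")
    if column not in set(fields):
        raise InvalidAggregateColumn(f"{column!r} is not a model field")
    if not _IDENT.fullmatch(column):  # defence in depth: identifier only
        raise InvalidAggregateColumn(f"{column!r} is not a plain identifier")
    return f'{func}("{column}")'


def is_rejected(func: str, column: str) -> bool:
    """True when the hardened builder refuses the input."""
    try:
        safe_aggregate(func, column)
    except InvalidAggregateColumn:
        return True
    return False


if __name__ == "__main__":
    print(safe_aggregate("max", "price"))       # max("price")
    print(is_rejected("max", "not_a_field"))    # True
    print(unsafe_aggregate("max", "not_a_field"))  # passes through unchecked
```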

