MikroORM, SQL Injection, CVE-2026-XXXXX (Critical)

Listen to this Post

How the Mentioned CVE Works

The vulnerability stems from MikroORM’s legacy use of duck typing to identify its internal objects. Prior to the patch, the ORM checked for the presence of specific property names (e.g., `__entity` or __helper) to determine if an input was an entity instance. An attacker can craft a plain JavaScript object that includes these exact marker properties. When this specially crafted object is passed to write APIs like wrap(entity).assign(userInput), em.nativeUpdate(), or em.create(), the ORM mistakenly treats it as a raw internal query fragment. Consequently, any properties on this object, including those with malicious SQL syntax, are interpolated directly into the generated SQL query without proper sanitization, leading to SQL injection. The fix replaces these guessable string-based markers with unique JavaScript symbols that cannot be replicated by user input, thereby closing the injection vector.
Platform: Node.js
Version: <6.6.10, 7.0.0-dev.0-7.0.5
Vulnerability: SQL Injection
Severity: Critical
date: 2026-03-29

Prediction: 2026-03-30

What Undercode Say:

Analytics reveal that exploitation attempts target `em.create()` and `em.nativeUpdate()` flows. Monitor for objects containing `__entity` or `__helper` keys in request bodies.

Check for vulnerable versions
npm list @mikro-orm/core
grep -E '"(mikro-orm|@mikro-orm/core)": "(6.[0-5].|7.0.[0-5])"' package.json

How Exploit:

An attacker sends a JSON object with a property named `__helper` containing malicious SQL.

// Example malicious payload
const payload = {
username: "admin",
__helper: {
raw: "'; DELETE FROM users; --"
}
};
await em.nativeUpdate(User, { id: 1 }, payload);

Protection from this CVE

Upgrade to MikroORM version 6.6.10 or 7.0.6 immediately. Implement strict input validation to reject objects containing non-schema properties. Use a schema validation library (e.g., Zod, Joi) to ensure data types match entity definitions before passing to ORM methods.

Impact

Successful exploitation allows an attacker to execute arbitrary SQL commands against the database, potentially leading to data exfiltration, data loss, or full database server compromise. Applications using dynamic object assignment without strict schema validation are at highest risk.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top