CVE-2026-22814 Overview
CVE-2026-22814 is a Mass Assignment vulnerability affecting @adonisjs/lucid, an SQL ORM for AdonisJS built on top of Knex. This vulnerability allows remote attackers who can influence data passed into Lucid model assignments to overwrite the internal ORM state. Exploitation may lead to logic bypasses and unauthorized record modification within affected database tables or models.
Critical Impact
Remote attackers can manipulate internal ORM state through crafted input, potentially bypassing application logic and modifying database records without authorization.
Affected Products
- @adonisjs/lucid versions through 21.8.1
- @adonisjs/lucid 22.x pre-release versions prior to 22.0.0-next.6
Discovery Timeline
- 2026-01-13 - CVE CVE-2026-22814 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2026-22814
Vulnerability Analysis
This vulnerability is classified under CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes), commonly known as Mass Assignment. Mass Assignment vulnerabilities occur when an application automatically binds user-supplied input to internal object properties without proper filtering or validation.
In the context of @adonisjs/lucid, the ORM allows data binding to model instances in a way that can be exploited by attackers who control the input data. By crafting malicious payloads, an attacker can overwrite internal ORM state that should not be user-modifiable, such as relationship definitions, query scopes, or other protected model attributes.
The attack requires network access and the ability to influence data that flows into Lucid model assignment operations. This typically occurs in API endpoints that accept user input and pass it directly to model creation or update methods without proper attribute filtering.
Root Cause
The root cause lies in insufficient input validation and attribute filtering within the Lucid ORM's model assignment mechanism. When user-controlled data is passed to model methods like create(), fill(), or similar assignment operations, the ORM does not adequately restrict which properties can be modified. This allows attackers to inject values for internal or protected attributes that should not be exposed to external modification.
Attack Vector
The attack is conducted over the network and requires the attacker to identify application endpoints that accept user input and pass it to Lucid model operations. Common attack scenarios include:
- API endpoints that create or update database records based on JSON request bodies
- Form submissions that are bound directly to model instances
- Batch import or synchronization features that process external data
An attacker would craft a request containing additional fields targeting internal ORM properties. When the application processes this input without proper filtering, the malicious values overwrite the intended model state, potentially enabling unauthorized data modification or logic bypass.
The vulnerability does not require authentication in scenarios where the affected endpoints are publicly accessible, though the specific prerequisites depend on the target application's architecture.
Detection Methods for CVE-2026-22814
Indicators of Compromise
- Unusual database modifications affecting fields that should not be user-modifiable
- Application log entries showing unexpected attribute assignments in Lucid model operations
- Requests containing suspicious property names targeting internal ORM attributes (e.g., $attributes, $original, relationship names)
- Unexpected changes to model relationships or computed fields
Detection Strategies
- Implement application-level logging for all model assignment operations to track attribute changes
- Deploy Web Application Firewall (WAF) rules to detect requests with suspicious payload structures targeting ORM internals
- Monitor database audit logs for unauthorized modifications to protected columns
- Review application code for instances where user input is passed directly to model methods without attribute whitelisting
Monitoring Recommendations
- Enable detailed request logging on endpoints that interact with Lucid models
- Set up alerts for database modifications that occur outside of expected business logic patterns
- Implement integrity monitoring for critical database records
- Monitor for error patterns that may indicate exploitation attempts
How to Mitigate CVE-2026-22814
Immediate Actions Required
- Upgrade @adonisjs/lucid to version 21.8.2 or later for stable releases
- Upgrade @adonisjs/lucid to version 22.0.0-next.6 or later for pre-release versions
- Audit all application code to identify endpoints that pass user input to Lucid model assignments
- Implement explicit attribute whitelisting using Lucid's $fillable or $guarded model properties
Patch Information
The vulnerability has been patched in @adonisjs/lucid versions 21.8.2 and 22.0.0-next.6. For detailed patch information and security guidance, refer to the GitHub Security Advisory.
Workarounds
- Use explicit attribute whitelisting by defining $fillable arrays on all Lucid models
- Implement request validation middleware that strips unexpected properties before model assignment
- Avoid passing raw user input directly to model create(), fill(), or merge() methods
- Use Data Transfer Objects (DTOs) or form request validation to sanitize input before database operations
# Update @adonisjs/lucid to patched version
npm update @adonisjs/lucid@21.8.2
# Or for pre-release channel
npm update @adonisjs/lucid@22.0.0-next.6
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
