CVE-2026-27953 Overview
CVE-2026-27953 is a Pydantic validation bypass vulnerability in ormar, an async mini ORM for Python. Versions 0.23.0 and below are vulnerable to validation bypass through the model constructor, allowing any unauthenticated user to skip all field validation by injecting "__pk_only__": true into a JSON request body. This vulnerability enables attackers to persist unvalidated data directly to the database, leading to privilege escalation, data integrity violations, and business logic bypass.
A secondary attack vector exists through the __excluded__ parameter injection, which uses the same pattern to selectively nullify arbitrary model fields (e.g., email or role) during construction. This vulnerability specifically affects ormar's canonical FastAPI integration pattern recommended in its official documentation.
Critical Impact
Unauthenticated attackers can bypass all Pydantic field validation and persist malicious data directly to the database, enabling privilege escalation and business logic bypass in any application using ormar.Model directly as a request body parameter.
Affected Products
- ormar versions ≤ 0.23.0
- Applications using ormar.Model directly as FastAPI request body parameters
- Python applications using the ormar async ORM with Pydantic validation
Discovery Timeline
- 2026-03-19 - CVE CVE-2026-27953 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-27953
Vulnerability Analysis
This vulnerability stems from improper input validation (CWE-20) in ormar's model construction process. When ormar models are used as FastAPI request body parameters, the framework passes user-controlled JSON data directly to the model constructor. The internal __pk_only__ flag, intended for internal ORM operations when retrieving partial objects from the database, was inadvertently exposed to user input. When this flag is set to true in a request body, ormar bypasses all Pydantic validation logic, treating the object as a partial primary-key-only instance.
The attack is particularly severe because it targets the officially recommended FastAPI integration pattern documented in ormar's examples. Any application following the official FastAPI quick start example is vulnerable by default. The network-accessible attack vector with low complexity makes this vulnerability exploitable without requiring special privileges.
Root Cause
The root cause lies in the NewBaseModel implementation where internal constructor parameters (__pk_only__ and __excluded__) were not properly sanitized from external input. These parameters control critical validation logic:
- __pk_only__: When set to true, signals the model to skip full validation and treat the instance as containing only a primary key reference
- __excluded__: Allows specifying which fields should be excluded (nullified) during model construction
The NewBaseModel implementation accepted these parameters from any source, including untrusted user input in HTTP request bodies.
Attack Vector
An attacker can exploit this vulnerability by sending a malicious JSON payload to any FastAPI endpoint that accepts an ormar model as a request body parameter. The attack requires no authentication and can be performed remotely over the network.
Validation Bypass Attack:
By including "__pk_only__": true in the JSON request body, all Pydantic field validators are bypassed, allowing:
- Invalid data types to be persisted
- Required fields to be omitted
- Constraint violations to go undetected
Field Nullification Attack:
By injecting "__excluded__": ["email", "role"], an attacker can selectively nullify critical fields during model construction, potentially:
- Removing email verification requirements
- Bypassing role-based access controls
- Nullifying audit fields
# Source: https://github.com/ormar-orm/ormar/commit/7f22aa21a7614b993970345b392dabb0ccde0ab3
# Security patch in ormar/models/model_row.py - Fix/remove kwargs injection (#1582)
instance: Optional["Model"] = None
if item.get(cls.ormar_config.pkname, None) is not None:
- item["__excluded__"] = cls.get_names_to_exclude(
+ excluded = cls.get_names_to_exclude(
excludable=excludable, alias=table_prefix
)
- instance = cast("Model", cls(**item))
+ instance = cast("Model", cls._construct_with_excluded(excluded, **item))
instance.set_save_status(True)
return instance
Detection Methods for CVE-2026-27953
Indicators of Compromise
- HTTP request bodies containing __pk_only__ or __excluded__ parameters in JSON payloads
- Database records with unexpected null values in required fields
- Log entries showing successful data persistence with validation errors that should have been caught
- Unusual patterns of privilege escalation or role modifications in application logs
Detection Strategies
- Implement WAF rules to detect and block requests containing __pk_only__ or __excluded__ in JSON request bodies
- Monitor application logs for database insertion operations that bypass expected validation patterns
- Deploy SIEM rules to correlate unusual field modifications with specific user sessions
- Audit database tables for records with invalid or unexpected null values in required fields
Monitoring Recommendations
- Enable detailed logging for all FastAPI endpoints that accept ormar models as request bodies
- Set up alerts for any HTTP requests containing suspicious internal parameter names in JSON payloads
- Monitor for sudden changes in user roles or permissions without corresponding admin actions
- Implement integrity checks on critical database fields to detect unexpected modifications
How to Mitigate CVE-2026-27953
Immediate Actions Required
- Upgrade ormar to version 0.23.1 or later immediately
- Audit application code to identify all endpoints using ormar.Model directly as FastAPI request body parameters
- Review database records created during the vulnerable period for data integrity issues
- Implement input sanitization as a defense-in-depth measure to strip internal parameters from request bodies
Patch Information
The vulnerability has been fixed in ormar version 0.23.1. The fix introduces a new _construct_with_excluded method that separates internal construction parameters from user-provided input, preventing injection of internal flags through request bodies.
Detailed patch information is available in the GitHub Release 0.23.1 Details and the GitHub Security Advisory GHSA-f964-whrq-44h8.
Workarounds
- If immediate upgrade is not possible, create wrapper Pydantic models that explicitly define allowed fields and validate input before passing to ormar models
- Implement middleware to strip __pk_only__, __excluded__, and other internal ormar parameters from all incoming JSON request bodies
- Use FastAPI's dependency injection to sanitize request data before it reaches ormar model constructors
- Deploy WAF rules to block requests containing internal ormar parameter names as an interim protective measure
# Upgrade ormar to patched version
pip install --upgrade ormar>=0.23.1
# Verify installed version
pip show ormar | grep Version
# If using requirements.txt, update the pinned version
sed -i 's/ormar.*/ormar>=0.23.1/' requirements.txt
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
