CVE-2026-44680 Overview
CVE-2026-44680 is a SQL injection vulnerability in MikroORM, a TypeScript Object-Relational Mapper (ORM) for Node.js. The flaw affects @mikro-orm/knex versions prior to 6.6.14 and @mikro-orm/sql versions prior to 7.0.14. The vulnerability resides in MikroORM's identifier-quoting helper (Platform.quoteIdentifier) and JSON-path emitters (Platform.getSearchJsonPropertyKey, quoteJsonKey), which fail to escape delimiter characters in SQL identifier and string-literal contexts. Attackers who supply crafted strings to public ORM APIs expecting identifiers or JSON-property filters can break out of the quoted context and inject arbitrary SQL [CWE-89].
Critical Impact
Authenticated attackers with the ability to influence identifier or JSON-path inputs can execute arbitrary SQL statements against the backing database.
Affected Products
- @mikro-orm/knex versions prior to 6.6.14
- @mikro-orm/sql versions prior to 7.0.14
- MikroORM PostgreSQL and MSSQL platform overrides
Discovery Timeline
- 2026-05-26 - CVE-2026-44680 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-44680
Vulnerability Analysis
The vulnerability stems from incomplete escaping in two related code paths within MikroORM's SQL generation layer. The Platform.quoteIdentifier method, along with PostgreSQL and MSSQL overrides, wraps identifiers in double quotes or square brackets but does not escape embedded delimiter characters. Similarly, Platform.getSearchJsonPropertyKey and quoteJsonKey emit JSON paths into string-literal contexts without sanitizing single quotes or path separators.
When application code forwards user-controlled values to ORM APIs that expect an identifier (such as a column name, table alias, or sort field) or a JSON-property filter, the attacker-controlled string is concatenated directly into the generated SQL. An attacker can supply a payload containing the closing quote character followed by additional SQL, escaping the intended quoted context and executing arbitrary statements.
The issue is classified under [CWE-89] (Improper Neutralization of Special Elements used in an SQL Command). Exploitation requires that the application expose these APIs to attacker-influenced input, which is common in dynamic query builders, sorting parameters, and JSON-field search endpoints.
Root Cause
The root cause is missing neutralization of delimiter characters in the identifier-quoting and JSON-path emission functions. MikroORM assumed callers would pass trusted strings to these helpers and therefore relied on simple wrapping rather than full escaping. PostgreSQL identifiers require doubling any embedded double quote ("), MSSQL bracketed identifiers require doubling any embedded closing bracket (]), and the JSON-path emitters require doubling single quotes (') inside the string literal. None of these protections were applied.
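The naive wrapping beside the doubled-delimiter escaping described above, as an added TypeScript example that is not MikroORM's own code; the function names, the break-out check and the untrusted input strings are constructed here:

```typescript
// Naive forms: wrap the value but never escape the delimiter it might contain.
function naiveQuotePg(id: string): string {
  return `"${id}"`;
}
function naiveQuoteMssql(id: string): string {
  return `[${id}]`;
}

// Hardened forms: double the closing delimiter so it reads as a literal
// character instead of ending the identifier or string literal.
function safeQuotePg(id: string): string {
  return `"${id.replace(/"/g, '""')}"`;      // PostgreSQL: " -> ""
}
function safeQuoteMssql(id: string): string {
  return `[${id.replace(/\]/g, ']]')}]`;     // MSSQL: ] -> ]]
}
function safeJsonKeyLiteral(key: string): string {
  return `'${key.replace(/'/g, "''")}'`;     // string literal: ' -> ''
}

// Read a quoted token the way the database parser does: a doubled delimiter
// is literal, the first single one closes the token. Returns true when the
// token closes before the end of the string, i.e. the input escaped its context.
function breaksOut(quoted: string, close: string): boolean {
  for (let i = 1; i < quoted.length; i++) {
    if (quoted[i] !== close) continue;
    if (quoted[i + 1] === close) { i++; continue; }
    return i !== quoted.length - 1;
  }
  return false; // never closed: a syntax error, but no break-out
}

// Constructed untrusted input: a closing delimiter followed by trailing text.
const UNTRUSTED_PG = 'name" extra';
const UNTRUSTED_MSSQL = 'name] extra';
```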
Attack Vector
The attack vector is network-based and requires low privileges. An attacker submits a crafted identifier or JSON-path string through any application endpoint that passes the value to the affected ORM APIs. Typical entry points include sort/order-by parameters, dynamic column selectors, and JSON-field filters exposed by REST or GraphQL layers. See the GitHub Security Advisory GHSA-cfw5-68c4-ffqp for further technical context.
No verified public proof-of-concept code is available. The vulnerability mechanism is described in prose based on the upstream advisory and the patches in Pull Requests #7653, #7654, #7656, and #7657.
Detection Methods for CVE-2026-44680
Indicators of Compromise
- Database query logs containing unexpected quote characters, semicolons, or SQL keywords inside identifier positions or JSON-path expressions.
- Application logs showing user-supplied values for orderBy, groupBy, or JSON-field filter parameters that contain a double quote ("), closing bracket (]), single quote ('), or backslash sequences.
- Unusual database errors referencing syntax failures in identifier-quoted contexts following requests with crafted query parameters.
Detection Strategies
- Inventory all calls to MikroORM APIs that accept identifier or JSON-path arguments and audit whether their input originates from user-controlled sources.
- Enable database-side query logging and search for malformed identifiers or string literals indicative of injection attempts.
- Deploy a web application firewall rule that flags identifier-like parameters containing quote, bracket, or semicolon characters.
Monitoring Recommendations
- Monitor outbound database queries for statements that deviate from the application's expected query shape baseline.
- Alert on authentication-context principals issuing SQL statements outside their normal role scope.
- Track upgrade status of @mikro-orm/knex and @mikro-orm/sql across all Node.js services in the environment.
How to Mitigate CVE-2026-44680
Immediate Actions Required
- Upgrade @mikro-orm/knex to version 6.6.14 or later.
- Upgrade @mikro-orm/sql to version 7.0.14 or later.
- Audit application code for direct or indirect calls to Platform.quoteIdentifier, Platform.getSearchJsonPropertyKey, and quoteJsonKey that receive untrusted input.
- Validate and allow-list identifier values (table names, column names, sort fields) before passing them to ORM APIs.
Patch Information
The vulnerability is fixed in @mikro-orm/knex 6.6.14 and @mikro-orm/sql 7.0.14. The fixes implement proper escaping of delimiter characters in the identifier-quoting helpers and JSON-path emitters. Patch details are available in Pull Requests #7653, #7654, #7656, and #7657.
Workarounds
- Restrict identifier and JSON-path inputs to a server-side allow-list of known-safe values before passing them to MikroORM.
- Reject any identifier parameter containing characters outside [A-Za-z0-9_] at the application boundary.
- Apply least-privilege database accounts so ORM connections cannot execute destructive statements or access unrelated schemas.
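An added TypeScript example, not MikroORM's code, that combines the boundary allow-list from the workarounds above with a scan for the delimiter characters listed under Indicators of Compromise; the column allow-list, watched parameter names and request log lines are constructed here:

```typescript
// Constructed allow-list: the only columns a client may sort by.
const SORTABLE_COLUMNS = new Set(['id', 'name', 'createdAt']);
const IDENTIFIER_RE = /^[A-Za-z0-9_]+$/;
// Delimiters from the indicators: double quote, single quote, closing bracket, semicolon, backslash.
const DELIMITER_RE = /["'\];\\]/;
const WATCHED_PARAMS = ['orderBy', 'groupBy', 'sort', 'filter'];

function isSafeIdentifier(value: string): boolean {
  return IDENTIFIER_RE.test(value);
}

// Map a user-supplied sort field to an orderBy object for the ORM call, or
// null so the caller rejects the request before the ORM ever sees the value.
function resolveOrderBy(field: string, dir: string): Record<string, string> | null {
  if (!isSafeIdentifier(field) || !SORTABLE_COLUMNS.has(field)) return null;
  const d = dir.toUpperCase();
  if (d !== 'ASC' && d !== 'DESC') return null;
  return { [field]: d };
}

// Minimal query-string parser so the scan needs no URL globals.
function parseQuery(qs: string): Map<string, string> {
  const params = new Map<string, string>();
  for (const pair of qs.split('&')) {
    const [k, v = ''] = pair.split('=');
    params.set(decodeURIComponent(k), decodeURIComponent(v.replace(/\+/g, ' ')));
  }
  return params;
}

// Return the log lines whose watched parameters carry a delimiter character.
function flagSuspiciousRequests(logLines: string[]): string[] {
  const flagged: string[] = [];
  for (const line of logLines) {
    const q = line.indexOf('?');
    if (q < 0) continue;
    const params = parseQuery(line.slice(q + 1).split(' ')[0]);
    const hit = WATCHED_PARAMS.some(p => DELIMITER_RE.test(params.get(p) ?? ''));
    if (hit) flagged.push(line);
  }
  return flagged;
}

// Constructed request log lines, not from a real system.
const SAMPLE_LOG = [
  '2026-05-27T09:00:01Z GET /api/users?orderBy=name&dir=asc 200',
  '2026-05-27T09:00:02Z GET /api/users?orderBy=name%22+extra&dir=asc 500',
  '2026-05-27T09:00:03Z GET /api/docs?filter=meta.tags%27x 500',
];
```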
# Configuration example
npm install @mikro-orm/knex@^6.6.14
npm install @mikro-orm/sql@^7.0.14
npm audit --production
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.