CVE-2026-44680 HIGH

CVE-2026-44680: MikroORM: SQL injection via runtime-controlled identifiers and JSON-path keys

Vendor Mikro-Orm

Product mikro-orm

Weakness CWE-89 · SQLi

Published May 26, 2026

Last update May 26, 2026

View on NVD All CVEs

CVSS base score

7.6/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

What the vulnerability does

01Description

MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to @mikro-orm/knex 6.6.14 and @mikro-orm/sql 7.0.14, MikroORM's identifier-quoting helper (Platform.quoteIdentifier and the postgres/mssql overrides) and its JSON-path emitters (Platform.getSearchJsonPropertyKey, quoteJsonKey) did not properly escape characters that delimit the SQL identifier or string-literal context they emit into. When application code passes attacker-influenced strings to public ORM APIs that expect an identifier or a JSON-property filter, an attacker can break out of the quoted context and inject arbitrary SQL. This vulnerability is fixed in @mikro-orm/knex 6.6.14 and @mikro-orm/sql 7.0.14.

Key dates

02Disclosure timeline

May 26, 2026 CVE published

May 26, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-44680 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/89.html

Related vulnerabilities

Identifiers

CVE CVE-2026-44680

CWE CWE-89

CVSS 7.6 / HIGH

Affected versions

Vendor Mikro-Orm

Product mikro-orm

Affected >= 7.0.0-rc.0, < 7.0.14

Vendor Mikro-Orm

Product mikro-orm

Affected < 6.6.14

Vendor @Mikro-Orm

Product knex

Affected < 6.6.14

Vendor @Mikro-Orm

Product sql

Affected < 7.0.14

CVE-2026-44680: MikroORM: SQL injection via runtime-controlled identifiers and JSON-path keys

01Description

02Disclosure timeline

03References

04Related CVE