PatchSiren cyber security CVE debrief
CVE-2026-44680 mikro-orm CVE debrief
MikroORM, a TypeScript ORM for Node.js, contains an SQL injection vulnerability in versions prior to @mikro-orm/knex 6.6.14 and @mikro-orm/sql 7.0.14. The vulnerability resides in the identifier-quoting helper (Platform.quoteIdentifier and PostgreSQL/MSSQL overrides) and JSON-path emitters (Platform.getSearchJsonPropertyKey, quoteJsonKey), which fail to properly escape characters that delimit SQL identifier or string-literal contexts. When application code passes attacker-influenced strings to public ORM APIs expecting identifiers or JSON-property filters, an attacker can break out of the quoted context and inject arbitrary SQL. The CVSS 3.1 score of 7.6 (HIGH) reflects network attack vector, low attack complexity, low privileges required, no user interaction, and high confidentiality impact with low integrity and availability impact. The vulnerability was published on May 26, 2026, and is classified under CWE-89 (SQL Injection). No known exploitation in ransomware campaigns has been documented, and the vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog.
- Vendor: mikro-orm
- Product: Unknown
- CVSS: HIGH 7.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-26
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-26
- Advisory updated: 2026-05-26
Who should care
Organizations using MikroORM in Node.js applications, particularly those accepting user input for dynamic identifier selection or JSON property filtering. Development teams maintaining applications with custom ORM query construction or direct Platform API usage should prioritize this update.
Technical summary
The vulnerability stems from insufficient escaping in MikroORM's platform-specific identifier quoting and JSON-path key emission functions. The Platform.quoteIdentifier method and its PostgreSQL/MSSQL overrides, along with Platform.getSearchJsonPropertyKey and quoteJsonKey, do not adequately escape delimiter characters. This allows SQL context breakout when untrusted input reaches these code paths through public ORM APIs. The fix in versions 6.6.14 (knex) and 7.0.14 (sql) implements proper escaping to prevent injection.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade @mikro-orm/knex to version 6.6.14 or later, or @mikro-orm/sql to version 7.0.14 or later
- Audit application code for any direct usage of Platform.quoteIdentifier, Platform.getSearchJsonPropertyKey, or quoteJsonKey with user-supplied input
- Review ORM query construction patterns to ensure attacker-influenced strings are not passed to identifier or JSON-property filter APIs
- Implement input validation and sanitization for any strings used as database identifiers or JSON path keys
- Monitor application logs for anomalous SQL query patterns that may indicate attempted injection
- Consider using parameterized queries or ORM abstraction layers that do not expose raw identifier quoting to application code
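As an added example (not MikroORM's own code), the defensive handling a request handler should apply before a user-chosen column or JSON key reaches any identifier-quoting helper: a strict allowlist first, and delimiter-doubling quoting as defence in depth. The allowlist contents and function names are assumptions; the quoting rules shown are the standard PostgreSQL double-quote, MSSQL bracket and SQL string-literal rules, not the patched Platform methods.

```typescript
// Added example, not MikroORM code. Assumed: sortable columns are a fixed
// application allowlist, and the quoting helpers below are illustrative.

const ALLOWED_SORT_COLUMNS: ReadonlySet<string> = new Set(['id', 'email', 'created_at']);

/** Allowlist check: the primary control for a user-chosen identifier. */
function resolveSortColumn(input: string): string {
  if (!ALLOWED_SORT_COLUMNS.has(input)) {
    throw new Error(`unknown sort column: ${JSON.stringify(input)}`);
  }
  return input;
}

/** PostgreSQL-style identifier quoting: every embedded `"` is doubled so the
 *  closing delimiter cannot be terminated early; NUL bytes are rejected. */
function quoteIdentifierPg(name: string): string {
  if (name.includes('\0')) throw new Error('NUL byte in identifier');
  return `"${name.replace(/"/g, '""')}"`;
}

/** MSSQL bracket quoting: the closing `]` delimiter is doubled. */
function quoteIdentifierMssql(name: string): string {
  return `[${name.replace(/\]/g, ']]')}]`;
}

/** JSON property key emitted inside a single-quoted SQL string literal
 *  (e.g. PostgreSQL `->>'key'`): the `'` delimiter is doubled. */
function quoteJsonKeyLiteral(key: string): string {
  if (key.includes('\0')) throw new Error('NUL byte in JSON key');
  return `'${key.replace(/'/g, "''")}'`;
}

/** ORDER BY fragment built from request input: allowlist, then quoting. */
function buildOrderBy(userColumn: string, direction: string): string {
  const col = resolveSortColumn(userColumn);
  const dir = direction.toUpperCase() === 'DESC' ? 'DESC' : 'ASC';
  return `ORDER BY ${quoteIdentifierPg(col)} ${dir}`;
}
```

The allowlist is what actually prevents injection; the quoting functions only make sure a delimiter character inside a value stays inside the quoted context.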
Evidence notes
Vulnerability description and affected versions derived from official CVE record and GitHub Security Advisory. CVSS vector and score from NVD source data. Fix versions confirmed through multiple pull requests addressing the quoting and JSON-path emission issues.
2026-05-26T17:16:46.540Z