CVE-2026-27953
Published: 19 March 2026
Description
ormar is an async mini ORM for Python. Versions 0.23.0 and below are vulnerable to Pydantic validation bypass through the model constructor, allowing any unauthenticated user to skip all field validation by injecting "__pk_only__": true into a JSON request body.
By injecting "__pk_only__": true into a JSON request body, an unauthenticated attacker can skip all field validation and persist unvalidated data directly to the database. A secondary __excluded__ parameter injection uses the same pattern to selectively nullify arbitrary model fields (e.g., email or role) during construction. This affects ormar's canonical FastAPI integration pattern recommended in its official documentation, enabling privilege escalation, data integrity violations, and business logic bypass in any application using ormar.Model directly as a request body parameter. This issue has been fixed in version 0.23.1.
Mitigating Controls (NIST 800-53 r5)
Directly enforces input validation at entry points to prevent bypass of Pydantic field validations in ormar model constructors via malicious JSON parameters like '__pk_only__'.
Requires timely remediation by patching ormar to version 0.23.1, eliminating the validation bypass vulnerability in the model constructor.
Enforces restrictions on input fields at API boundaries, blocking injection of unauthorized parameters such as '__pk_only__' and '__excluded__' in JSON request bodies.
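The API-boundary control described above, as an added example that is not code from the advisory, from ormar or from FastAPI: a stdlib-only Python gate that runs before a decoded JSON body reaches any model constructor. It rejects reserved constructor-control keys ("__pk_only__" and "__excluded__" from the advisory, and any other "__name__" key) at any nesting depth, since related models are built from nested objects too, and enforces an explicit allow-list of client-settable fields so that a field such as "role" can never be set by the client. The User field names, the "team" relation and the sample request bodies are constructed for illustration and are not ormar's schema.

```python
import json
import re
from typing import Any

# Constructor-control keys named in the advisory. Any key of the form
# __name__ is treated as reserved as well, because such keys carry
# constructor options rather than field data.
RESERVED_KEYS = {"__pk_only__", "__excluded__"}
DUNDER_KEY = re.compile(r"^__.*__$")

# Allow-list of client-settable fields for a hypothetical User model with a
# nested "team" relation. Constructed for this example; not ormar's schema.
USER_FIELDS = {"name", "email", "team"}


class RejectedBody(ValueError):
    """Raised when a request body must not reach the model constructor."""


def find_reserved_keys(obj: Any, path: str = "$") -> list[str]:
    """Walk a decoded JSON value and return JSONPath-style locations of
    reserved (dunder) keys at any nesting depth."""
    hits: list[str] = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}"
            if key in RESERVED_KEYS or DUNDER_KEY.match(key):
                hits.append(here)
            hits.extend(find_reserved_keys(value, here))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            hits.extend(find_reserved_keys(item, f"{path}[{i}]"))
    return hits


def validate_user_body(raw: str) -> dict:
    """Gate a raw JSON request body before it is handed to a model constructor.

    1. Reject anything that is not a JSON object.
    2. Reject reserved/dunder keys anywhere in the document.
    3. Enforce an explicit allow-list of top-level fields, so fields such as
       "role" or "id" cannot be supplied by the client at all.
    Returns the clean dict on success; raises RejectedBody otherwise.
    """
    body = json.loads(raw)
    if not isinstance(body, dict):
        raise RejectedBody("request body must be a JSON object")
    reserved = find_reserved_keys(body)
    if reserved:
        raise RejectedBody(f"reserved keys not permitted: {', '.join(reserved)}")
    unknown = set(body) - USER_FIELDS
    if unknown:
        raise RejectedBody(f"fields not permitted: {', '.join(sorted(unknown))}")
    return body


def classify(raw: str) -> str:
    """Return 'accepted' or the rejection reason; handy for tests and logging."""
    try:
        validate_user_body(raw)
        return "accepted"
    except RejectedBody as exc:
        return f"rejected: {exc}"


# Constructed sample bodies (not captured traffic).
SAMPLES = {
    "clean": '{"name": "alice", "email": "alice@example.com"}',
    "pk_only": '{"name": "alice", "email": "alice@example.com", "__pk_only__": true}',
    "excluded": '{"name": "alice", "email": "alice@example.com", "__excluded__": ["email"]}',
    "nested": '{"name": "alice", "email": "alice@example.com", "team": {"__pk_only__": true, "id": 1}}',
    "extra_field": '{"name": "alice", "email": "alice@example.com", "role": "admin"}',
}


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:12} -> {classify(raw)}")
```

In a FastAPI handler this gate would be applied to the raw body (or a dedicated request schema would be used) before anything is passed to an ormar model; it is a boundary control that complements, and does not replace, upgrading to 0.23.1.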
Security Summary
CVE-2026-27953 is a Pydantic validation bypass vulnerability in ormar, an async mini ORM for Python. Versions 0.23.0 and below are affected, where attackers can inject "__pk_only__": true into a JSON request body via the model constructor to skip all field validation and persist unvalidated data directly to the database. A secondary injection using the "__excluded__" parameter allows selective nullification of arbitrary model fields, such as email or role, during construction. This issue impacts ormar's canonical FastAPI integration pattern, as recommended in its official documentation, when using ormar.Model directly as a request body parameter.
An unauthenticated attacker can exploit this vulnerability over the network with low privileges by crafting a JSON request body containing the malicious parameters. Successful exploitation enables privilege escalation, data integrity violations, and business logic bypass in affected applications, as unvalidated or manipulated data is persisted to the database. The CVSS v3.1 base score is 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L), highlighting high integrity and low availability impact, mapped to CWE-20 (Improper Input Validation) and CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes).
The vulnerability has been fixed in ormar version 0.23.1. References point to specific code locations in the ormar GitHub repository, including the FastAPI quick start example and model construction logic in files like foreign_key.py, pydantic.py, model.py, and newbasemodel.py, confirming the root cause in the model's Pydantic integration. Security practitioners should upgrade to the patched version and review applications using ormar with FastAPI for exposure.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a public-facing FastAPI application flaw exploitable over the network (T1190). It directly enables privilege escalation by bypassing validation to persist manipulated data like roles (T1068).