CVE-2026-26198
Published: 24 February 2026
Summary
CVE-2026-26198 is a critical-severity SQL Injection (CWE-89) vulnerability in Collerek Ormar. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of user-supplied column names before they are passed to SQL aggregate functions such as min() and max(), directly preventing SQL injection in Ormar aggregate queries.
- SI-2 (Flaw Remediation): mandates timely remediation of known flaws by upgrading Ormar to version 0.23.0 or later, eliminating the unvalidated-input vulnerability.
- RA-5 (Vulnerability Monitoring and Scanning): enables vulnerability scanning to identify and prioritize the SQL injection flaw in Ormar versions 0.9.9 through 0.22.0 for remediation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public ORM enables remote unauthenticated exploitation of apps (T1190) and direct arbitrary access to database contents (T1213.006).
NVD Description
Ormar is an async mini ORM for Python. In versions 0.9.9 through 0.22.0, when performing aggregate queries, Ormar ORM constructs SQL expressions by passing user-supplied column names directly into `sqlalchemy.text()` without any validation or sanitization. The `min()` and `max()` methods in the `QuerySet` class accept arbitrary string input as the column parameter. While `sum()` and `avg()` are partially protected by an `is_numeric` type check that rejects non-existent fields, `min()` and `max()` skip this validation entirely. As a result, an attacker-controlled string is embedded as raw SQL inside the aggregate function call. Any unauthorized user can exploit this vulnerability to read the entire database contents, including tables unrelated to the queried model, by injecting a subquery as the column parameter. Version 0.23.0 contains a patch.
Deeper analysis
CVE-2026-26198 is a SQL injection vulnerability in Ormar, an async mini ORM for Python. Affecting versions 0.9.9 through 0.22.0, the flaw occurs during aggregate queries where the QuerySet class's min() and max() methods accept arbitrary string input as the column parameter and pass it directly into sqlalchemy.text() without validation or sanitization. While sum() and avg() include a partial is_numeric type check that rejects non-existent fields, min() and max() bypass this entirely, allowing attacker-controlled strings to be embedded as raw SQL within the aggregate function call.
Any unauthorized remote attacker can exploit this vulnerability over the network with low complexity and no privileges, as indicated by its CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By injecting a subquery as the column parameter, the attacker can read the entire database contents, including tables unrelated to the queried model, achieving high confidentiality, integrity, and availability impacts (CWE-89).
The Ormar project has addressed the issue in version 0.23.0, as detailed in the security advisory (GHSA-xxh2-68g9-8jqr), release notes, and patching commit (a03bae14fe01358d3eaf7e319fcd5db2e4956b16). Security practitioners should urge users to upgrade to 0.23.0 or later to mitigate the risk.
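The root cause described above, and the SI-10 control listed under Mitigating Controls, come down to one rule: a column name taken from a caller is an identifier that must be checked against the model's declared fields before it is ever placed in SQL text. The following is an added illustration written for this page; it is not Ormar's code and not the project's patch. It uses the standard-library sqlite3 module and a constructed `product` table rather than SQLAlchemy, and the `Model`, `unsafe_aggregate_sql` and `safe_aggregate_sql` names are hypothetical. `unsafe_aggregate_sql` mirrors the flawed shape (caller's string embedded verbatim, as `sqlalchemy.text()` would pass it through); `safe_aggregate_sql` is the hardened form, which allowlists both the aggregate function and the column against the model's fields and quotes the identifier.

```python
import sqlite3

# Constructed sample schema and rows for the demonstration (not from Ormar).
SCHEMA = """
CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT, price REAL);
INSERT INTO product (name, price) VALUES ('widget', 2.5), ('gadget', 7.0), ('gizmo', 4.25);
"""

ALLOWED_AGGREGATES = frozenset({"min", "max", "sum", "avg"})


class Model:
    """Hypothetical stand-in for an ORM model: a table name plus its declared columns."""

    def __init__(self, table, columns):
        self.table = table
        self.columns = frozenset(columns)


Product = Model("product", ["id", "name", "price"])


def unsafe_aggregate_sql(model, func, column):
    """Flawed pattern: the caller-supplied column string becomes raw SQL inside the
    aggregate call. Anything the caller writes ends up in the statement unchanged."""
    return f"SELECT {func}({column}) FROM {model.table}"


def safe_aggregate_sql(model, func, column):
    """Hardened pattern: both the aggregate and the column are allowlisted against
    values the application itself declared, so no caller text reaches the SQL."""
    if func not in ALLOWED_AGGREGATES:
        raise ValueError(f"unsupported aggregate: {func!r}")
    if column not in model.columns:
        raise ValueError(f"{column!r} is not a declared column of {model.table!r}")
    # The identifier is now known-good; quoting it additionally keeps the engine
    # from ever reading it as anything but a column name.
    return f'SELECT {func}("{column}") FROM "{model.table}"'


def open_sample_db():
    """In-memory SQLite database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def run_aggregate(conn, model, func, column):
    """Execute a validated aggregate and return its scalar result."""
    return conn.execute(safe_aggregate_sql(model, func, column)).fetchone()[0]


def rejects(model, column):
    """True if the hardened builder refuses the given column string."""
    try:
        safe_aggregate_sql(model, "min", column)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = open_sample_db()
    print(run_aggregate(conn, Product, "max", "price"))
    print(run_aggregate(conn, Product, "min", "price"))
    # A column that does not exist on the model is refused before any SQL is built,
    # which is the check the vulnerable min()/max() path lacked.
    print(rejects(Product, "secret"))
    print(rejects(Product, "(SELECT name FROM product)"))
    # The unsafe builder, by contrast, simply embeds whatever it was given.
    print(unsafe_aggregate_sql(Product, "min", "(SELECT name FROM product)"))
```

The check is deliberately a membership test against the model's own field set rather than a regex for "identifier-looking" strings: a regex would still accept a real column the caller should not be allowed to aggregate, whereas the allowlist ties accepted input to exactly what the application declared. Applying the same validation to `sum()` and `avg()` keeps all four aggregates on one code path instead of relying on the partial `is_numeric` check the advisory mentions.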
Details
- CWE(s)