Cyber Posture

CVE-2026-27953

Severity: High · Public PoC referenced

Published: 19 March 2026
Modified: 27 March 2026
KEV Added: not listed
Patch: fixed in ormar 0.23.1
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L)
EPSS Score: 0.0042 (62.2nd percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-27953 is a high-severity Improper Input Validation (CWE-20) vulnerability in ormar, the async Python ORM published by collerek; a second weakness, CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes), describes the same bug from the mass-assignment side. Its CVSS v3.1 base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The EPSS score of 0.0042 places it in the top 37.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5), AI-generated

SI-10 Information Input Validation (prevent): Directly enforces input validation at entry points, so that control parameters such as '__pk_only__' arriving in a JSON body cannot bypass the Pydantic field validation in ormar model constructors.

SI-2 Flaw Remediation (prevent): Requires timely remediation by upgrading ormar to version 0.23.1, which removes the validation bypass in the model constructor.

Additional control (prevent): Enforces restrictions on input fields at API boundaries, blocking injection of unauthorized parameters such as '__pk_only__' and '__excluded__' in JSON request bodies.

MITRE ATT&CK Enterprise Techniques, AI-generated

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The flaw is reachable over the network in any FastAPI application that accepts an ormar.Model directly as a request body (T1190). Because the bypass lets the attacker persist attacker-chosen field values such as a role, it also serves as a privilege-escalation primitive (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

ormar is an async mini ORM for Python. Versions 0.23.0 and below are vulnerable to Pydantic validation bypass through the model constructor, allowing any unauthenticated user to skip all field validation by injecting "__pk_only__": true into a JSON request body. By injecting "__pk_only__": true into a JSON request body, an unauthenticated attacker can skip all field validation and persist unvalidated data directly to the database. A secondary __excluded__ parameter injection uses the same pattern to selectively nullify arbitrary model fields (e.g., email or role) during construction. This affects ormar's canonical FastAPI integration pattern recommended in its official documentation, enabling privilege escalation, data integrity violations, and business logic bypass in any application using ormar.Model directly as a request body parameter. This issue has been fixed in version 0.23.1.
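The pattern the description names, shown as an added example that is not ormar's code or any real application: a toy user model whose constructor honours the two control keys exactly as the advisory describes (a hypothetical simplification of ormar's actual behaviour), the Model(**body) call site the advisory flags, and a hardened entry point that applies the SI-10 control, a strict allow-listed request schema that rejects any dunder key before anything reaches the constructor. The names (VulnerableUser, create_user_vulnerable, parse_user_create, find_control_keys) and the email/role fields are assumptions made for the example.

```python
# Added example, not ormar's code: a simplified stand-in for the bug class in
# CVE-2026-27953 next to the boundary validation that blocks it.
# Assumptions: a user model with email/role; the vulnerable constructor honours
# "__pk_only__" (skip validation) and "__excluded__" (nullify fields) as the
# advisory text describes. That is a hypothetical simplification of ormar.
from __future__ import annotations

import json
import re
from typing import Any

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
ALLOWED_ROLES = {"user", "admin"}


def validate_user_fields(data: dict[str, Any]) -> dict[str, Any]:
    """Field-level validation the application intends to run on every create."""
    email = data.get("email")
    if not isinstance(email, str) or not EMAIL_RE.match(email):
        raise ValueError("invalid email")
    role = data.get("role", "user")
    if role not in ALLOWED_ROLES:
        raise ValueError("invalid role")
    return {"email": email, "role": role}


class VulnerableUser:
    """Toy model: the constructor trusts control keys that arrive with field data."""

    def __init__(self, **kwargs: Any) -> None:
        pk_only = bool(kwargs.pop("__pk_only__", False))
        excluded = set(kwargs.pop("__excluded__", ()))
        if not pk_only:  # "__pk_only__": true skips validation entirely
            kwargs = validate_user_fields(kwargs)
        # "__excluded__": [...] nullifies the named fields during construction
        self.email = None if "email" in excluded else kwargs.get("email")
        self.role = None if "role" in excluded else kwargs.get("role", "user")


def create_user_vulnerable(body: str) -> VulnerableUser:
    """The call site the advisory flags: the raw JSON object is splatted into
    the model constructor, so client keys become constructor arguments."""
    return VulnerableUser(**json.loads(body))


# --- hardened boundary (NIST SI-10: validate at the entry point) -------------

USER_CREATE_FIELDS = {"email"}  # clients may set only this; role is server-assigned


def find_control_keys(obj: Any, path: str = "") -> list[str]:
    """Triage helper: list every dunder ("__x__") key at any depth of a JSON body."""
    hits: list[str] = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else str(key)
            if isinstance(key, str) and key.startswith("__") and key.endswith("__"):
                hits.append(here)
            hits.extend(find_control_keys(value, here))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            hits.extend(find_control_keys(value, f"{path}[{index}]"))
    return hits


def parse_user_create(body: str) -> dict[str, Any]:
    """Strict request schema: JSON object, allow-listed keys only, then field checks."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("body must be a JSON object")
    if find_control_keys(data):
        raise ValueError("reserved keys are not accepted")
    unknown = set(data) - USER_CREATE_FIELDS
    if unknown:
        raise ValueError(f"unexpected field(s): {sorted(unknown)}")
    return validate_user_fields(data)


def create_user_hardened(body: str) -> VulnerableUser:
    """Same model, but it only ever sees explicit, validated keyword arguments."""
    clean = parse_user_create(body)
    return VulnerableUser(email=clean["email"], role="user")
```

With the hardened path, role is assigned by the server, and a body carrying either control key or any field outside the allow-list is rejected with a ValueError before the constructor runs; find_control_keys doubles as a cheap check to run over captured request bodies when looking for probes. Upgrading to 0.23.1 remains the actual fix; the schema boundary is defence in depth for the case where a Model is still bound directly to a request body.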

Deeper analysis, AI-generated

CVE-2026-27953 is a Pydantic validation bypass vulnerability in ormar, an async mini ORM for Python. Versions 0.23.0 and below are affected, where attackers can inject "__pk_only__": true into a JSON request body via the model constructor to skip all field validation and persist unvalidated data directly to the database. A secondary injection using the "__excluded__" parameter allows selective nullification of arbitrary model fields, such as email or role, during construction. This issue impacts ormar's canonical FastAPI integration pattern, as recommended in its official documentation, when using ormar.Model directly as a request body parameter.

The attacker exploits this over the network by crafting a JSON request body containing the control parameters. Note the tension in the record: the description says "unauthenticated", while the CVSS vector scores PR:L; in practice the privileges required are whatever the application demands to reach the endpoint that binds an ormar.Model as its request body, which for a registration or self-service endpoint is often none. Successful exploitation enables privilege escalation, data integrity violations, and business logic bypass, because unvalidated or manipulated data is persisted to the database. The CVSS v3.1 base score is 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L), reflecting high integrity and low availability impact with no confidentiality impact; the weaknesses are CWE-20 (Improper Input Validation) and CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes).

The vulnerability is fixed in ormar version 0.23.1. References point to specific code locations in the ormar GitHub repository, including the FastAPI quick start example and model construction logic in files such as foreign_key.py, pydantic.py, model.py, and newbasemodel.py, placing the root cause in the model's Pydantic integration. Practitioners should upgrade to the patched version and review any FastAPI application that declares an ormar.Model as a request body parameter for exposure; a dedicated request schema that rejects unknown keys is the durable pattern even after patching.

Details

CWE(s): CWE-20 (Improper Input Validation), CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes)

Affected Products

collerek ormar ≤ 0.23.0 (fixed in 0.23.1)

CVEs Like This One

CVE-2026-26198 · Same product: collerek ormar
CVE-2025-27494 · Shared CWE-20
CVE-2025-30213 · Shared CWE-20
CVE-2026-2750 · Shared CWE-20
CVE-2025-40836 · Shared CWE-20
CVE-2025-59886 · Shared CWE-20
CVE-2025-31674 · Shared CWE-915
CVE-2026-41044 · Shared CWE-20
CVE-2026-33729 · Shared CWE-20
CVE-2025-1097 · Shared CWE-20
