CVE-2026-34221
Published: 31 March 2026
Summary
CVE-2026-34221 is a critical-severity Prototype Pollution (CWE-1321) vulnerability in Mikro-Orm Mikroorm. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Mandates timely identification, reporting, and patching of the prototype pollution flaw in MikroORM versions prior to 6.6.10 and 7.0.6 to prevent exploitation.
Requires validation of attacker-controlled inputs to block special keys like __proto__, constructor, or prototype that trigger pollution during object merging.
Facilitates vulnerability scanning to identify systems running vulnerable MikroORM versions exposed to this prototype pollution issue.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote exploitation of a Node.js ORM library vulnerability in likely public-facing web applications directly enables T1190: Exploit Public-Facing Application, potentially leading to RCE or DoS.
NVD Description
MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to versions 6.6.10 and 7.0.6, a prototype pollution vulnerability exists in the Utils.merge helper used internally by MikroORM when merging object…
more
structures. The function did not prevent special keys such as __proto__, constructor, or prototype, allowing attacker-controlled input to modify the JavaScript object prototype when merged. This issue has been patched in versions 6.6.10 and 7.0.6.
Deeper analysisAI
CVE-2026-34221 is a prototype pollution vulnerability in MikroORM, a TypeScript ORM for Node.js based on Data Mapper, Unit of Work, and Identity Map patterns. The flaw exists in the Utils.merge helper function used internally for merging object structures, which does not block special keys such as __proto__, constructor, or prototype. This allows attacker-controlled input to modify the JavaScript object prototype during merging. The vulnerability affects MikroORM versions prior to 6.6.10 and 7.0.6.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity, requiring no privileges or user interaction. By supplying crafted input to the merge function, they can pollute the global object prototype, enabling arbitrary code execution or denial-of-service conditions. The issue carries a CVSS 3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) and is classified under CWE-1321.
The vulnerability has been addressed in MikroORM versions 6.6.10 and 7.0.6. Additional details on the patch and remediation are available in the GitHub security advisory at https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-qpfv-44f3-qqx6.
Details
- CWE(s)