Cyber Resilience

CVE-2026-34221

High

Published: 31 March 2026

Published
31 March 2026
Modified
03 April 2026
KEV Added
Patch
CVSS Score v4 8.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0038 29.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-34221 is a high-severity Prototype Pollution (CWE-1321) vulnerability in Mikro-Orm Mikroorm. Its CVSS base score is 8.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-34221 is a prototype pollution vulnerability in MikroORM, a TypeScript ORM for Node.js based on Data Mapper, Unit of Work, and Identity Map patterns. The flaw exists in the Utils.merge helper function used internally for merging object structures, which does not block special keys such as __proto__, constructor, or prototype. This allows attacker-controlled input to modify the JavaScript object prototype during merging. The vulnerability affects MikroORM versions prior to 6.6.10 and 7.0.6.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity, requiring no privileges or user interaction. By supplying crafted input to the merge function, they can pollute the global object prototype, enabling arbitrary code execution or denial-of-service conditions. The issue carries a CVSS 3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) and is classified under CWE-1321.

The vulnerability has been addressed in MikroORM versions 6.6.10 and 7.0.6. Additional details on the patch and remediation are available in the GitHub security advisory at https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-qpfv-44f3-qqx6.

EU & UK References

Vulnerability details

MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to versions 6.6.10 and 7.0.6, a prototype pollution vulnerability exists in the Utils.merge helper used internally by MikroORM when merging object…

more

structures. The function did not prevent special keys such as __proto__, constructor, or prototype, allowing attacker-controlled input to modify the JavaScript object prototype when merged. This issue has been patched in versions 6.6.10 and 7.0.6.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated remote exploitation of a Node.js ORM library vulnerability in likely public-facing web applications directly enables T1190: Exploit Public-Facing Application, potentially leading to RCE or DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34220Same product: Mikro-Orm Mikroorm
CVE-2026-29063Shared CWE-1321
CVE-2026-24888Shared CWE-1321
CVE-2026-28794Shared CWE-1321
CVE-2026-45302Shared CWE-1321
CVE-2026-8657Shared CWE-1321
CVE-2025-61140Shared CWE-1321
CVE-2024-57077Shared CWE-1321
CVE-2026-35209Shared CWE-1321
CVE-2026-33994Shared CWE-1321

Affected Assets

mikro-orm
mikroorm
≤ 6.6.10 · 7.0.0 — 7.0.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Mandates timely identification, reporting, and patching of the prototype pollution flaw in MikroORM versions prior to 6.6.10 and 7.0.6 to prevent exploitation.

prevent

Requires validation of attacker-controlled inputs to block special keys like __proto__, constructor, or prototype that trigger pollution during object merging.

detect

Facilitates vulnerability scanning to identify systems running vulnerable MikroORM versions exposed to this prototype pollution issue.

References