Cyber Resilience

CVE-2026-39356

Severity: High
Published: 07 April 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: available (see Deeper analysis)
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0002 (4.5th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-39356 is a high-severity SQL Injection (CWE-89) vulnerability in Drizzle ORM. Its CVSS base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score of 0.0002 places it at the 4.5th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-39356 affects Drizzle ORM, a modern TypeScript ORM, in versions prior to 0.45.2 and 1.0.0-beta.20. The vulnerability stems from improper escaping of quoted SQL identifiers in the dialect-specific escapeName() implementations: an identifier delimiter embedded in the name (a double quote for dialects that quote with double quotes, a backtick for dialects that quote with backticks) was not escaped before the name was wrapped in that delimiter. The defect is in identifier quoting, not in value binding, so an application is exposed only where attacker-controlled input reaches an API that constructs a SQL identifier or alias, such as sql.identifier() or .as(); an embedded delimiter in that input closes the quoted identifier early and the remainder is parsed as SQL.

The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating it is exploitable over the network with low complexity and requires no privileges or user interaction. A remote attacker who can reach such an API supplies a string containing the delimiter, terminates the quoted identifier, and injects arbitrary SQL, which the vector scores as a confidentiality impact (unauthorized data disclosure). Whether injected statements can also modify or destroy data is not captured by the vector and depends on what the application's database role is permitted to do.

The GitHub security advisory for Drizzle ORM states that the issue is fixed in versions 0.45.2 and 1.0.0-beta.20 and recommends upgrading to those releases. Upgrading removes the delimiter-escaping defect; it remains good practice to allowlist any user-supplied table or column name before it reaches an identifier API, since a correctly quoted identifier is still whatever string the caller passed in.
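The escaping defect described above, and the input validation that SI-10 calls for under Mitigating Controls, as an added example. This is illustrative code written for this page, not Drizzle ORM's source: escapeNameVulnerable() and escapeNameFixed() model the behaviour the advisory describes for two delimiter styles, selectWithAlias() stands in for an application's .as() path, assertAllowedIdentifier() and aliasFromUntrustedInput() are assumed helper names, and the malicious alias string is constructed for the demonstration.

```typescript
// Added illustration for CVE-2026-39356; not Drizzle ORM source.
// Models the escapeName() defect for two identifier delimiters, the
// corrected escaping, and the allowlist check an application should run
// before any untrusted string reaches sql.identifier() or .as().
// All function names here are assumed for the example.

type Dialect = "pg" | "mysql";

// Identifier delimiter per dialect: double quotes for PostgreSQL (and
// SQLite), backticks for MySQL.
const DELIM: Record<Dialect, string> = { pg: '"', mysql: "`" };

// Vulnerable behaviour as the advisory describes it: wrap the name in the
// delimiter without escaping a delimiter that is embedded in the name.
function escapeNameVulnerable(name: string, dialect: Dialect): string {
  const d = DELIM[dialect];
  return d + name + d;
}

// Corrected behaviour: double every embedded delimiter before wrapping.
// A doubled delimiter is how SQL represents that character inside a quoted
// identifier, so the quoted token can no longer be closed early.
function escapeNameFixed(name: string, dialect: Dialect): string {
  const d = DELIM[dialect];
  return d + name.split(d).join(d + d) + d;
}

type Escaper = (name: string, dialect: Dialect) => string;

// Stand-in for an application's alias path (a column .as(userInput)):
// builds the query text with whichever escaper is supplied.
function selectWithAlias(column: string, alias: string, dialect: Dialect, escape: Escaper): string {
  return "SELECT " + escape(column, dialect) + " AS " + escape(alias, dialect) + " FROM users";
}

// Constructed attacker input for the double-quote dialect: the embedded quote
// closes the alias, the rest is parsed as SQL, and "--" comments out the tail.
const MALICIOUS_ALIAS = 'x" FROM users; DROP TABLE users; --';

// Allowlist check (SI-10 style input validation for this bug class): only
// names the application already knows may become identifiers, so untrusted
// input never reaches the escaper, patched or not.
function assertAllowedIdentifier(name: string, allowed: readonly string[]): string {
  if (allowed.indexOf(name) === -1) {
    throw new Error("identifier not in allowlist: " + JSON.stringify(name));
  }
  return name;
}

// Renders the same query through the vulnerable and the fixed escaper.
function demo(): { vulnerable: string; fixed: string } {
  return {
    vulnerable: selectWithAlias("email", MALICIOUS_ALIAS, "pg", escapeNameVulnerable),
    fixed: selectWithAlias("email", MALICIOUS_ALIAS, "pg", escapeNameFixed),
  };
}

// Validates a user-chosen alias against known names before quoting it.
function aliasFromUntrustedInput(userAlias: string): string {
  const KNOWN_ALIASES: readonly string[] = ["email", "display_name", "created"];
  return escapeNameFixed(assertAllowedIdentifier(userAlias, KNOWN_ALIASES), "pg");
}

const out = demo();
console.log("vulnerable: " + out.vulnerable);
console.log("fixed:      " + out.fixed);
```

In the vulnerable rendering the alias ends at the attacker's first quote and the statement continues with `FROM users; DROP TABLE users;`, with the original trailing `" FROM users` hidden behind the comment marker. In the fixed rendering the whole attacker string is one quoted identifier with an unusual name and the query shape is unchanged. The allowlist makes the distinction moot: the malicious alias is rejected before any escaper sees it.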


Vulnerability details

Drizzle is a modern TypeScript ORM. Prior to 0.45.2 and 1.0.0-beta.20, Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName() implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or backticks. As a result, applications that pass attacker-controlled input to APIs that construct SQL identifiers or aliases, such as sql.identifier(), .as(), may allow an attacker to terminate the quoted identifier and inject SQL. This vulnerability is fixed in 0.45.2 and 1.0.0-beta.20.

CWE(s)

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The SQL injection vulnerability in Drizzle ORM is reachable remotely wherever a public-facing application forwards unsanitized input to the identifier/alias APIs, which matches T1190 as an initial-access technique with data disclosure as the scored impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-39334 (shared CWE-89)
CVE-2024-13488 (shared CWE-89)
CVE-2026-20002 (shared CWE-89)
CVE-2025-1446 (shared CWE-89)
CVE-2025-22699 (shared CWE-89)
CVE-2026-36232 (shared CWE-89)
CVE-2026-31871 (shared CWE-89)
CVE-2026-33078 (shared CWE-89)
CVE-2026-46359 (shared CWE-89)
CVE-2025-22691 (shared CWE-89)

Affected Assets

Vendor: drizzle
Product: drizzle (Drizzle ORM)
Affected versions: releases before 0.45.2, and 1.0.0 pre-releases before 1.0.0-beta.20 (0.45.2 and 1.0.0-beta.20 are the fixed versions)

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-2 (Flaw Remediation) requires timely identification, reporting, and correction of system flaws, directly addressing this SQL injection vulnerability by mandating upgrades to patched Drizzle ORM versions 0.45.2 or 1.0.0-beta.20.

Prevent: SI-10 (Information Input Validation) mandates information input validation and error handling, preventing SQL injection by ensuring attacker-controlled inputs to Drizzle APIs like sql.identifier() or .as() are validated before processing.

Detect: RA-5 (Vulnerability Monitoring and Scanning) requires vulnerability scanning to identify affected Drizzle ORM versions in the system, enabling detection and prioritization of remediation for this specific flaw.
