CVE-2026-39356
Published: 07 April 2026
Summary
CVE-2026-39356 is a high-severity SQL Injection (CWE-89) vulnerability in Drizzle ORM. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 4.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-39356 affects Drizzle ORM, a modern TypeScript ORM, in versions prior to 0.45.2 and 1.0.0-beta.20. The vulnerability stems from improper escaping of quoted SQL identifiers in dialect-specific escapeName() implementations, where embedded identifier delimiters were not escaped before wrapping the identifier in quotes or backticks. This flaw enables SQL injection when applications pass attacker-controlled input to APIs that construct SQL identifiers or aliases, such as sql.identifier() or .as().
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating it is exploitable over the network with low complexity, requiring no privileges or user interaction. Remote attackers can exploit it by supplying malicious input to affected APIs, allowing them to prematurely terminate the quoted identifier and inject arbitrary SQL, potentially leading to unauthorized data disclosure.
The GitHub security advisory for Drizzle ORM states that the issue is fixed in versions 0.45.2 and 1.0.0-beta.20, recommending that users upgrade to these patched releases to mitigate the vulnerability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-19909
Vulnerability details
Drizzle is a modern TypeScript ORM. Prior to 0.45.2 and 1.0.0-beta.20, Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName() implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or backticks. As a result, applications that pass attacker-controlled input to APIs that construct SQL identifiers or aliases, such as sql.identifier() or .as(), may allow an attacker to terminate the quoted identifier and inject SQL. This vulnerability is fixed in 0.45.2 and 1.0.0-beta.20.
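The following is an added illustration of the defect class described above; it is not Drizzle ORM's own escapeName() code. It assumes two dialect delimiters (double quotes for PostgreSQL-style identifiers, backticks for MySQL-style) and uses a constructed, benign name containing an embedded delimiter to show why wrapping without escaping lets the quoted identifier close early, and why doubling the delimiter (the standard SQL escape for quoted identifiers) keeps it as a single token.

```typescript
// Added example, not code from Drizzle ORM.
// Assumed dialect delimiters: "..." for pg-style, `...` for mysql-style.
type Dialect = "pg" | "mysql";
const DELIM: Record<Dialect, string> = { pg: '"', mysql: "`" };

// The vulnerable pattern the advisory describes: wrap the name in the
// delimiter without escaping delimiters already embedded in it.
export function escapeNameVulnerable(name: string, dialect: Dialect): string {
  const q = DELIM[dialect];
  return q + name + q;
}

// Hardened form: every embedded delimiter is doubled, so the identifier
// can never be terminated by its own content.
export function escapeNameFixed(name: string, dialect: Dialect): string {
  const q = DELIM[dialect];
  return q + name.split(q).join(q + q) + q;
}

// Small tokenizer used as a regression check: counts how many separate
// quoted-identifier tokens a rendered fragment contains. A correctly
// escaped single identifier must always count as exactly one token.
export function countIdentifierTokens(fragment: string, dialect: Dialect): number {
  const q = DELIM[dialect];
  let count = 0;
  let i = 0;
  while (i < fragment.length) {
    if (fragment[i] !== q) { i++; continue; }
    i++; // opening delimiter
    while (i < fragment.length) {
      if (fragment[i] === q) {
        if (fragment[i + 1] === q) { i += 2; continue; } // doubled delimiter stays inside
        i++; // closing delimiter
        break;
      }
      i++;
    }
    count++;
  }
  return count;
}

// Renders a select with an alias through whichever escaper is supplied,
// mirroring the .as() / sql.identifier() usage pattern named in the advisory.
export function renderSelectAs(
  column: string,
  alias: string,
  dialect: Dialect,
  escape: (n: string, d: Dialect) => string,
): string {
  return `select ${escape(column, dialect)} as ${escape(alias, dialect)} from t`;
}

// Constructed sample input: a plausible name with an embedded delimiter.
const SAMPLE_ALIAS = 'o"reilly';
console.log(renderSelectAs("name", SAMPLE_ALIAS, "pg", escapeNameVulnerable));
console.log(renderSelectAs("name", SAMPLE_ALIAS, "pg", escapeNameFixed));
```

The token count is the property a unit test should pin down for every dialect's escaper: for any input string, `countIdentifierTokens(escapeName(input))` must equal 1. The vulnerable version fails that check as soon as the input contains the delimiter.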
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SQL injection vulnerability in the Drizzle ORM directly enables remote exploitation of public-facing applications via unsanitized input to identifier/alias APIs, matching T1190 for initial access and data disclosure.
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely identification, reporting, and correction of system flaws, directly addressing this SQL injection vulnerability by mandating upgrades to patched Drizzle ORM versions 0.45.2 or 1.0.0-beta.20.
SI-10 mandates information input validation and error handling, preventing SQL injection by ensuring attacker-controlled inputs to Drizzle APIs like sql.identifier() or .as() are validated before processing.
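An added example of the SI-10 input-validation layer described above, not Drizzle ORM's own code: untrusted sort or column names are resolved against an allowlist of known identifiers before they ever reach an identifier-building API, so the escaper is never the only line of defence. The table name, its column set and the ORDER BY shape are assumed for illustration.

```typescript
// Added example, not code from Drizzle ORM.
// Assumed allowlist for a hypothetical "users" table.
const USERS_COLUMNS: ReadonlySet<string> = new Set(["id", "email", "created_at"]);

// Structural rule applied before the allowlist lookup: a plain, bounded
// snake_case identifier. This rejects quotes, backticks, whitespace and
// comment sequences outright, independent of how the escaper behaves.
const PLAIN_IDENTIFIER = /^[a-z_][a-z0-9_]{0,62}$/;

// Returns the validated column name, or null when the input is not a string,
// not a plain identifier, or not a known column.
export function resolveColumn(input: unknown, allowed: ReadonlySet<string>): string | null {
  if (typeof input !== "string") return null;
  if (!PLAIN_IDENTIFIER.test(input)) return null;
  return allowed.has(input) ? input : null;
}

// Builds an ORDER BY clause from a request parameter. Unknown or malformed
// input falls back to a fixed default instead of being quoted through.
export function buildOrderBy(sortParam: unknown, direction: unknown): string {
  const column = resolveColumn(sortParam, USERS_COLUMNS) ?? "id";
  const dir = direction === "desc" ? "desc" : "asc";
  return `order by "${column}" ${dir}`;
}

// Constructed sample request parameters, as a query-string parser would yield them.
const SAMPLE_PARAMS: Record<string, unknown> = { sort: "email", dir: "desc" };
console.log(buildOrderBy(SAMPLE_PARAMS.sort, SAMPLE_PARAMS.dir));
```

The allowlist lookup is the control that matters; the regular expression is only a cheap pre-filter that makes rejected input obvious in logs. Treat a null from resolveColumn() as a signal worth recording, since legitimate clients only send column names the application itself advertises.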
RA-5 requires vulnerability scanning to identify affected Drizzle ORM versions in the system, enabling detection and prioritization of remediation for this specific flaw.