SCA: security update for ormar (GHSA-f964-whrq-44h8)

critical Tenable Cloud Security Plugin ID 439104

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- ormar is a async mini ORM for Python. Versions 0.23.0 and below are vulnerable to Pydantic validation
bypass through the model constructor, allowing any unauthenticated user to skip all field validation by
injecting "__pk_only__": true into a JSON request body. By injecting "__pk_only__": true into a JSON
request body, an unauthenticated attacker can skip all field validation and persist unvalidated data
directly to the database. A secondary __excluded__ parameter injection uses the same pattern to
selectively nullify arbitrary model fields (e.g., email or role) during construction. This affects ormar's
canonical FastAPI integration pattern recommended in its official documentation, enabling privilege
escalation, data integrity violations, and business logic bypass in any application using ormar.Model
directly as a request body parameter. This issue has been fixed in version 0.23.1. (CVE-2026-27953)

Solution

Update the ormar library and its related packages to version 0.23.1 or later.

See Also

https://github.com/advisories/GHSA-f964-whrq-44h8

Plugin Details

Severity: Critical

ID: 439104

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 3/21/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.88

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-27953

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/19/2026

Vulnerability Publication Date: 3/19/2026

Reference Information

CVE: CVE-2026-27953

cwe: CWE-20