CVE-2026-27953: ormar Pydantic Validation Bypass via __pk_only__ and __excluded__ Kwargs Injection in Model Constructor
A Pydantic validation bypass in ormar's model constructor allows any client that can submit a JSON request body to an endpoint typed on an ormar model to skip all field validation (type checks, constraints, @field_validator/@model_validator decorators, choices enforcement, and required-field checks) by injecting "__pk_only__": true into the body. The constructor treats this key as an internal flag rather than as user data, so the remaining fields are accepted as-is and the unvalidated data is then persisted to the database. No authentication is involved in the bypass itself. The affected pattern is the canonical usage recommended in ormar's official documentation and the fastapi_quick_start example: accepting the ORM model directly as the request body. The fix commit and the 0.23.1 release are listed in the references below.
A secondary __excluded__ injection abuses the same mechanism: supplying "__excluded__" with a list of field names during construction causes those fields to be selectively nullified, regardless of what the request body set them to.
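The bypass above works because a request body is handed straight to a constructor that reserves certain double-underscore keyword names for internal use. The primary remedy is the patched release; as defence in depth, a practitioner will also want a transport-level check that refuses any such key before the body reaches the model. The following is an added example written for this page, not ormar's own code and not part of the advisory: a stdlib-only parser that walks the decoded JSON recursively (so a key smuggled inside a nested related-object payload is caught as well) and rejects the request if any object key begins with "__". The field names in the constructed payloads loosely mirror the Item/Category shape of the quick-start example but are assumptions for illustration only.

```python
"""Refuse constructor-reserved kwargs (e.g. __pk_only__, __excluded__) in JSON request bodies.

Added example, not ormar's code. Runs on the standard library only; the sample
bodies below are constructed for illustration.
"""
import json
from typing import Any, Iterator


def dunder_keys(node: Any, path: str = "") -> Iterator[str]:
    """Yield a JSON-pointer style path for every object key that starts with '__'.

    Recurses through nested objects and arrays, so {"category": {"__pk_only__": true}}
    is reported as '/category/__pk_only__' rather than slipping past a top-level check.
    """
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}/{key}"
            if isinstance(key, str) and key.startswith("__"):
                yield child
            yield from dunder_keys(value, child)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from dunder_keys(value, f"{path}/{index}")


class ReservedKeyError(ValueError):
    """Raised when a request body carries keys reserved by a model constructor."""


def parse_body(raw: bytes) -> dict:
    """Decode a JSON request body and refuse reserved keys at any depth.

    Call this before constructing any model from the payload; on success the
    returned dict contains no key beginning with '__' anywhere in the tree.
    """
    try:
        payload = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"malformed JSON: {exc}") from exc
    if not isinstance(payload, dict):
        raise ValueError("request body must be a JSON object")
    hits = list(dunder_keys(payload))
    if hits:
        raise ReservedKeyError(f"reserved keys in request body: {hits}")
    return payload


def classify(raw: bytes) -> str:
    """Return 'rejected' if the body carries reserved keys, else 'accepted'."""
    try:
        parse_body(raw)
    except ReservedKeyError:
        return "rejected"
    return "accepted"


# Constructed attack payload (assumed field names): top-level __pk_only__ to skip
# validation of an over-long name, plus __excluded__ nested in a related object.
ATTACK_BODY = json.dumps({
    "name": "x" * 500,
    "__pk_only__": True,
    "category": {"name": "tools", "__excluded__": ["name"]},
}).encode()

# Constructed benign payload with the same shape and no reserved keys.
BENIGN_BODY = b'{"name": "widget", "category": {"name": "tools"}}'


if __name__ == "__main__":
    print(list(dunder_keys(json.loads(ATTACK_BODY))))
    print(classify(ATTACK_BODY), classify(BENIGN_BODY))
```

Wire parse_body in where the framework hands you the raw body (a FastAPI dependency or middleware, for example) and build the model from its return value. Rejecting on the "__" prefix rather than on the two names the advisory lists is deliberate: it also covers any other internal kwargs the constructor may honour. As a matter of general practice, not something this page states, the structural fix is to type request bodies on a dedicated input schema with extra fields forbidden and to copy validated values into the ORM model, so that constructor internals are never reachable from the wire.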
References
- github.com/advisories/GHSA-f964-whrq-44h8
- github.com/ormar-orm/ormar
- github.com/ormar-orm/ormar/blob/master/examples/fastapi_quick_start.py
- github.com/ormar-orm/ormar/blob/master/ormar/fields/foreign_key.py
- github.com/ormar-orm/ormar/blob/master/ormar/models/helpers/pydantic.py
- github.com/ormar-orm/ormar/blob/master/ormar/models/model.py
- github.com/ormar-orm/ormar/blob/master/ormar/models/newbasemodel.py
- github.com/ormar-orm/ormar/commit/7f22aa21a7614b993970345b392dabb0ccde0ab3
- github.com/ormar-orm/ormar/releases/tag/0.23.1
- github.com/ormar-orm/ormar/security/advisories/GHSA-f964-whrq-44h8
- nvd.nist.gov/vuln/detail/CVE-2026-27953