MikroORM's identifier-quoting helper (Platform.quoteIdentifier and the postgres/mssql overrides) and its JSON-path emitters (Platform.getSearchJsonPropertyKey, quoteJsonKey) did not properly escape characters that delimit the SQL identifier or string-literal context they emit into. When application code passes attacker-influenced strings to public ORM APIs that expect an identifier or a JSON-property filter, an attacker can break out of the quoted context and inject arbitrary SQL.
The vulnerability is reachable when application code passes an attacker-influenced string to any of the following documented APIs:
schema option — em.fork({ schema }), qb.withSchema(name), wrap(entity).setSchema(name), em.create(Cls, data, { schema }). The schema name is concatenated into the SQL identifier and never had its dialect quote character escaped.em.find / qb.where JSON-property filters — em.find(Entity, { jsonCol: { [userKey]: value } }). The user-supplied JSON sub-keys cannot be validated against any metadata (JSON columns are schemaless by design), and were spliced into the SQL string literal of the JSON path expression without escaping.qb.where / qb.orderBy / qb.groupBy / qb.having / qb.select keys — keys containing . or :: bypassed the structured-where metadata validator in CriteriaNode, then flowed through the same broken quoteIdentifier. Apps that forwarded raw filter keys from request input were already broken on authorization grounds (e.g. { isAdmin: true }); the SQL injection here is a defence-in-depth failure on top of that.The vulnerability does not affect documented escape-hatch APIs (raw(), the sql tagged template, qb.raw(), em.raw()) — those are documented as accepting raw SQL and are the application's responsibility to sanitize.
All SQL dialects supported by MikroORM. The identifier-quoting bug exists in every dialect's quoteIdentifier (the dialect's own quote character — backtick, double quote, or right bracket — was not doubled when embedded in the identifier). The JSON-path bug exists in all dialects' getSearchJsonPropertyKey/quoteJsonKey.
MongoDB driver is not affected (no SQL).
Patches:
* Identifier quoting: #7653 (master) / #7654 (6.x)
* JSON-path keys: #7656 (master) / #7657 (6.x)
If users cannot upgrade immediately:
em.fork({ schema }) / wrap().setSchema() / qb.withSchema(): validate the schema name against a strict allowlist (e.g. ^[A-Za-z_][\w$]*$) before passing it to MikroORM.where / orderBy filters from request input: validate every key against the entity's known properties before constructing the filter; do not pass keys containing . or :: from user input.^[a-zA-Z_][\w]*$) before passing it to em.find.Reported and patched by Martin Adámek (project maintainer) during an internal security review.
| Score | Percentile |
|---|---|
| 0.78% | 74.05% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 7.6 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-cfw5-68c4-ffqp ↗ |
| CVE | CVE-2026-44680 ↗ |
| CWE id | Name |
|---|---|
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| npm | @mikro-orm/sql | <= 7.0.13 | 7.0.14 | — |
| npm | @mikro-orm/knex | <= 6.6.13 | 6.6.14 | — |