MikroORM 7.0.13 SQL Injection Enables Arbitrary Database Access in Node.js Applications
What Happened — A newly disclosed SQL‑injection flaw (CVE‑2026‑44680) in MikroORM 7.0.13 and earlier allows an attacker to inject malicious JSON‑path keys, break out of the JSON context, and execute arbitrary SQL statements. Public exploit code shows data extraction via a crafted POST to an API endpoint.
Why It Matters for TPRM —
- SaaS and cloud‑native services that embed MikroORM can unintentionally expose customer data.
- The vulnerability propagates through the software supply chain, affecting any downstream vendor that re‑uses the library.
- Regulatory fallout is possible if personal or financial records are exfiltrated.
Who Is Affected — Technology‑SaaS firms, cloud‑infrastructure providers, FinTech platforms, and any organization that outsources development to vendors using the vulnerable ORM versions.
Recommended Actions —
- Inventory all third‑party applications and services that depend on
@mikro-orm/knex≤ 6.6.13 or@mikro-orm/sql≤ 7.0.13. - Upgrade to the patched releases (≥ 7.0.14 / ≥ 6.6.14) or apply the vendor’s mitigation guidance.
- Conduct targeted code reviews of any
jsonColumnqueries that accept user‑controlled keys. - Update your TPRM register to reflect remediation status and require proof of patch from affected vendors.
Technical Notes — The flaw originates from improper escaping of runtime‑controlled JSON path keys when MikroORM builds JSON_EXTRACT queries. An attacker can craft a payload such as $.x' ) OR 1=1 UNION SELECT … -- to execute UNION SELECT statements and retrieve arbitrary database information. The issue affects both Docker‑based and Debian Bookworm deployments running Node.js 18 with MariaDB 10.x. No prior CVE existed; the advisory is linked to CVE‑2026‑44680. Source: https://www.exploit-db.com/exploits/52600