HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

MikroORM 7.0.13 SQL Injection (CVE‑2026‑44680) Allows Arbitrary Database Access in Node.js Apps

A critical SQL‑injection flaw (CVE‑2026‑44680) in MikroORM versions up to 7.0.13 lets attackers inject malicious JSON‑path keys and run arbitrary SQL, risking data exposure for SaaS and cloud providers that embed the library.

LiveThreat™ Intelligence · 📅 May 30, 2026· 📰 exploit-db.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
4 recommended
📰
Source
exploit-db.com

MikroORM 7.0.13 SQL Injection Enables Arbitrary Database Access in Node.js Applications

What Happened — A newly disclosed SQL‑injection flaw (CVE‑2026‑44680) in MikroORM 7.0.13 and earlier allows an attacker to inject malicious JSON‑path keys, break out of the JSON context, and execute arbitrary SQL statements. Public exploit code shows data extraction via a crafted POST to an API endpoint.

Why It Matters for TPRM

  • SaaS and cloud‑native services that embed MikroORM can unintentionally expose customer data.
  • The vulnerability propagates through the software supply chain, affecting any downstream vendor that re‑uses the library.
  • Regulatory fallout is possible if personal or financial records are exfiltrated.

Who Is Affected — Technology‑SaaS firms, cloud‑infrastructure providers, FinTech platforms, and any organization that outsources development to vendors using the vulnerable ORM versions.

Recommended Actions

  • Inventory all third‑party applications and services that depend on @mikro-orm/knex ≤ 6.6.13 or @mikro-orm/sql ≤ 7.0.13.
  • Upgrade to the patched releases (≥ 7.0.14 / ≥ 6.6.14) or apply the vendor’s mitigation guidance.
  • Conduct targeted code reviews of any jsonColumn queries that accept user‑controlled keys.
  • Update your TPRM register to reflect remediation status and require proof of patch from affected vendors.

Technical Notes — The flaw originates from improper escaping of runtime‑controlled JSON path keys when MikroORM builds JSON_EXTRACT queries. An attacker can craft a payload such as $.x' ) OR 1=1 UNION SELECT … -- to execute UNION SELECT statements and retrieve arbitrary database information. The issue affects both Docker‑based and Debian Bookworm deployments running Node.js 18 with MariaDB 10.x. No prior CVE existed; the advisory is linked to CVE‑2026‑44680. Source: https://www.exploit-db.com/exploits/52600

📰 Original Source
https://www.exploit-db.com/exploits/52600

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · PrivacyOps · CookiePLUS

A privacy incident is a question about your consent record.

CookiePLUS and Verisq AI Trust Operations keep consent, DSAR, and data-handling evidence continuously ready — so a data-exposure event finds you prepared, not scrambling.

See how Verisq AI Trust Operations handles privacy →