CVE-2026-27953 ormar has a Pydantic Validation Bypass via Kwargs Injection in Model Constructor

ormar is a async mini ORM for Python. Versions 0.23.0 and below are vulnerable to Pydantic validation bypass through the model constructor, allowing any unauthenticated user to skip all field validation by injecting "pkonly": true into a JSON request body. By injecting "pkonly": true into a JSON...

CVE-2026-27953 ormar has a Pydantic Validation Bypass via Kwargs Injection in Model Constructor

ormar is a async mini ORM for Python. Versions 0.23.0 and below are vulnerable to Pydantic validation bypass through the model constructor, allowing any unauthenticated user to skip all field validation by injecting "pkonly": true into a JSON request body. By injecting "pkonly": true into a JSON...

EUVD-2026-13198

ormar Pydantic Validation Bypass via pkonly and excluded Kwargs Injection in Model Constructor...

GHSA-F964-WHRQ-44H8 ormar Pydantic Validation Bypass via __pk_only__ and __excluded__ Kwargs Injection in Model Constructor

Summary A Pydantic validation bypass in ormar's model constructor allows any unauthenticated user to skip all field validation — type checks, constraints, @fieldvalidator/@modelvalidator decorators, choices enforcement, and required-field checks — by injecting "pkonly": true into a JSON request...

py-ormar -- vulnerabilities

https://github.com/ormar-orm/ormar/security/advisories reports: SQL Injection in aggregate functions min and max Pydantic Validation Bypass via pkonly and excluded Kwargs Injection in Model Constructor...