Critical SQL injection fixed in MikroORM query construction
TL;DR — A Critical SQL injection in MikroORM can occur when attacker-controlled objects are misclassified as raw SQL fragments, turning an ordinary ORM write into an injection point.
What happened
MikroORM is a TypeScript ORM for Node.js that provides a Data Mapper / Unit of Work style API for building and executing database queries.
CVE-2026-34220 reports a Critical SQL injection risk where specially crafted objects can be interpreted as raw SQL query fragments. If untrusted input is passed into MikroORM query construction / write APIs in a way that reaches this object handling path, an attacker may be able to inject SQL depending on the database backend and the specific query shape.
The CVE record reports CVSS v4.0 base score 9.3 (Critical). SQLi in ORM layers is a high-impact, high-blast-radius failure mode because it hides behind developer ergonomics that feel “safe-by-default” and can be reached through common object assignment/merge patterns.
Who is impacted
- Projects using mikro-orm < 6.6.10, or >= 7.0.0-rc.0, < 7.0.6.
- Highest risk: applications that pass user-controlled objects into ORM write/query construction flows without strict schema validation.
| Component | Affected versions (per CVE record) | Patched versions (per CVE record) |
|---|---|---|
| mikro-orm | < 6.6.10 | 6.6.10 |
| mikro-orm | >= 7.0.0-rc.0, < 7.0.6 | 7.0.6 |
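To turn the table above into a check you can run against a lockfile, here is an added example (not MikroORM project code) that classifies a version string against the two affected ranges from the CVE record, with pre-release precedence handled so that 7.0.0-rc.0 sorts below 7.0.0, and then scans a package-lock.json `packages` map for every `@mikro-orm/*` entry, including nested copies. It assumes the installed packages are the `@mikro-orm/*` npm packages, that they carry the MikroORM release version, and that the lockfile is version 2 or 3; the lockfile content is constructed for the demonstration.

```typescript
// Added example (not MikroORM project code): classify installed MikroORM versions
// against the affected ranges from the CVE record, and scan an npm lockfile for them.
// Assumptions: the ranges "< 6.6.10" and ">= 7.0.0-rc.0, < 7.0.6" from the advisory,
// a package-lock.json v2/v3 "packages" map, and that the @mikro-orm/* packages carry
// the MikroORM release version.

type SemVer = { major: number; minor: number; patch: number; pre: (string | number)[] | null };

function parseSemVer(raw: string): SemVer {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(raw.trim());
  if (!m) throw new Error(`not a semver string: ${raw}`);
  // Pre-release identifiers compare numerically when numeric, otherwise lexically.
  const pre = m[4] ? m[4].split('.').map((p) => (/^\d+$/.test(p) ? Number(p) : p)) : null;
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), pre };
}

// Semantic-versioning precedence: core triple first, then pre-release rules
// (a release outranks every pre-release of the same triple).
function compareSemVer(a: SemVer, b: SemVer): number {
  if (a.major !== b.major) return a.major < b.major ? -1 : 1;
  if (a.minor !== b.minor) return a.minor < b.minor ? -1 : 1;
  if (a.patch !== b.patch) return a.patch < b.patch ? -1 : 1;
  if (a.pre === null && b.pre === null) return 0;
  if (a.pre === null) return 1;
  if (b.pre === null) return -1;
  const n = Math.max(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    const x = a.pre[i];
    const y = b.pre[i];
    if (x === undefined) return -1; // fewer identifiers sorts lower
    if (y === undefined) return 1;
    if (x === y) continue;
    if (typeof x === 'number' && typeof y === 'number') return x < y ? -1 : 1;
    if (typeof x === 'number') return -1; // numeric identifiers sort below alphanumeric ones
    if (typeof y === 'number') return 1;
    return x < y ? -1 : 1;
  }
  return 0;
}

// Affected ranges as stated in the CVE record: [lo, hi), with lo omitted for the first range.
// The ranges are applied literally, so a pre-release of a boundary version (e.g. 6.6.10-rc.1)
// counts as below that boundary.
const AFFECTED_RANGES: { lo: string | null; hi: string }[] = [
  { lo: null, hi: '6.6.10' },
  { lo: '7.0.0-rc.0', hi: '7.0.6' },
];

function isAffectedMikroOrmVersion(version: string): boolean {
  const v = parseSemVer(version);
  return AFFECTED_RANGES.some(
    (r) =>
      (r.lo === null || compareSemVer(v, parseSemVer(r.lo)) >= 0) &&
      compareSemVer(v, parseSemVer(r.hi)) < 0,
  );
}

type LockHit = { path: string; version: string; affected: boolean };

// Walk a package-lock.json (lockfileVersion 2 or 3) and report every @mikro-orm/* entry,
// including nested copies under workspace or transitive node_modules directories.
function scanLockfile(lockJson: string): LockHit[] {
  const lock = JSON.parse(lockJson) as { packages?: Record<string, { version?: string }> };
  const packages = lock.packages ?? {};
  const hits: LockHit[] = [];
  for (const path of Object.keys(packages)) {
    const version = packages[path]?.version;
    if (!version || !/(^|\/)node_modules\/@mikro-orm\/[^/]+$/.test(path)) continue;
    hits.push({ path, version, affected: isAffectedMikroOrmVersion(version) });
  }
  return hits;
}

// Constructed lockfile fragment for the demonstration (not a real project's lockfile).
const SAMPLE_LOCK = JSON.stringify({
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/@mikro-orm/core': { version: '6.6.9' },
    'node_modules/@mikro-orm/postgresql': { version: '6.6.9' },
    'services/worker/node_modules/@mikro-orm/core': { version: '7.0.6' },
    'node_modules/knex': { version: '3.1.0' },
  },
});

for (const hit of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${hit.affected ? 'AFFECTED' : 'ok      '} ${hit.version} ${hit.path}`);
}
```

Run it against the real lockfile by replacing `SAMPLE_LOCK` with the file contents; built artifacts (bundles, container images) need a separate check because they may pin a different copy than the repository lockfile.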
What to do now
- Follow vendor remediation guidance and apply a patched release.
- Vendor statement: "This issue has been patched in versions 6.6.10 and 7.0.6."
- Inventory where MikroORM is deployed (services, jobs, CLIs) and identify the installed versions from lockfiles and built artifacts.
- Audit input boundaries:
  - Identify code paths where request/tenant/user-controlled objects are passed into ORM assignment/merge or “native” query APIs.
  - Add strict schema validation (and reject unexpected object shapes/keys) before data reaches persistence-layer calls.
- If compromise is suspected, use your existing incident response playbooks for potential SQL injection exposure: review application logs for anomalous query patterns and rotate credentials accessible to impacted services.
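The "strict schema validation" step above is the control that keeps a crafted object from ever reaching the ORM's object-handling path. The following is an added example, not MikroORM project code, of an allow-list validator placed between the request body and any assignment/merge or write call: it accepts only a plain JSON object, only keys named in a per-endpoint schema, and only scalar values of the declared type, and it rejects (rather than silently drops) everything else, including nested objects, unknown keys and an own `__proto__` key. The schema, the `PayloadRejected` error, the sample request bodies and the `em.assign(entity, data)` call shown in the comments are assumptions made for the illustration.

```typescript
// Added example (not MikroORM project code): an allow-list validator that sits between
// request input and any ORM assign/merge or write call. The schema, the PayloadRejected
// error and the sample payloads are constructed for this illustration.

type FieldSpec = { type: 'string' | 'number' | 'boolean'; maxLength?: number; optional?: boolean };
type Schema = Record<string, FieldSpec>;
type Scalar = string | number | boolean;

class PayloadRejected extends Error {
  constructor(message: string) {
    super(message);
    this.name = 'PayloadRejected';
  }
}

// Hypothetical "update profile" endpoint: only these scalar fields may be written.
const UPDATE_PROFILE_SCHEMA: Schema = {
  displayName: { type: 'string', maxLength: 64 },
  bio: { type: 'string', maxLength: 500, optional: true },
  newsletter: { type: 'boolean', optional: true },
};

const hasOwn = (obj: object, key: string): boolean => Object.prototype.hasOwnProperty.call(obj, key);

function isPlainObject(value: unknown): value is Record<string, unknown> {
  if (typeof value !== 'object' || value === null || Array.isArray(value)) return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Returns a fresh object containing only allow-listed scalar fields. Anything else
// (unknown keys, nested objects or arrays, wrong types, oversized strings) is rejected
// outright rather than silently dropped, so a crafted object never reaches the ORM.
function validatePayload(input: unknown, schema: Schema): Record<string, Scalar> {
  if (!isPlainObject(input)) throw new PayloadRejected('payload must be a plain JSON object');
  const out: Record<string, Scalar> = {};
  for (const key of Object.keys(input)) {
    // Own-property lookup: a plain schema[key] would find inherited names such as "__proto__".
    if (!hasOwn(schema, key)) throw new PayloadRejected(`unexpected key "${key}"`);
    const spec = schema[key];
    const value = input[key];
    // typeof never yields 'string' | 'number' | 'boolean' for objects, arrays or functions,
    // so nested structures fail here whatever their shape.
    if (typeof value !== spec.type) throw new PayloadRejected(`key "${key}": expected ${spec.type}`);
    if (spec.type === 'number' && !Number.isFinite(value as number)) {
      throw new PayloadRejected(`key "${key}": not a finite number`);
    }
    if (spec.type === 'string' && spec.maxLength !== undefined && (value as string).length > spec.maxLength) {
      throw new PayloadRejected(`key "${key}": longer than ${spec.maxLength}`);
    }
    out[key] = value as Scalar;
  }
  for (const key of Object.keys(schema)) {
    if (!schema[key].optional && !hasOwn(out, key)) throw new PayloadRejected(`missing required key "${key}"`);
  }
  return out;
}

// Convenience for tests and logging: the rejection reason, or null when the payload passes.
function rejectionReason(input: unknown, schema: Schema): string | null {
  try {
    validatePayload(input, schema);
    return null;
  } catch (e) {
    if (e instanceof Error && e.name === 'PayloadRejected') return e.message;
    throw e;
  }
}

// Constructed request bodies, as a JSON body parser would produce them.
const ACCEPTED_BODY = JSON.parse('{"displayName":"Ada","newsletter":true}');
const NESTED_BODY = JSON.parse('{"displayName":{"anything":"goes"}}');          // object where a scalar is expected
const EXTRA_KEY_BODY = JSON.parse('{"displayName":"Ada","role":"admin"}');       // key outside the allow-list
const PROTO_KEY_BODY = JSON.parse('{"displayName":"Ada","__proto__":{"x":1}}'); // own "__proto__" key from JSON.parse

// Where the check sits in a handler. The ORM call is shown as a comment because this file
// does not import MikroORM; em.assign(entity, data) is the assumed assignment API.
//   const data = validatePayload(req.body, UPDATE_PROFILE_SCHEMA);   // hardened
//   em.assign(user, data);
// instead of the risky pattern
//   em.assign(user, req.body);   // request-controlled object shape reaches the ORM

for (const body of [ACCEPTED_BODY, NESTED_BODY, EXTRA_KEY_BODY, PROTO_KEY_BODY]) {
  console.log(rejectionReason(body, UPDATE_PROFILE_SCHEMA) ?? 'accepted');
}
```

The design choice worth noting is that unknown keys are a hard error, not a filter: silently dropping them hides probing attempts from your logs, whereas a rejection is a cheap detection signal to alert on. Relations and nested writes should get their own explicit schema and their own validation call rather than a relaxed rule that lets arbitrary objects through.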
