Vulnerability-Lookup

CVE-2026-22814 (GCVE-0-2026-22814)

Vulnerability from cvelistv5 – Published: 2026-01-13 19:42 – Updated: 2026-01-13 19:42

Title

Mass Assignment in AdonisJS Lucid Allows Overwriting Internal ORM State

Summary

@adonisjs/lucid is an SQL ORM for AdonisJS built on top of Knex. Prior to 21.8.2 and 22.0.0-next.6, there is a Mass Assignment vulnerability in AdonisJS Lucid which may allow a remote attacker who can influence data that is passed into Lucid model assignments to overwrite the internal ORM state. This may lead to logic bypasses and unauthorized record modification within a table or model. This affects @adonisjs/lucid through version 21.8.1 and 22.x pre-release versions prior to 22.0.0-next.6. This has been patched in @adonisjs/lucid versions 21.8.2 and 22.0.0-next.6.

Severity ?

8.2 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

CWE

CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

Assigner

GitHub_M

References

URL

Tags

https://github.com/adonisjs/lucid/security/adviso…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	adonisjs	lucid	Affected: < 21.8.2 Affected: >= 22.0.0-next.0, < 22.0.0-next.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "lucid",
          "vendor": "adonisjs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 21.8.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 22.0.0-next.0, \u003c 22.0.0-next.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "@adonisjs/lucid is an SQL ORM for AdonisJS built on top of Knex. Prior to 21.8.2 and 22.0.0-next.6, there is a Mass Assignment vulnerability in AdonisJS Lucid which may allow a remote attacker who can influence data that is passed into Lucid model assignments to overwrite the internal ORM state. This may lead to logic bypasses and unauthorized record modification within a table or model. This affects @adonisjs/lucid through version 21.8.1 and 22.x pre-release versions prior to 22.0.0-next.6. This has been patched in @adonisjs/lucid versions 21.8.2 and 22.0.0-next.6."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-915",
              "description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-13T19:42:14.346Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/adonisjs/lucid/security/advisories/GHSA-g5gc-h5hp-555f",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/adonisjs/lucid/security/advisories/GHSA-g5gc-h5hp-555f"
        }
      ],
      "source": {
        "advisory": "GHSA-g5gc-h5hp-555f",
        "discovery": "UNKNOWN"
      },
      "title": "Mass Assignment in AdonisJS Lucid Allows Overwriting Internal ORM State"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-22814",
    "datePublished": "2026-01-13T19:42:14.346Z",
    "dateReserved": "2026-01-09T22:50:10.288Z",
    "dateUpdated": "2026-01-13T19:42:14.346Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-22814\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-01-13T20:16:11.427\",\"lastModified\":\"2026-01-13T20:16:11.427\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"@adonisjs/lucid is an SQL ORM for AdonisJS built on top of Knex. Prior to 21.8.2 and 22.0.0-next.6, there is a Mass Assignment vulnerability in AdonisJS Lucid which may allow a remote attacker who can influence data that is passed into Lucid model assignments to overwrite the internal ORM state. This may lead to logic bypasses and unauthorized record modification within a table or model. This affects @adonisjs/lucid through version 21.8.1 and 22.x pre-release versions prior to 22.0.0-next.6. This has been patched in @adonisjs/lucid versions 21.8.2 and 22.0.0-next.6.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-915\"}]}],\"references\":[{\"url\":\"https://github.com/adonisjs/lucid/security/advisories/GHSA-g5gc-h5hp-555f\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}

FKIE_CVE-2026-22814

Vulnerability from fkie_nvd - Published: 2026-01-13 20:16 - Updated: 2026-01-13 20:16

Severity ?

8.2 (High) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/adonisjs/lucid/security/advisories/GHSA-g5gc-h5hp-555f

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "@adonisjs/lucid is an SQL ORM for AdonisJS built on top of Knex. Prior to 21.8.2 and 22.0.0-next.6, there is a Mass Assignment vulnerability in AdonisJS Lucid which may allow a remote attacker who can influence data that is passed into Lucid model assignments to overwrite the internal ORM state. This may lead to logic bypasses and unauthorized record modification within a table or model. This affects @adonisjs/lucid through version 21.8.1 and 22.x pre-release versions prior to 22.0.0-next.6. This has been patched in @adonisjs/lucid versions 21.8.2 and 22.0.0-next.6."
    }
  ],
  "id": "CVE-2026-22814",
  "lastModified": "2026-01-13T20:16:11.427",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.2,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-13T20:16:11.427",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/adonisjs/lucid/security/advisories/GHSA-g5gc-h5hp-555f"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-915"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-G5GC-H5HP-555F

Vulnerability from github – Published: 2026-01-13 20:37 – Updated: 2026-01-13 21:41

Summary

Mass Assignment in AdonisJS Lucid Allows Overwriting Internal ORM State

Details

Summary

Description A Mass Assignment (CWE-915) vulnerability in AdonisJS Lucid may allow a remote attacker who can influence data that is passed into Lucid model assignments to overwrite the internal ORM state. This may lead to logic bypasses and unauthorized record modification within a table or model. This affects @adonisjs/lucid through version 21.8.1 and 22.x pre-release versions prior to 22.0.0-next.6. This has been patched in @adonisjs/lucid versions 21.8.2 and 22.0.0-next.6.

Details

A vulnerability in the BaseModelImpl class of @adonisjs/lucid may allow an attacker to overwrite internal class properties (such as $isPersisted, $attributes, or $isDeleted) when passing plain objects to model assignment methods.

The library relies on a this.hasOwnProperty(key) check to validate assignment targets. However, because internal ORM state properties are initialized as instance properties, they pass this check. Consequently, if an attacker can influence specific keys (like $isPersisted) into the payload passed to merge() or $consumeAdapterResult(), they can hijack the ORM's internal logic.

The exposed internal properties include: - $attributes: The raw storage for model data. - $isPersisted: Controls whether save() performs an INSERT or an UPDATE. - $original: Stores the original state of the record used to calculate changes. - $isDeleted: Prevents operations on deleted models.

This issue propagates to the entire write surface of the library, including: - Instance methods fill and merge. - Single record creation methods create, createQuietly, firstOrNew, and firstOrCreate. - Conditional updates via updateOrCreate. - Bulk operations createMany, createManyQuietly, fetchOrNewUpMany, fetchOrCreateMany, and updateOrCreateMany.

Impact

Applications are vulnerable if they pass unvalidated data or validated data that retains unknown properties to the model. This occurs because internal keys exist as instance properties, causing them to pass the hasOwnProperty check and bypass Lucid's default rejection of unknown properties.

Applications utilizing strict allow lists for input validation that discard unknown properties are not affected.

For example, if a developer passes request.all(), request.except() or a schema with allowUnknownProperties to Model.create(), the ORM's internal logic can be hijacked. Because the Model.create() > save() decision is based on $isPersisted, and merge() can assign to the own-property $isPersisted, an attacker who can inject "$isPersisted": true into the payload can force save() to take the UPDATE branch rather than the INSERT branch, while setting $attributes can bypass validators or field restrictions.

Patches

This issue has been patched in @adonisjs/lucid version 21.8.2 and 22.0.0-next.6. Please upgrade to this version or later.

Developers can mitigate this issue by strictly validating model inputs with an allow list that drops unknown keys if possible.

Severity ?

8.2 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 21.8.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@adonisjs/lucid"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "21.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@adonisjs/lucid"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "22.0.0-next.0"
            },
            {
              "fixed": "22.0.0-next.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-22814"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-13T20:37:09Z",
    "nvd_published_at": "2026-01-13T20:16:11Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n**Description**\nA Mass Assignment (CWE-915) vulnerability in AdonisJS Lucid may allow a remote attacker who can influence data that is passed into Lucid model assignments to overwrite the internal ORM state. This may lead to logic bypasses and unauthorized record modification within a table or model. This affects @adonisjs/lucid through version 21.8.1 and 22.x pre-release versions prior to 22.0.0-next.6. This has been patched in @adonisjs/lucid versions 21.8.2 and 22.0.0-next.6.\n\n### Details\nA vulnerability in the `BaseModelImpl` class of `@adonisjs/lucid` may allow an attacker to overwrite internal class properties (such as `$isPersisted`, `$attributes`, or `$isDeleted`) when passing plain objects to model assignment methods.\n\nThe library relies on a `this.hasOwnProperty(key)` check to validate assignment targets. However, because internal ORM state properties are initialized as instance properties, they pass this check. Consequently, if an attacker can influence specific keys (like `$isPersisted`) into the payload passed to `merge()` or `$consumeAdapterResult()`, they can hijack the ORM\u0027s internal logic.\n\nThe exposed internal properties include:\n- `$attributes`: The raw storage for model data.\n- `$isPersisted`: Controls whether\u00a0`save()`\u00a0performs an\u00a0`INSERT`\u00a0or an\u00a0`UPDATE`.\n- `$original`: Stores the original state of the record used to calculate\u00a0changes.\n- `$isDeleted`: Prevents operations on deleted models.\n\nThis issue propagates to the entire write surface of the library, including:\n- Instance methods `fill` and  `merge`.\n- Single record creation methods `create`, `createQuietly`, `firstOrNew`, and `firstOrCreate`.\n- Conditional updates via `updateOrCreate`.\n- Bulk operations `createMany`, `createManyQuietly`, `fetchOrNewUpMany`, `fetchOrCreateMany`, and `updateOrCreateMany`.\n\n### Impact\nApplications are vulnerable if they pass unvalidated data or validated data that retains unknown properties to the model. This occurs because internal keys exist as instance properties, causing them to pass the `hasOwnProperty` check and bypass Lucid\u0027s default rejection of unknown properties.\n\nApplications utilizing strict allow lists for input validation that discard unknown properties are not affected.\n\nFor example, if a developer passes\u00a0`request.all()`, `request.except()` or a schema with `allowUnknownProperties` to\u00a0`Model.create()`, the ORM\u0027s internal logic can be hijacked. Because the\u00a0`Model.create()` \u003e `save()`\u00a0decision is based on\u00a0`$isPersisted`, and\u00a0`merge()`\u00a0can assign to the own-property\u00a0`$isPersisted`, an attacker who can inject\u00a0`\"$isPersisted\": true`\u00a0into the payload can force\u00a0`save()`\u00a0to take the UPDATE branch rather than the INSERT branch, while setting `$attributes` can bypass validators or field restrictions.\n\n\n### Patches\nThis issue has been patched in @adonisjs/lucid version `21.8.2` and `22.0.0-next.6`. Please upgrade to this version or later.\n\nDevelopers can mitigate this issue by strictly validating model inputs with an allow list that drops unknown keys if possible.",
  "id": "GHSA-g5gc-h5hp-555f",
  "modified": "2026-01-13T21:41:38Z",
  "published": "2026-01-13T20:37:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/adonisjs/lucid/security/advisories/GHSA-g5gc-h5hp-555f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22814"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/adonisjs/lucid"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Mass Assignment in AdonisJS Lucid Allows Overwriting Internal ORM State"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-22814 (GCVE-0-2026-22814)

FKIE_CVE-2026-22814

GHSA-G5GC-H5HP-555F

Summary

Details

Impact

Patches

Tags

Sightings

Nomenclature