HIGHCVE-2026-39356Published 2026-04-07Modified 2026-04-08CNA GitHub_M

CVE-2026-39356: SQL Injection via escapeName() in all Drizzle ORM SQL dialects

Drizzle is a modern TypeScript ORM. Prior to 0.45.2 and 1.0.0-beta.20, Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName() implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or backticks. As a result, applications that pass attacker-controlled input to APIs that construct SQL identifiers or aliases, such as sql.identifier(), .as(), may allow an attacker to terminate the quoted identifier and inject SQL. This vulnerability is fixed in 0.45.2 and 1.0.0-beta.20.

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

drizzle-team / drizzle-orm
< 0.45.2 · >= 1.0.0-beta.2, < 1.0.0-beta.20

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

https://github.com/drizzle-team/drizzle-orm/security/advisories/GHSA-gpj5-g38j-94v9

Metrics