Improper SQL Identifier Escaping in Drizzle ORM
CVE-2026-39356

7.5 HIGH

Key Information:

Vendor
CVE Published:
7 April 2026

What is CVE-2026-39356?

Drizzle ORM, a modern TypeScript Object-Relational Mapper, handles SQL identifiers improperly because the escaping performed by its escapeName() function is insufficient in versions prior to 0.45.2 and 1.0.0-beta.20. The vulnerability arises when attacker-controlled input reaches functions that build SQL identifiers or aliases: because the identifier is not escaped correctly, an attacker can shape that input to break out of the identifier and inject SQL. This flaw underscores the importance of input validation and secure coding practices in database interactions.
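The mitigation a practitioner wants here, shown as an added TypeScript example that is not Drizzle ORM's own code: a hypothetical quoteIdentifier() that doubles embedded double quotes (the SQL-standard escape inside a delimited identifier) beside a constructed weak version, plus an allowlist resolver so untrusted input never becomes an identifier directly. The Postgres-style quoting rules and the 63-byte name limit are assumptions about the target dialect, not statements about Drizzle.

```typescript
// Added example: identifier quoting and allowlisting for a Postgres-style
// dialect. Hypothetical helpers, not Drizzle ORM's escapeName().

// Weak quoting (constructed illustration of the bug class): wraps the name in
// double quotes but leaves embedded quotes untouched, so a name containing a
// quote is no longer a single identifier.
export function quoteIdentifierWeak(name: string): string {
  return `"${name}"`;
}

// Hardened quoting: double every embedded double quote, reject NUL bytes
// (not valid in a PostgreSQL identifier), and reject names over Postgres's
// 63-byte limit, where silent truncation could change which object is meant.
export function quoteIdentifier(name: string): string {
  if (name.length === 0) throw new Error("identifier must not be empty");
  if (name.includes("\0")) throw new Error("identifier contains NUL");
  if (new TextEncoder().encode(name).length > 63) {
    throw new Error("identifier too long");
  }
  return `"${name.replace(/"/g, '""')}"`;
}

// Defence in depth: untrusted input should never become an identifier
// directly. Resolve it against an allowlist of known columns and return the
// trusted name, or null when nothing matches.
export function resolveColumn(
  requested: string,
  allowed: readonly string[],
): string | null {
  return allowed.includes(requested) ? requested : null;
}

// Constructed sample allowlist: the only columns a client may sort by.
export const SORTABLE = ["id", "created_at", "email"] as const;

// Build an ORDER BY clause from a user-supplied sort key. Unknown keys are
// rejected before any quoting happens.
export function orderByClause(sortKey: string): string {
  const column = resolveColumn(sortKey, SORTABLE);
  if (column === null) throw new Error(`unknown sort column: ${sortKey}`);
  return `ORDER BY ${quoteIdentifier(column)}`;
}
```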

Affected Version(s)

drizzle-orm < 0.45.2 (fixed in 0.45.2)

drizzle-orm >= 1.0.0-beta.2, < 1.0.0-beta.20 (fixed in 1.0.0-beta.20)

References

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
