Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 72bd986ac1eb · 2026-03-29T15:46:02.000Z
GHSA-7xf9-4jfc-wgm4 GHSA-gwhv-j974-6fxm GHSA-qpfv-44f3-qqx6
diff --git a/advisories/github-reviewed/2026/03/GHSA-7xf9-4jfc-wgm4/GHSA-7xf9-4jfc-wgm4.json b/advisories/github-reviewed/2026/03/GHSA-7xf9-4jfc-wgm4/GHSA-7xf9-4jfc-wgm4.json
@@ -1,40 +1,73 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-7xf9-4jfc-wgm4",
-  "modified": "2026-03-26T21:31:26Z",
+  "modified": "2026-03-29T15:45:17Z",
   "published": "2026-03-26T21:31:26Z",
   "aliases": [
     "CVE-2026-3121"
   ],
+  "summary": "Keycloak: manage-clients permission escalates to full realm admin access",
   "details": "A flaw was found in Keycloak. An administrator with `manage-clients` permission can exploit a misconfiguration where this permission is equivalent to `manage-permissions`. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within the realm. This privilege escalation can occur when admin permissions are enabled at the realm level.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.keycloak:keycloak-services"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "26.5.6"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3121"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/keycloak/keycloak/issues/46719"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/keycloak/keycloak/commit/79ab3110a257fb8d6f1a664c916687128094ed01"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/security/cve/CVE-2026-3121"
     },
     {
       "type": "WEB",
       "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442277"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/keycloak/keycloak"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-266"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-29T15:45:17Z",
     "nvd_published_at": "2026-03-26T19:17:06Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/03/GHSA-gwhv-j974-6fxm/GHSA-gwhv-j974-6fxm.json b/advisories/github-reviewed/2026/03/GHSA-gwhv-j974-6fxm/GHSA-gwhv-j974-6fxm.json
@@ -0,0 +1,76 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-gwhv-j974-6fxm",
+  "modified": "2026-03-29T15:44:04Z",
+  "published": "2026-03-29T15:44:04Z",
+  "aliases": [
+    "CVE-2026-34220"
+  ],
+  "summary": "MikroORM is vulnerable to SQL Injection via specially crafted object",
+  "details": "## Summary\n\nMikroORM versions <= 6.6.9 and <= 7.0.5 are vulnerable to SQL injection when specially crafted objects are interpreted as raw SQL query fragments.\n\n## Impact\n\nIf user-controlled input is passed directly to MikroORM query construction APIs, an attacker may inject raw SQL fragments. This can lead to SQL injection depending on the database and query being executed.\n\n## Affected usage\n\nThe issue occurs when untrusted objects are passed to ORM write APIs such as:\n\n- `wrap(entity).assign(userInput)` followed by `em.flush()`\n- `em.nativeUpdate()`\n- `em.nativeInsert()`\n- `em.create()` followed by `em.flush()`\n\nApplications that validate input types or enforce strict schema validation before passing data to MikroORM are not affected.\n\n## Fix\n\nThe vulnerability was caused by duck-typed detection of internal ORM marker properties.\n\nThe fix replaces these checks with symbol-based markers that cannot be reproduced by user input.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@mikro-orm/core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "6.6.10"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@mikro-orm/core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "7.0.0-dev.0"
+            },
+            {
+              "fixed": "7.0.6"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-gwhv-j974-6fxm"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/mikro-orm/mikro-orm"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-29T15:44:04Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-qpfv-44f3-qqx6/GHSA-qpfv-44f3-qqx6.json b/advisories/github-reviewed/2026/03/GHSA-qpfv-44f3-qqx6/GHSA-qpfv-44f3-qqx6.json
@@ -0,0 +1,76 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-qpfv-44f3-qqx6",
+  "modified": "2026-03-29T15:44:16Z",
+  "published": "2026-03-29T15:44:16Z",
+  "aliases": [
+    "CVE-2026-34221"
+  ],
+  "summary": "MikroORM has Prototype Pollution in Utils.merge",
+  "details": "A prototype pollution vulnerability exists in the `Utils.merge` helper used internally by MikroORM when merging object structures.\n\nThe function did not prevent special keys such as `__proto__`, `constructor`, or `prototype`, allowing attacker-controlled input to modify the JavaScript object prototype when merged.\n\nExploitation requires application code to pass untrusted user input into ORM operations that merge object structures, such as entity property assignment or query condition construction.\n\nPrototype pollution may lead to denial of service or unexpected application behavior. In certain scenarios, polluted properties may influence query construction and potentially result in SQL injection depending on application code.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@mikro-orm/core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "6.6.10"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@mikro-orm/core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "7.0.0-dev.0"
+            },
+            {
+              "fixed": "7.0.6"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-qpfv-44f3-qqx6"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/mikro-orm/mikro-orm"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1321"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-29T15:44:16Z",
+    "nvd_published_at": null
+  }
+}
