{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22814", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-09T22:50:10.288Z", "datePublished": "2026-01-13T19:42:14.346Z", "dateUpdated": "2026-01-14T17:26:12.012Z"}, "containers": {"cna": {"title": "Mass Assignment in AdonisJS Lucid Allows Overwriting Internal ORM State", "problemTypes": [{"descriptions": [{"cweId": "CWE-915", "lang": "en", "description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/adonisjs/lucid/security/advisories/GHSA-g5gc-h5hp-555f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/adonisjs/lucid/security/advisories/GHSA-g5gc-h5hp-555f"}], "affected": [{"vendor": "adonisjs", "product": "lucid", "versions": [{"version": "< 21.8.2", "status": "affected"}, {"version": ">= 22.0.0-next.0, < 22.0.0-next.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-13T19:42:14.346Z"}, "descriptions": [{"lang": "en", "value": "@adonisjs/lucid is an SQL ORM for AdonisJS built on top of Knex. Prior to 21.8.2 and 22.0.0-next.6, there is a Mass Assignment vulnerability in AdonisJS Lucid which may allow a remote attacker who can influence data that is passed into Lucid model assignments to overwrite the internal ORM state. This may lead to logic bypasses and unauthorized record modification within a table or model. This affects @adonisjs/lucid through version 21.8.1 and 22.x pre-release versions prior to 22.0.0-next.6. This has been patched in @adonisjs/lucid versions 21.8.2 and 22.0.0-next.6."}], "source": {"advisory": "GHSA-g5gc-h5hp-555f", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-14T17:26:06.187349Z", "id": "CVE-2026-22814", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-14T17:26:12.012Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Mass Assignment in AdonisJS Lucid Allows Overwriting Internal ORM State", "source": {"advisory": "GHSA-g5gc-h5hp-555f", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "adonisjs", "product": "lucid", "versions": [{"status": "affected", "version": "< 21.8.2"}, {"status": "affected", "version": ">= 22.0.0-next.0, < 22.0.0-next.6"}]}], "references": [{"url": "https://github.com/adonisjs/lucid/security/advisories/GHSA-g5gc-h5hp-555f", "name": "https://github.com/adonisjs/lucid/security/advisories/GHSA-g5gc-h5hp-555f", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "@adonisjs/lucid is an SQL ORM for AdonisJS built on top of Knex. Prior to 21.8.2 and 22.0.0-next.6, there is a Mass Assignment vulnerability in AdonisJS Lucid which may allow a remote attacker who can influence data that is passed into Lucid model assignments to overwrite the internal ORM state. This may lead to logic bypasses and unauthorized record modification within a table or model. This affects @adonisjs/lucid through version 21.8.1 and 22.x pre-release versions prior to 22.0.0-next.6. This has been patched in @adonisjs/lucid versions 21.8.2 and 22.0.0-next.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-915", "description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-13T19:42:14.346Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22814", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-14T17:26:06.187349Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-01-14T17:26:09.379Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-22814", "state": "PUBLISHED", "dateUpdated": "2026-01-13T19:42:14.346Z", "dateReserved": "2026-01-09T22:50:10.288Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-13T19:42:14.346Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "@adonisjs/lucid is an SQL ORM for AdonisJS built on top of Knex. Prior to 21.8.2 and 22.0.0-next.6, there is a Mass Assignment vulnerability in AdonisJS Lucid which may allow a remote attacker who can influence data that is passed into Lucid model assignments to overwrite the internal ORM state. This may lead to logic bypasses and unauthorized record modification within a table or model. This affects @adonisjs/lucid through version 21.8.1 and 22.x pre-release versions prior to 22.0.0-next.6. This has been patched in @adonisjs/lucid versions 21.8.2 and 22.0.0-next.6."}, {"lang": "es", "value": "@adonisjs/lucid es un ORM SQL para AdonisJS construido sobre Knex. Antes de 21.8.2 y 22.0.0-next.6, existe una vulnerabilidad de Asignaci\u00f3n Masiva en AdonisJS Lucid que puede permitir a un atacante remoto que puede influir en los datos que se pasan a las asignaciones del modelo Lucid sobrescribir el estado interno del ORM. Esto puede conducir a derivaciones de l\u00f3gica y modificaci\u00f3n no autorizada de registros dentro de una tabla o modelo. Esto afecta a @adonisjs/lucid hasta la versi\u00f3n 21.8.1 y las versiones pre-lanzamiento 22.x anteriores a 22.0.0-next.6. Esto ha sido parcheado en las versiones 21.8.2 y 22.0.0-next.6 de @adonisjs/lucid."}], "id": "CVE-2026-22814", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-13T20:16:11.427", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/adonisjs/lucid/security/advisories/GHSA-g5gc-h5hp-555f"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-915"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T06:32:48.993804+00:00", "value": {"mitigation_remediation": ["Upgrade to @adonisjs/lucid\u202f21.8.2 or later, including 22.0.0\u2011next.6 where the issue is fixed.", "Sanitize or validate all input before passing it to model assignments to prevent unintended data from reaching internal ORM state.", "Implement attribute whitelisting or use guarded fields to restrict mass assignment only to intended properties."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized record modification and logic bypass"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the AdonisJS Lucid SQL ORM, versions through 21.8.1 and all 22.x pre\u2011release releases prior to 22.0.0\u2011next.6 . Users of these versions are at risk.", "description_and_impact": "Mass Assignment allows a remote attacker who can influence data passed into AdonisJS Lucid model assignments to overwrite the internal ORM state. This flaw permits logic bypasses and unauthorized record modifications within a table or model. The weakness is classified as CWE\u2011915, reflecting improper data handling leading to loss of control over program flow.", "risk_and_exploitability": "The CVSS score of 8.2 denotes a high severity risk, yet the EPSS score is below 1\u202f%, suggesting a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, requiring an attacker to supply crafted data that is subsequently assigned to a Lucid model \u2013 a scenario that is common when user input is bound to models without proper safeguards."}}}}, "created": "2026-01-14T11:08:02.543803+00:00", "updated": "2026-04-18T06:45:23.956301+00:00", "vendors": ["adonisjs", "adonisjs$PRODUCT$lucid"]}