CVE-2026-22814
📋 TL;DR
A mass assignment vulnerability in @adonisjs/lucid allows remote attackers who can influence data passed to Lucid model assignments to overwrite internal ORM state. This can lead to logic bypasses and unauthorized record modifications in database tables. Affects all applications using vulnerable versions of @adonisjs/lucid.
💻 Affected Systems
- @adonisjs/lucid
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise allowing unauthorized creation, modification, or deletion of any records accessible through vulnerable models, potentially leading to data destruction or privilege escalation.
Likely Case
Unauthorized modification of database records through API endpoints or form submissions that use mass assignment, leading to data integrity issues and potential business logic bypass.
If Mitigated
Limited impact if proper input validation and allow/deny lists are implemented for model attributes, restricting which fields can be mass-assigned.
🎯 Exploit Status
Exploitation requires the ability to influence data passed to model assignments, typically through API endpoints or form submissions. The vulnerability does not itself bypass authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 21.8.2 and 22.0.0-next.6
Vendor Advisory: https://github.com/adonisjs/lucid/security/advisories/GHSA-g5gc-h5hp-555f
Restart Required: Yes
Instructions:
1. Update @adonisjs/lucid to version 21.8.2 or 22.0.0-next.6 using npm or yarn.
2. Run 'npm update @adonisjs/lucid' or 'yarn upgrade @adonisjs/lucid'.
3. Restart your application server.
🔧 Temporary Workarounds
Implement Mass Assignment Protection
Manually implement allow/deny lists for model attributes to restrict which fields can be mass-assigned.
// In your Lucid model, add:
static fillable = ['allowed_field1', 'allowed_field2'];
// or:
static guarded = ['protected_field1', 'protected_field2'];
🧯 If You Can't Patch
- Implement strict input validation and sanitization for all API endpoints and form submissions
- Use explicit field assignment instead of mass assignment in all model operations
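The allow-list workaround and the "explicit field assignment" fallback above come down to one control: filter the untrusted request body against a fixed list of fields before anything is handed to a model. The following is an added example, not code from @adonisjs/lucid or from this advisory; the controller step and the field names are hypothetical, and it does not rely on any static property of the model, so it works whatever the ORM version. It goes slightly beyond the text by also refusing the prototype-related keys (__proto__, constructor, prototype) that the detection section below watches for, and by returning the rejected keys so the caller can log them or answer with a validation error.

```typescript
// Added example, not code from @adonisjs/lucid or from the advisory: an
// explicit allow-list filter applied to an untrusted request body BEFORE the
// result is handed to a model, so only known fields are ever mass-assigned.
// The controller step and field names below are hypothetical.

type RequestBody = Record<string, unknown>;

interface AllowListResult {
  accepted: RequestBody;   // own properties for allowed keys only
  rejected: string[];      // keys present in the input but not allowed
}

// Never accepted from untrusted input, even if a developer lists them by mistake.
const NEVER_ASSIGNABLE = new Set(['__proto__', 'constructor', 'prototype']);

function pickAllowedFields(body: unknown, allowList: readonly string[]): AllowListResult {
  const accepted: RequestBody = {};
  const rejected: string[] = [];
  // Reject scalars and arrays outright; only a plain object can carry fields.
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { accepted, rejected };
  }
  const allowed = new Set(allowList);
  // Object.keys yields own enumerable keys, so a JSON body containing a
  // literal "__proto__" key shows up here and is rejected rather than copied.
  for (const key of Object.keys(body)) {
    if (allowed.has(key) && !NEVER_ASSIGNABLE.has(key)) {
      accepted[key] = (body as RequestBody)[key];
    } else {
      rejected.push(key);
    }
  }
  return { accepted, rejected };
}

// Per-route allow list (hypothetical): the only fields a client may set.
const UPDATE_POST_FIELDS = ['title', 'body'] as const;

// Shape of a controller step: returns what would be passed to the model's
// merge()/fill() call and what was dropped, so the caller can log the
// rejected keys or reply with a 422 instead of silently ignoring them.
function prepareUpdatePost(body: unknown): AllowListResult {
  return pickAllowedFields(body, UPDATE_POST_FIELDS);
}

// Constructed sample body: a legitimate edit plus attempts to flip a
// protected flag, change ownership and smuggle a prototype key.
const SAMPLE_BODY: unknown = JSON.parse(
  '{"title":"Hello","body":"text","isPublished":true,"authorId":1,"__proto__":{"isAdmin":true}}'
);
```

Running prepareUpdatePost(SAMPLE_BODY) yields accepted = { title, body } and rejected = [isPublished, authorId, __proto__]; only the accepted object should ever reach the model. Treat a non-empty rejected list as a signal worth logging, since it is exactly the "API requests attempting to set protected model fields" indicator listed under Detection & Monitoring.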
🔍 How to Verify
Check if Vulnerable:
Check package.json for the @adonisjs/lucid version. If the version is <= 21.8.1, or between 22.0.0-next.1 and 22.0.0-next.5, you are vulnerable.
Check Version:
npm list @adonisjs/lucid or check package.json
Verify Fix Applied:
Verify @adonisjs/lucid version is 21.8.2 or 22.0.0-next.6 or higher in package.json and node_modules.
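The version ranges above can be checked mechanically instead of by eye. The following is an added example, not tooling from the advisory or from @adonisjs/lucid: it parses a semver string, classifies it against the ranges stated on this page (vulnerable up to 21.8.1 and for 22.0.0-next.1 through 22.0.0-next.5, fixed in 21.8.2 and 22.0.0-next.6), and extracts the version from the output of `npm list @adonisjs/lucid`. Prerelease tags of 22.0.0 that this page does not mention are reported as undecided rather than guessed.

```typescript
// Added example, not part of @adonisjs/lucid or this advisory: checks an
// installed version string against the ranges stated on the page.

interface LucidVersion { major: number; minor: number; patch: number; pre: string[] | null }

function parseLucidVersion(v: string): LucidVersion | null {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) return null;
  return {
    major: Number(m[1]),
    minor: Number(m[2]),
    patch: Number(m[3]),
    pre: m[4] ? m[4].split('.') : null,
  };
}

// Orders the release triplet only; prerelease tags are handled by the caller.
function compareCore(a: LucidVersion, b: LucidVersion): number {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// true  = inside a range the page lists as vulnerable
// false = fixed (21.8.2+, 22.0.0-next.6+) or outside every listed range
// null  = cannot decide: unparseable input, or a 22.0.0 prerelease tag the
//         page does not mention; verify such a version by hand.
function isVulnerableLucidVersion(version: string): boolean | null {
  const v = parseLucidVersion(version);
  if (!v) return null;
  const lastVulnerableStable: LucidVersion = { major: 21, minor: 8, patch: 1, pre: null };
  // Everything up to and including 21.8.1 (older majors included; a prerelease
  // of 21.8.1 sorts below 21.8.1 in semver, so it is included as well).
  if (compareCore(v, lastVulnerableStable) <= 0) return true;
  if (v.major === 22 && v.minor === 0 && v.patch === 0 && v.pre !== null) {
    if (v.pre[0] === 'next' && /^\d+$/.test(v.pre[1] ?? '')) {
      const n = Number(v.pre[1]);
      if (n >= 6) return false;   // 22.0.0-next.6 and later carry the fix
      if (n >= 1) return true;    // 22.0.0-next.1 .. next.5 are listed as vulnerable
      return null;                // next.0 is not mentioned on the page
    }
    return null;                  // other 22.0.0 prerelease tags: not covered here
  }
  return false;
}

// Pulls the version out of `npm list @adonisjs/lucid` output, which prints a
// tree line such as "└── @adonisjs/lucid@21.8.1"; null if the package is absent.
function versionFromNpmList(output: string): string | null {
  const m = /@adonisjs\/lucid@(\S+)/.exec(output);
  return m ? m[1] : null;
}

// Constructed sample of `npm list` output (not captured from a real project).
const SAMPLE_NPM_LIST = 'app@1.0.0 /srv/app\n└── @adonisjs/lucid@21.8.1\n';
```

A CI step can feed the real `npm list @adonisjs/lucid` output into versionFromNpmList and fail the build when isVulnerableLucidVersion returns true or null; after the upgrade, the same check against package.json and node_modules confirms that 21.8.2 or 22.0.0-next.6 (or later) is actually installed.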
📡 Detection & Monitoring
Log Indicators:
- Unusual database operations with unexpected field modifications
- API requests attempting to set protected model fields
Network Indicators:
- HTTP requests with unexpected parameters targeting model endpoints
SIEM Query:
source="web_logs" AND (uri_path="/api/*" OR uri_path="/models/*") AND (params CONTAINS "__proto__" OR params CONTAINS "constructor" OR unusual_field_patterns)
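The SIEM query above is pseudo-syntax, and its "unusual_field_patterns" term is a placeholder for whatever your application defines as an unexpected field. The following is an added example, not part of the advisory or of any SIEM product, that expresses the same logic as code runnable over exported web logs: it flags write requests to model endpoints whose parameters contain prototype keys or fields outside a per-route allow list. The one-JSON-object-per-line log format (ts, method, uri_path, params), the route names and the allow lists are assumptions for this example and must be mapped to your own log schema and validators.

```typescript
// Added example, not part of the advisory or of any SIEM product: the page's
// SIEM query as code over constructed web log lines.

interface WebLogEntry {
  ts: string;
  method: string;
  uri_path: string;
  params?: Record<string, unknown>;
}

interface MassAssignmentFinding {
  ts: string;
  uri_path: string;
  reason: 'prototype-key' | 'unexpected-field';
  keys: string[];
}

// Keys that legitimate clients never send to a model endpoint.
const PROTOTYPE_KEYS = ['__proto__', 'constructor', 'prototype'];

// Hypothetical per-route allow lists; this makes the query's
// "unusual_field_patterns" placeholder concrete for two example routes.
const MODEL_ROUTE_FIELDS: Record<string, string[]> = {
  '/api/posts': ['title', 'body'],
  '/api/users/profile': ['displayName', 'bio'],
};

// Only requests that can write are interesting for mass assignment.
const WRITE_METHODS = new Set(['POST', 'PUT', 'PATCH']);

function parseWebLogLine(line: string): WebLogEntry | null {
  try {
    return JSON.parse(line) as WebLogEntry;
  } catch {
    return null; // malformed line: skip it rather than abort the scan
  }
}

function inspectWebLogLine(line: string): MassAssignmentFinding | null {
  const entry = parseWebLogLine(line);
  if (!entry || typeof entry.uri_path !== 'string') return null;
  const onModelRoute = entry.uri_path.startsWith('/api/') || entry.uri_path.startsWith('/models/');
  if (!onModelRoute || !WRITE_METHODS.has(entry.method)) return null;
  // A literal "__proto__" key in the JSON is an own property here and is listed.
  const keys = Object.keys(entry.params ?? {});
  const protoKeys = keys.filter((k) => PROTOTYPE_KEYS.includes(k));
  if (protoKeys.length > 0) {
    return { ts: entry.ts, uri_path: entry.uri_path, reason: 'prototype-key', keys: protoKeys };
  }
  const allowed = MODEL_ROUTE_FIELDS[entry.uri_path];
  if (allowed) {
    const unexpected = keys.filter((k) => !allowed.includes(k));
    if (unexpected.length > 0) {
      return { ts: entry.ts, uri_path: entry.uri_path, reason: 'unexpected-field', keys: unexpected };
    }
  }
  return null;
}

function scanWebLog(lines: string[]): MassAssignmentFinding[] {
  const findings: MassAssignmentFinding[] = [];
  for (const line of lines) {
    const f = inspectWebLogLine(line);
    if (f) findings.push(f);
  }
  return findings;
}

// Constructed sample log lines (not real traffic).
const SAMPLE_WEB_LOG: string[] = [
  '{"ts":"2026-01-10T09:00:01Z","method":"POST","uri_path":"/api/posts","params":{"title":"Hi","body":"text"}}',
  '{"ts":"2026-01-10T09:00:02Z","method":"PATCH","uri_path":"/api/posts","params":{"title":"Hi","isPublished":true,"authorId":7}}',
  '{"ts":"2026-01-10T09:00:03Z","method":"GET","uri_path":"/api/posts","params":{"page":"2"}}',
  '{"ts":"2026-01-10T09:00:04Z","method":"PUT","uri_path":"/api/users/profile","params":{"displayName":"x","__proto__":{"isAdmin":true}}}',
  'this line is not JSON',
];
```

Over the sample, scanWebLog returns two findings: the PATCH to /api/posts that tries to set isPublished and authorId, and the PUT to /api/users/profile carrying a __proto__ key. The GET is ignored because it cannot mass-assign, and the malformed line is skipped. The allow lists should be generated from the same validators the application uses, so the detector and the controller agree on what "unexpected" means.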