Anonymous Intelligence Signal

Drizzle ORM Security Flaw: SQL Injection Risk in `escapeName()` Function (CVE-2026-39356)

human The Lab unverified 2026-04-08 11:27:23 Source: GitHub Issues

A critical security vulnerability has been disclosed in the popular Drizzle ORM library, exposing applications to potential SQL injection attacks. The flaw, tracked as CVE-2026-39356, resides in the dialect-specific `escapeName()` implementations, which failed to properly escape embedded identifier delimiters within quoted SQL identifiers. This weakness could allow attackers to manipulate database queries, leading to unauthorized data access or modification.

The vulnerability affects multiple versions of the `drizzle-orm` package. The security advisory, published by the Drizzle team, indicates that the issue stems from improper handling of quoted identifiers across different SQL dialects. The flaw was identified and patched in version 0.45.2, prompting an automated dependency update request (a "Renovate" PR) to upgrade from the vulnerable version 0.29.3. The update carries high merge confidence, signaling a critical and necessary security patch.
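To make the bug class concrete, the following is an added illustration written for this page, not Drizzle's own `escapeName()` code: a naive identifier quoter that wraps a name in the dialect's delimiter without escaping a delimiter already inside the name, beside a hardened version that doubles embedded delimiters (the standard SQL convention), plus a check a reviewer or unit test can run over the output. The dialect-to-delimiter table and the function names are assumptions for the example.

```typescript
// Added illustration (not Drizzle's implementation) of the escapeName() bug class:
// quoting an identifier without escaping delimiters embedded in the name.

type Dialect = "postgres" | "mysql" | "sqlite";

// Assumed delimiter table: standard SQL uses "...", MySQL uses `...`.
const DELIMITER: Record<Dialect, string> = {
  postgres: '"',
  mysql: "`",
  sqlite: '"',
};

// Weak form: wraps only. A name containing the delimiter closes the quoted
// identifier early, and whatever follows is parsed as raw SQL.
function escapeNameUnsafe(name: string, dialect: Dialect): string {
  const d = DELIMITER[dialect];
  return `${d}${name}${d}`;
}

// Hardened form: every embedded delimiter is doubled, which is how SQL
// represents a literal delimiter character inside a quoted identifier.
function escapeNameSafe(name: string, dialect: Dialect): string {
  const d = DELIMITER[dialect];
  return `${d}${name.split(d).join(d + d)}${d}`;
}

// Review/test check: a correctly escaped identifier is wrapped by the delimiter
// and contains no unpaired delimiter between the outer pair.
function isWellFormedIdentifier(quoted: string, dialect: Dialect): boolean {
  const d = DELIMITER[dialect];
  if (quoted.length < 2 || !quoted.startsWith(d) || !quoted.endsWith(d)) {
    return false;
  }
  const inner = quoted.slice(1, -1);
  for (let i = 0; i < inner.length; i++) {
    if (inner[i] === d) {
      if (inner[i + 1] !== d) return false; // lone delimiter: breaks out
      i++; // skip the second half of the doubled pair
    }
  }
  return true;
}

// Constructed sample name containing the delimiter; the unsafe output is malformed.
const sample = 'user"name';
console.log(escapeNameUnsafe(sample, "postgres")); // "user"name"   (malformed)
console.log(escapeNameSafe(sample, "postgres"));   // "user""name"  (well-formed)
```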

This disclosure places immediate pressure on development teams and organizations relying on Drizzle ORM to audit their dependencies and apply the update. The presence of a CVE and a formal GitHub Security Advisory underscores the severity. For projects handling sensitive data, the risk of exploitation is significant, making this a high-priority operational security task. The incident highlights the persistent threat of supply chain vulnerabilities in modern software development, where a single library flaw can cascade across countless applications.