Fix Enum field by-name lookup to only return actual members (#2902)

bysiber · deckar01 · sloria · web-flow · commit 024b5d09e9f0 · 2026-03-25T22:30:15.000Z
* Fix Enum field by-name lookup to only return actual members

Use dict-style access (self.enum[val]) instead of getattr(self.enum, val)
for by-name deserialization. getattr returns any attribute of the Enum
class, not just members. For example, passing "mro" or "__class__" would
return built-in methods/attributes instead of raising a validation error.

The enum item access operator [] only looks up actual enum members,
so non-member attribute names now correctly raise a validation error.

* Add test for Enum field rejecting non-member attributes by name

* Update changelog

---------

Co-authored-by: Jared Deckard &lt;jared@shademaps.com&gt;
Co-authored-by: Steven Loria &lt;git@stevenloria.com&gt;
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -14,7 +14,8 @@ Bug fixes:
   Thanks: user:`T90REAL` for the report and :user:`rstar327` for the PR.
 - Fix behavior when passing a dot-delited attribute name to ``partial`` for a key with ``data_key`` set (:pr:`2903`).
   Thanks :user:`bysiber` for the PR.
-
+- Fix Enum field by-name lookup to only return actual members (:pr:`2902`).
+  Thanks :user:`bysiber` for the PR.
 
 4.2.2 (2026-02-04)
 ------------------
diff --git a/src/marshmallow/fields.py b/src/marshmallow/fields.py
@@ -1947,9 +1947,10 @@ def _deserialize(self, value, attr, data, **kwargs) -> _EnumT:
             except ValueError as error:
                 raise self.make_error("unknown", choices=self.choices_text) from error
         try:
-            return getattr(self.enum, val)
-        except AttributeError as error:
+            ret = self.enum[val]
+        except KeyError as error:
             raise self.make_error("unknown", choices=self.choices_text) from error
+        return ret
 
 
 class Method(Field):
diff --git a/tests/test_deserialization.py b/tests/test_deserialization.py
@@ -1197,6 +1197,14 @@ def test_enum_field_by_symbol_invalid_value(self):
         ):
             field.deserialize("dummy")
 
+    @pytest.mark.parametrize("non_member", ["mro", "__class__", "__members__"])
+    def test_enum_field_by_symbol_rejects_non_member_attributes(self, non_member):
+        field = fields.Enum(GenderEnum)
+        with pytest.raises(
+            ValidationError, match="Must be one of: male, female, non_binary."
+        ):
+            field.deserialize(non_member)
+
     def test_enum_field_by_symbol_not_string(self):
         field = fields.Enum(GenderEnum)
         with pytest.raises(ValidationError, match="Not a valid string."):
