CVE-2026-33503
SQL Injection in Ory Kratos ListCourierMessages Admin API
Publication date: 2026-03-26
Last updated on: 2026-04-17
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ory | kratos | before 26.2.0 (26.2.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33503 is a high-severity SQL injection vulnerability in the ListCourierMessages Admin API of Ory Kratos, an identity and user management system. The vulnerability is caused by flaws in the API's pagination implementation, where pagination tokens are encrypted using a secret configured in the `secrets.pagination` setting.
If an attacker knows this secret, they can craft malicious pagination tokens that lead to SQL injection attacks. Additionally, if the `secrets.pagination` configuration is not set, Ory Kratos uses a publicly known default secret, allowing attackers to generate valid malicious tokens without prior knowledge.
This vulnerability allows attackers to execute arbitrary SQL queries by supplying crafted pagination tokens, exploiting improper sanitization of user input in SQL commands.
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized execution of arbitrary SQL queries against the database used by Ory Kratos.
- Compromise of confidentiality: attackers can access sensitive data.
- Compromise of integrity: attackers can modify or corrupt data.
- Compromise of availability: attackers can disrupt or disable the service.
Exploitation requires the attacker to have access to the ListCourierMessages API and the ability to supply raw pagination tokens, but once exploited, it can lead to significant damage to the system and its data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the ListCourierMessages Admin API in Ory Kratos and is exploitable by supplying crafted pagination tokens that lead to SQL injection. Detection would involve monitoring or testing this API for abnormal behavior or injection attempts.
Since the vulnerability depends on the use of the default or known pagination secret, one detection method is to check if the `secrets.pagination` configuration is set to a custom cryptographically secure value.
No specific detection commands are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
Immediately configure a custom value for the `secrets.pagination` setting by generating a cryptographically secure random secret. For example, you can generate a secure secret using the command: `openssl rand -base64 32`.
Upgrade Ory Kratos to version 26.2.0 or later, where this vulnerability has been fixed.
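As an added example (not part of this record or of Ory Kratos itself), a small Python audit helper that applies the check and the mitigation above to a loaded Kratos configuration. It assumes the config has already been parsed into a dict and that the setting is a list of strings under `secrets.pagination`; the length and entropy thresholds and the placeholder list are choices made for this example, not values from the advisory.

```python
import base64
import math
import secrets
from typing import Any

# Constructed samples of the relevant part of a Kratos config, already loaded from
# YAML/JSON into a dict. They are not real deployment configs; the shape
# `secrets.pagination: [..]` is an assumption of this example.
SAMPLE_CONFIG_UNSET: dict[str, Any] = {"secrets": {"cookie": ["x" * 32]}}
SAMPLE_CONFIG_WEAK: dict[str, Any] = {"secrets": {"pagination": ["changeme"]}}
SAMPLE_CONFIG_OK: dict[str, Any] = {
    "secrets": {"pagination": ["Q7vKp2xZn8LmR4tYs6WbJ0cHa3EdF9gUiVoPkNlXeB1"]}
}

MIN_LENGTH = 32          # threshold chosen for this example (24 random bytes -> 32 base64 chars)
MIN_BITS_PER_CHAR = 3.5  # heuristic Shannon-entropy threshold chosen for this example
WEAK_VALUES = {"changeme", "secret", "password"}  # constructed placeholder list, extend as needed


def shannon_bits_per_char(value: str) -> float:
    """Empirical Shannon entropy of the string, in bits per character."""
    if not value:
        return 0.0
    n = len(value)
    counts = {c: value.count(c) for c in set(value)}
    return -sum((k / n) * math.log2(k / n) for k in counts.values())


def check_pagination_secret(config: dict) -> list[str]:
    """Return findings for secrets.pagination; an empty list means it looks acceptable."""
    values = (config.get("secrets") or {}).get("pagination")
    if not values:
        # The advisory's key point: unset means Kratos falls back to a public default.
        return ["secrets.pagination is not set: Kratos falls back to its publicly known default secret"]
    if isinstance(values, str):
        values = [values]
    findings: list[str] = []
    for i, v in enumerate(values):
        if not isinstance(v, str):
            findings.append(f"secrets.pagination[{i}] is not a string")
            continue
        if v.lower() in WEAK_VALUES:
            findings.append(f"secrets.pagination[{i}] is a known placeholder value")
        if len(v) < MIN_LENGTH:
            findings.append(f"secrets.pagination[{i}] is shorter than {MIN_LENGTH} characters")
        if shannon_bits_per_char(v) < MIN_BITS_PER_CHAR:
            findings.append(f"secrets.pagination[{i}] has low character entropy")
    return findings


def generate_pagination_secret(num_bytes: int = 32) -> str:
    """CSPRNG-backed replacement secret, equivalent to `openssl rand -base64 32`."""
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode()
```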
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attackers to execute arbitrary SQL queries, compromising the confidentiality, integrity, and availability of the system.
Such a compromise can lead to unauthorized access to sensitive personal or health data managed by Ory Kratos, potentially violating data protection regulations like GDPR and HIPAA.
Therefore, failure to mitigate this vulnerability could result in non-compliance with these standards due to inadequate protection of sensitive information.