CVE-2026-33504
Received - Intake
SQL Injection in Ory Hydra Admin APIs via Pagination Tokens

Publication date: 2026-03-26

Last updated on: 2026-04-07

Assigner: GitHub, Inc.

Description
Ory Hydra is an OAuth 2.0 Server and OpenID Connect Provider. Prior to version 26.2.0, the listOAuth2Clients, listOAuth2ConsentSessions, and listTrustedOAuth2JwtGrantIssuers Admin APIs in Ory Hydra are vulnerable to SQL injection due to flaws in its pagination implementation. Pagination tokens are encrypted using the secret configured in `secrets.pagination`. If this value is not set, Hydra falls back to using `secrets.system`. An attacker who knows this secret can craft their own tokens, including malicious tokens that lead to SQL injection.

This issue can be exploited when all of the following hold:

  • one or more of the admin APIs listed above is directly or indirectly accessible to the attacker;
  • the attacker can pass a raw pagination token to the affected API; and
  • the configuration value `secrets.pagination` is set and known to the attacker, or `secrets.pagination` is not set and `secrets.system` is known to the attacker.

An attacker meeting these conditions can execute arbitrary SQL queries through forged pagination tokens.

As a first line of defense, immediately configure a custom value for `secrets.pagination` by generating a cryptographically secure random secret. Then upgrade Hydra to the fixed version, 26.2.0, as soon as possible.
Meta Information

Published: 2026-03-26
Last Modified: 2026-04-07
Generated: 2026-05-07
AI Q&A: 2026-03-26
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: ory
Product: hydra
Version / Range: all versions before 26.2.0 (26.2.0 excluded)
CWE

CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

This vulnerability allows an attacker to execute arbitrary SQL queries on the backend database, compromising the confidentiality, integrity, and availability of data.

Such a compromise can lead to unauthorized access, modification, or deletion of sensitive data, which may result in violations of data protection regulations like GDPR and HIPAA that require strict controls over data confidentiality and integrity.

Therefore, if exploited, this vulnerability could negatively impact compliance with these common standards and regulations by exposing protected data or disrupting its availability.


Can you explain this vulnerability to me?

CVE-2026-33504 is a SQL injection vulnerability (CWE-89) in Ory Hydra's Admin APIs, specifically the listOAuth2Clients, listOAuth2ConsentSessions, and listTrustedOAuth2JwtGrantIssuers endpoints, in versions prior to 26.2.0.

Hydra's pagination tokens are encrypted with the secret configured in `secrets.pagination`; if that value is not set, Hydra falls back to `secrets.system`. The flaw is in what the pagination implementation does with a token once it has decrypted it: the token contents reach the SQL query without being neutralized, so the encryption is the only thing standing between an attacker and the database.

Anyone who knows the effective secret can therefore mint their own tokens, including tokens whose contents inject SQL, and submit them to the affected APIs.

Exploitation requires all three of the following: direct or indirect access to an affected Admin API, the ability to supply a raw pagination token, and knowledge of the secret in use (`secrets.pagination` if set, otherwise `secrets.system`). In practice this turns a leaked Hydra secret, for example one checked into a repository or exposed through an orchestrator's secret store, into database compromise.
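The following is an added illustration of the pattern described in the Description and in the explanation above; it is not Ory Hydra's code, token format, table layout or query text. A toy keyset cursor is sealed with AES-256-GCM under a deployment secret (standing in for `secrets.pagination` or the `secrets.system` fallback). Because authenticated encryption only proves that a token was made by someone holding the key, an attacker who has learned the key can mint a token whose decrypted cursor is SQL. `vulnerableListQuery` splices that cursor into the statement; `hardenedListQuery` validates the decrypted payload against an assumed client-ID shape and passes it as a bind parameter instead. The key, table name and ID shape are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
)

// Toy pagination token: base64url(nonce || AES-256-GCM(last-seen client ID)).
// This mirrors only the advisory's pattern (token encrypted under a deployment
// secret, decrypted contents used to build a query); it is not Hydra's format.

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptToken seals cursor under key. Anyone holding key can put any string
// in the payload, which is exactly what the forgery in main() relies on.
func encryptToken(key []byte, cursor string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(cursor), nil)
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// decryptToken authenticates and opens a token. A successful Open proves the
// token came from a key holder, not that its contents are safe to use.
func decryptToken(key []byte, token string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("token too short")
	}
	plain, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	if err != nil {
		return "", fmt.Errorf("token rejected: %w", err)
	}
	return string(plain), nil
}

// vulnerableListQuery: the decrypted cursor is concatenated into the SQL text,
// so whoever knows the key controls the statement (CWE-89). Table name is a
// placeholder for the example.
func vulnerableListQuery(key []byte, token string) (string, error) {
	cursor, err := decryptToken(key, token)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("SELECT id FROM clients WHERE id > '%s' ORDER BY id LIMIT 10", cursor), nil
}

// clientIDShape is an assumed allow-list for what a cursor may contain.
// Validation is defense in depth; the bind parameter removes the injection.
var clientIDShape = regexp.MustCompile(`^[A-Za-z0-9-]{1,64}$`)

// hardenedListQuery: decrypt, validate the payload, then bind it ($1) rather
// than concatenating it. Returns the statement and its arguments.
func hardenedListQuery(key []byte, token string) (string, []any, error) {
	cursor, err := decryptToken(key, token)
	if err != nil {
		return "", nil, err
	}
	if !clientIDShape.MatchString(cursor) {
		return "", nil, fmt.Errorf("malformed cursor %q", cursor)
	}
	return "SELECT id FROM clients WHERE id > $1 ORDER BY id LIMIT 10", []any{cursor}, nil
}

func main() {
	// Constructed 32-byte secret standing in for the leaked deployment secret.
	key := []byte("0123456789abcdef0123456789abcdef")

	// The attacker, knowing the secret, mints a token carrying SQL as the cursor.
	forged, _ := encryptToken(key, "x' OR '1'='1")
	q, _ := vulnerableListQuery(key, forged)
	fmt.Println("vulnerable:", q)

	_, _, err := hardenedListQuery(key, forged)
	fmt.Println("hardened:  ", err)
}
```

The point to take from it is that rotating or hiding the secret narrows who can forge tokens, but only the query construction (bind parameters plus strict parsing of the decrypted payload) removes the injection; that is why the advisory treats the pagination secret as a first line of defense and the upgrade as the fix.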


How can this vulnerability impact me? :

This vulnerability allows an attacker to execute arbitrary SQL queries on the backend database of Ory Hydra.

The impact includes compromising the confidentiality, integrity, and availability of data managed by the affected system.

Because the attacker can run arbitrary SQL commands against the database that backs Hydra, they could read or alter the OAuth2 client registrations, consent sessions and trusted JWT grant issuers that the affected APIs list, modify or delete other data, or disrupt service availability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Because pagination tokens are encrypted, a forged token is indistinguishable on the wire from a legitimate one. Detection therefore rests on three questions: is the running Hydra older than 26.2.0, which secret keys the pagination tokens, and who can reach the Admin API at all.

Checks that answer those questions:

  • Confirm the version. On the host, `hydra version` prints it; remotely, the admin listener answers `GET /admin/version` (for example `curl -s http://127.0.0.1:4445/admin/version`, adjusting host and port to your deployment). Anything below 26.2.0 is affected.
  • Review the effective secrets. Look at the Hydra configuration file (`secrets.system`, `secrets.pagination`) and the process environment (`SECRETS_SYSTEM`, `SECRETS_PAGINATION`, following Hydra's mapping of dotted config keys to upper-case underscore-separated variables). If `secrets.pagination` is absent, pagination tokens are keyed with `secrets.system`, which is the configuration the advisory warns about. Treat any secret that has appeared in a repository, build log or shared config as known to an attacker.
  • Map exposure of the Admin API. Verify that the admin listener (port 4445 by default) is reachable only from trusted networks, and check reverse proxies, ingress rules and service meshes for routes that forward `/admin/...` paths to it.
  • Look for exploitation after the fact. Forged tokens will not appear malformed in transit, so review access logs from Hydra or the proxy in front of it for calls to the affected list endpoints carrying `page_token` values from unexpected clients, and review database logs for statements from Hydra's database user that do not match its normal query shapes.
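The version and configuration checks above, as an added example that is not part of the page or the Ory project: a small Go program that reads the running version from the admin listener's `GET /admin/version` endpoint, decides whether it predates 26.2.0 (treating a pre-release of 26.2.0 itself as affected), and classifies which secret keys pagination tokens from the `SECRETS_PAGINATION` / `SECRETS_SYSTEM` environment variables. The default admin URL is an assumption; the environment classification is only meaningful when run with the same environment Hydra sees, and a YAML config file can set the same keys, so "unset" means "check the file".

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"os"
	"strconv"
	"strings"
)

// FixedVersion is the first Hydra release containing the fix.
const FixedVersion = "26.2.0"

// parseVersion accepts "v26.1.3", "26.1.3", "v26.2.0-rc.1" or "26.2.0+build"
// and returns the numeric triple plus whether a pre-release suffix was present.
func parseVersion(v string) (ver [3]int, prerelease bool, err error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	if i := strings.Index(v, "+"); i >= 0 { // build metadata never affects ordering
		v = v[:i]
	}
	if i := strings.Index(v, "-"); i >= 0 {
		prerelease = true
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return ver, false, fmt.Errorf("unrecognised version %q", v)
	}
	for i, p := range parts {
		n, convErr := strconv.Atoi(p)
		if convErr != nil || n < 0 {
			return ver, false, fmt.Errorf("unrecognised version %q", v)
		}
		ver[i] = n
	}
	return ver, prerelease, nil
}

// IsAffected reports whether version predates FixedVersion. A pre-release of
// the fixed version itself (e.g. 26.2.0-rc.1) is treated as affected.
func IsAffected(version string) (bool, error) {
	v, pre, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	fixed, _, _ := parseVersion(FixedVersion)
	for i := 0; i < 3; i++ {
		if v[i] != fixed[i] {
			return v[i] < fixed[i], nil
		}
	}
	return pre, nil
}

// PaginationKeySource classifies which secret keys pagination tokens, from the
// environment variables Hydra maps secrets.pagination / secrets.system to.
// "system-fallback" is the configuration the advisory warns about.
func PaginationKeySource(env map[string]string) string {
	switch {
	case strings.TrimSpace(env["SECRETS_PAGINATION"]) != "":
		return "pagination"
	case strings.TrimSpace(env["SECRETS_SYSTEM"]) != "":
		return "system-fallback"
	default:
		return "unset"
	}
}

// FetchVersion reads the running version from GET /admin/version on the
// admin listener (default port 4445).
func FetchVersion(adminURL string) (string, error) {
	resp, err := http.Get(strings.TrimRight(adminURL, "/") + "/admin/version")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("unexpected status %s", resp.Status)
	}
	var body struct {
		Version string `json:"version"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return "", err
	}
	return body.Version, nil
}

func main() {
	adminURL := "http://127.0.0.1:4445" // assumed local admin listener
	if len(os.Args) > 1 {
		adminURL = os.Args[1]
	}
	version, err := FetchVersion(adminURL)
	if err != nil {
		fmt.Fprintln(os.Stderr, "version lookup failed:", err)
		os.Exit(2)
	}
	affected, err := IsAffected(version)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	env := map[string]string{
		"SECRETS_PAGINATION": os.Getenv("SECRETS_PAGINATION"),
		"SECRETS_SYSTEM":     os.Getenv("SECRETS_SYSTEM"),
	}
	fmt.Printf("hydra %s affected=%v pagination-key=%s\n", version, affected, PaginationKeySource(env))
	if affected {
		os.Exit(1)
	}
}
```

Run it on the Hydra host (`go run check.go http://127.0.0.1:4445`); a non-zero exit on an affected version makes it usable as a gate in a deployment pipeline, and a `pagination-key=system-fallback` result is the case to fix first even on a patched host, since it means one leaked value serves two purposes.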

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation steps are:

  • Configure a dedicated, cryptographically secure value for `secrets.pagination`, for example generated with `openssl rand -base64 32` (Hydra requires its secrets to be at least 16 characters). Do this even if you intend to upgrade right away: it stops `secrets.system` from doubling as the pagination key. Expect pagination tokens issued under the old key to stop decrypting; callers simply restart their listing from the first page.
  • If `secrets.system` may already be known to an attacker, rotate it as well; setting a pagination secret does not undo a leak of the system secret.
  • Restrict reachability of the Admin API to trusted networks and operators, and remove any proxy or ingress route that exposes it more widely; every precondition in the advisory starts from an attacker being able to call these endpoints.
  • Upgrade Ory Hydra to version 26.2.0 or later, where the vulnerability has been fixed.
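The configuration change from the first step, shown as an added before/after fragment rather than an excerpt from Ory's documentation. The secret values are placeholders, and the list form of `secrets.pagination` is assumed to mirror `secrets.system` (first entry encrypts, later entries are accepted during rotation); confirm it against the config schema of your Hydra version. The environment-variable form `SECRETS_PAGINATION` follows Hydra's mapping of dotted config keys to upper-case underscore-separated names.

```yaml
# Before: only secrets.system is set. On a pre-26.2.0 Hydra, pagination tokens
# fall back to this value, so whoever learns it can forge tokens.
secrets:
  system:
    - "replace-with-output-of-openssl-rand-base64-32"
---
# After: a separate pagination secret (at least 16 characters; generate it with
# `openssl rand -base64 32`). A leak of either value no longer exposes both
# uses, and the fallback the advisory warns about is no longer in effect.
secrets:
  system:
    - "replace-with-output-of-openssl-rand-base64-32"
  pagination:
    - "replace-with-a-different-openssl-rand-base64-32"
```

Keep the two values distinct and store them the way you store the system secret; a pagination secret copied from `secrets.system` gives none of the separation the change is meant to provide.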
