CVE-2026-33505
Received - Intake
SQL Injection in Ory Keto GetRelationships API via Pagination Tokens

Publication date: 2026-03-26

Last updated on: 2026-04-17

Assigner: GitHub, Inc.

Description
Ory Keto is an open source authorization server for managing permissions at scale. Prior to version 26.2.0, the GetRelationships API in Ory Keto is vulnerable to SQL injection due to flaws in its pagination implementation. Pagination tokens are encrypted using the secret configured in `secrets.pagination`. An attacker who knows this secret can craft their own tokens, including malicious tokens that lead to SQL injection. If this configuration value is not set, Keto falls back to a hard-coded default pagination encryption secret. Because this default value is publicly known, attackers can generate valid and malicious pagination tokens manually for installations where this secret is not set.

This issue can be exploited when the GetRelationships API is directly or indirectly accessible to the attacker, the attacker can pass a raw pagination token to the affected API, and the configuration value `secrets.pagination` is either not set or known to the attacker. An attacker can then execute arbitrary SQL queries through forged pagination tokens.

As a first line of defense, immediately configure a custom value for `secrets.pagination` by generating a cryptographically secure random secret. Next, upgrade Keto to a fixed version, 26.2.0 or later, as soon as possible.
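A constructed illustration of the pattern the description lays out, added here and not Ory Keto's code. The token format (HMAC-tagged JSON rather than Keto's encrypted tokens), the stand-in default secret, the table and column names and the query shape are all assumptions made for the demonstration. It shows the three facts the advisory relies on: whoever holds the pagination secret can mint a cursor the server accepts; splicing the decoded cursor into SQL lets such a cursor run arbitrary SQL; and either a per-deployment secret the attacker does not know (the advisory's first line of defense) or a handler that validates the cursor and binds parameters stops the forged token.

```python
"""Illustration of the CVE-2026-33505 pattern (constructed example, not Keto code).

Assumptions: tokens are base64url(JSON) + "." + HMAC-SHA256 tag instead of Keto's
encrypted tokens; DEFAULT_PAGINATION_SECRET is a stand-in for the real, publicly
known default; table and column names are invented for the demo.
"""
import base64
import hashlib
import hmac
import json
import sqlite3
import uuid

DEFAULT_PAGINATION_SECRET = b"stand-in-for-the-hard-coded-default"  # hypothetical value


def mint_token(secret: bytes, after: str, size: int) -> str:
    """Anyone holding `secret` can produce a token the server will accept."""
    body = json.dumps({"after": after, "size": size}).encode()
    payload = base64.urlsafe_b64encode(body).decode()
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def open_token(secret: bytes, token: str) -> dict:
    """Reject a token whose tag was not made with `secret`; return its payload."""
    payload, _, tag = token.rpartition(".")
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not payload or not hmac.compare_digest(tag, expected):
        raise ValueError("pagination token rejected")
    return json.loads(base64.urlsafe_b64decode(payload))


def seed_db() -> sqlite3.Connection:
    """Constructed sample data: three relation tuples plus an unrelated secret table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE relation_tuples(id TEXT PRIMARY KEY, namespace TEXT,
                                     object TEXT, relation TEXT, subject TEXT);
        CREATE TABLE api_keys(name TEXT, value TEXT);
        INSERT INTO api_keys VALUES ('admin', 'k3y-sample-value');
    """)
    for n in range(1, 4):
        conn.execute("INSERT INTO relation_tuples VALUES (?, 'files', ?, 'viewer', 'user:alice')",
                     (str(uuid.UUID(int=n)), f"doc{n}"))
    return conn


def get_relationships_vulnerable(conn, secret, namespace, token):
    """Trusts the decoded cursor and splices it into the query (CWE-89)."""
    page = open_token(secret, token)
    sql = ("SELECT id, namespace, object, relation, subject FROM relation_tuples "
           f"WHERE namespace = '{namespace}' AND id > '{page['after']}' "
           f"ORDER BY id LIMIT {page['size']}")
    return conn.execute(sql).fetchall()


def get_relationships_fixed(conn, secret, namespace, token):
    """Validates the decoded cursor and binds every value as a parameter."""
    page = open_token(secret, token)
    try:
        after = str(uuid.UUID(page["after"]))  # the cursor must be a UUID, nothing else
        size = int(page["size"])
    except (KeyError, ValueError, TypeError, AttributeError):
        raise ValueError("malformed pagination token") from None
    if not 1 <= size <= 1000:
        raise ValueError("page size out of range")
    sql = ("SELECT id, namespace, object, relation, subject FROM relation_tuples "
           "WHERE namespace = ? AND id > ? ORDER BY id LIMIT ?")
    return conn.execute(sql, (namespace, after, size)).fetchall()


def forged_token(secret: bytes = DEFAULT_PAGINATION_SECRET) -> str:
    """A cursor that closes the quote and appends a UNION over another table."""
    return mint_token(secret, "' UNION SELECT 'z', name, value, '', '' FROM api_keys -- ", 10)


def run_scenarios() -> dict:
    """The same forged token against three server configurations."""
    conn, token, out = seed_db(), forged_token(), {}
    rows = get_relationships_vulnerable(conn, DEFAULT_PAGINATION_SECRET, "files", token)
    out["default_secret_vulnerable"] = any(r[2] == "k3y-sample-value" for r in rows)
    try:  # first line of defense: a per-deployment secret the attacker does not know
        get_relationships_vulnerable(conn, b"per-deployment-random-secret", "files", token)
        out["custom_secret_vulnerable"] = "leaked"
    except ValueError as exc:
        out["custom_secret_vulnerable"] = str(exc)
    try:  # even with the known default, a validating, parameterized handler refuses it
        get_relationships_fixed(conn, DEFAULT_PAGINATION_SECRET, "files", token)
        out["default_secret_fixed"] = "leaked"
    except ValueError as exc:
        out["default_secret_fixed"] = str(exc)
    legit = mint_token(DEFAULT_PAGINATION_SECRET, str(uuid.UUID(int=1)), 2)
    out["fixed_legit_rows"] = len(get_relationships_fixed(conn, DEFAULT_PAGINATION_SECRET, "files", legit))
    return out


if __name__ == "__main__":
    print(run_scenarios())
```

Running `run_scenarios()` shows the api_keys row coming back through the relationships listing only in the first case; the custom secret rejects the token before any SQL is built, and the parameterized handler rejects the cursor because it is not a UUID. Note that the secret alone is only a mitigation: a token minted by anyone who does learn it still reaches the interpolated query, which is why the advisory asks for the upgrade as well.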
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-27
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: ory
Product: keto
Version / Range: all versions before 26.2.0 (26.2.0 excluded)
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows an attacker to execute arbitrary SQL queries on the backend database, compromising confidentiality, integrity, and availability of the system.

Such a compromise could lead to unauthorized access, modification, or deletion of sensitive data, which may result in non-compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive information.

Therefore, if exploited, this vulnerability could negatively impact compliance with these common standards and regulations by exposing or altering protected data.


Can you explain this vulnerability to me?

CVE-2026-33505 is a SQL injection vulnerability in the GetRelationships API of Ory Keto, an open source authorization server. The issue arises from flaws in the API's pagination implementation, where pagination tokens are encrypted using a secret configured in `secrets.pagination`.

If an attacker knows this secret or if the secret is not set (causing Keto to use a publicly known default secret), the attacker can craft malicious pagination tokens. These tokens can be used to inject arbitrary SQL queries into the backend database.

Exploitation requires that the GetRelationships API is accessible to the attacker, the attacker can supply raw pagination tokens, and the secret is either known or unset. This vulnerability allows attackers to manipulate SQL commands, leading to potential full compromise of the system's confidentiality, integrity, and availability.


How can this vulnerability impact me?

This vulnerability can have severe impacts including allowing an attacker to execute arbitrary SQL queries on the backend database of Ory Keto.

  • Compromise of confidentiality: sensitive data can be exposed.
  • Compromise of integrity: data can be altered or corrupted.
  • Compromise of availability: the system or database can be disrupted or made unavailable.

Overall, this can lead to a full compromise of the affected system, impacting the security and trustworthiness of the authorization server.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves verifying whether the GetRelationships API in Ory Keto is reachable by untrusted callers and whether `secrets.pagination` is unset, in which case the hard-coded default secret is in use. Since exploitation depends on supplying a raw pagination token, monitoring API requests for unusual or malformed pagination tokens could indicate exploitation attempts. Because the tokens are encrypted, their contents cannot be inspected in transit without the secret; what stands out is tokens the server rejects, tokens that were never issued by a previous page response, and listing requests that coincide with database errors.

There are no specific commands provided in the available resources to detect this vulnerability directly. However, you can check the current configuration of the `secrets.pagination` value in your Ory Keto setup to see if it is set to a custom secret or left as the default.

For example, to check where `secrets.pagination` is set: in a YAML config the key is nested under `secrets:`, so the dotted name will not appear literally, and with Ory's environment-variable mapping (dots become underscores, upper-cased) the same key is `SECRETS_PAGINATION`:

  • grep -rn -A3 '^secrets:' /path/to/keto/config
  • env | grep SECRETS_PAGINATION

Additionally, monitoring network traffic or API logs for suspicious pagination tokens or unexpected SQL errors in logs could help detect exploitation attempts.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability immediately, first configure a custom, cryptographically secure random secret for the `secrets.pagination` setting in your Ory Keto configuration. This prevents attackers from using the publicly known default secret to craft malicious pagination tokens.

  • Generate a secure secret using a command such as: openssl rand -base64 32
  • Set the generated secret as the value for `secrets.pagination` in your Keto configuration (or via the `SECRETS_PAGINATION` environment variable) and reload or restart Keto so it picks the value up.
  • Tokens issued under the old secret stop verifying, so clients in the middle of a paginated listing will have to start again from the first page.

Next, upgrade your Ory Keto installation to version 26.2.0 or later, where this vulnerability has been fixed. The secret alone only keeps unknown attackers out; anyone who later obtains it is back in the original position until the upgrade is done.
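A small audit helper that covers both of the checks above, the detection question (is `secrets.pagination` configured?) and the mitigation steps (is the deployment on a fixed version, and what should a fresh secret look like?). It is an added example, not Ory tooling. Assumptions: Ory's config loader exposes the key `secrets.pagination` as the environment variable `SECRETS_PAGINATION`; the YAML check is a minimal line scanner for a top-level `secrets:` block rather than a YAML parser, so use it on the Keto config file itself and swap in a real parser for anything elaborate; the version string is whatever `keto version` printed, which may carry a `v` prefix or surrounding text.

```python
"""Audit the two conditions the advisory names (added example, not Ory tooling).

Assumptions: `secrets.pagination` is reachable as the SECRETS_PAGINATION
environment variable (Ory's usual dot-to-underscore mapping); the YAML check
is a minimal line scanner, not a YAML parser; the version string comes from
`keto version` and may be embedded in other text.
Usage: python keto_audit.py /path/to/keto.yml "$(keto version)"
"""
import base64
import re
import secrets
import sys
from typing import List, Optional

FIXED_VERSION = (26, 2, 0)


def parse_version(version: str) -> tuple:
    """'v26.1.3', '26.1.3-rc.1' or 'Version: v26.1.3' -> (26, 1, 3)."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip())


def yaml_has_pagination_secret(config_text: str) -> bool:
    """True if a top-level `secrets:` block carries a non-empty `pagination:` entry,
    given inline (`pagination: abc`, `pagination: [abc]`) or as a block list."""
    lines = [ln for ln in config_text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    in_secrets = False
    for i, line in enumerate(lines):
        if _indent(line) == 0:                       # a new top-level key
            in_secrets = line.strip() == "secrets:"
            continue
        if not in_secrets:
            continue
        m = re.match(r"\s*pagination:\s*(.*)$", line)
        if not m:
            continue
        inline = m.group(1).strip()
        if inline:
            return inline not in ("[]", "~", "null", '""', "''")
        # block form: the value is whatever is indented deeper on the next line
        return i + 1 < len(lines) and _indent(lines[i + 1]) > _indent(line)
    return False


def audit(config_text: Optional[str], env: dict, version: str) -> List[str]:
    """Findings for one deployment; an empty list means neither condition applies."""
    findings = []
    env_set = bool(env.get("SECRETS_PAGINATION", "").strip())
    file_set = bool(config_text) and yaml_has_pagination_secret(config_text)
    if not (env_set or file_set):
        findings.append("secrets.pagination is unset: the publicly known default "
                        "pagination secret is in use, set a random one now")
    if parse_version(version) < FIXED_VERSION:
        findings.append(f"keto {version.strip()} is older than 26.2.0: upgrade")
    return findings


def new_pagination_secret() -> str:
    """32 random bytes, base64-encoded: the same shape as `openssl rand -base64 32`."""
    return base64.b64encode(secrets.token_bytes(32)).decode()


if __name__ == "__main__":
    import os
    cfg = open(sys.argv[1]).read() if len(sys.argv) > 1 else None
    ver = sys.argv[2] if len(sys.argv) > 2 else "0.0.0"
    for finding in audit(cfg, dict(os.environ), ver) or ["no findings"]:
        print(finding)
    print("candidate secrets.pagination value:", new_pagination_secret())
```

An empty findings list means the deployment is both on a fixed version and running with its own pagination secret; a finding about the secret should be acted on before the upgrade is scheduled, since it takes effect as soon as Keto reloads the configuration.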

