Ory Kratos is an open-source identity and user management system widely used for cloud services authentication. Prior to version 26.2.0, its ListCourierMessages Admin API contains a critical SQL injection vulnerability (CVE-2026-33503) due to improper neutralization of special elements in SQL commands (CWE-89). The vulnerability stems from the pagination implementation, which uses encrypted pagination tokens to manage API responses. These tokens are encrypted with a secret configured in the `secrets.pagination` setting. If this secret is not explicitly set by administrators, Kratos defaults to a publicly known encryption secret. Attackers who know this secret—either by default or through disclosure—can craft malicious pagination tokens that, when processed by the API, inject arbitrary SQL commands. This allows attackers with administrative privileges to manipulate backend databases, potentially leading to data leakage, unauthorized data modification, or denial of service. The vulnerability has a CVSS v3.1 score of 7.2, reflecting high severity with network attack vector, low attack complexity, and requiring high privileges but no user interaction. No known exploits are reported in the wild yet. The recommended remediation is twofold: first, immediately configure a strong, cryptographically secure custom secret for `secrets.pagination` to prevent token forgery; second, upgrade Ory Kratos to version 26.2.0 or later, where the vulnerability is fixed by improving token handling and input validation.

This vulnerability can have severe consequences for organizations using Ory Kratos for identity and authentication management. Successful exploitation allows attackers with administrative access to execute arbitrary SQL commands on the backend database, compromising the confidentiality, integrity, and availability of sensitive user data and authentication records. This can lead to unauthorized data disclosure, privilege escalation, data tampering, or service disruption. Since Ory Kratos is often deployed in cloud environments managing critical identity services, such a compromise could cascade into broader system breaches, affecting multiple applications relying on Kratos for authentication. The reliance on a default secret if not configured increases the risk of exploitation in misconfigured environments. Organizations with exposed or poorly secured admin APIs are particularly at risk. Although exploitation requires high privileges, the impact of a successful attack is significant, potentially undermining trust in identity management and causing regulatory compliance issues.

To mitigate this vulnerability effectively, organizations should: 1) Immediately set a custom, cryptographically secure random value for the `secrets.pagination` configuration parameter to prevent attackers from generating valid malicious pagination tokens. Use a strong random generator compliant with cryptographic standards to ensure token encryption security. 2) Upgrade Ory Kratos to version 26.2.0 or later as soon as possible, as this version contains fixes that address the root cause of the SQL injection vulnerability by improving input validation and token handling. 3) Restrict access to the ListCourierMessages Admin API to trusted administrators only, ideally limiting network exposure through firewall rules or VPNs to reduce attack surface. 4) Monitor logs for unusual API requests involving pagination tokens that could indicate attempted exploitation. 5) Conduct regular security audits and configuration reviews to ensure no default secrets or weak configurations remain. 6) Employ database activity monitoring to detect anomalous SQL queries that could signal injection attempts. These steps go beyond generic advice by emphasizing immediate secret configuration, controlled API exposure, and proactive monitoring tailored to this vulnerability's specifics.