CVE-2026-33503: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in ory kratos
Ory Kratos is an identity, user management and authentication system for cloud services. Prior to version 26.2.0, the ListCourierMessages Admin API in Ory Kratos is vulnerable to SQL injection due to flaws in its pagination implementation. Pagination tokens are encrypted using the secret configured in `secrets.pagination`. An attacker who knows this secret can craft their own tokens, including malicious tokens that lead to SQL injection. If this configuration value is not set, Kratos falls back to a default pagination encryption secret. Because this default value is publicly known, attackers can generate valid and malicious pagination tokens manually for installations where this secret is not set. As a first line of defense, immediately configure a custom value for `secrets.pagination` by generating a cryptographically secure random secret. Next, upgrade Kratos** to a fixed version, 26.2.0 or later, as soon as possible.
AI Analysis
Technical Summary
CVE-2026-33503 is a SQL injection vulnerability (CWE-89) in Ory Kratos before version 26.2.0 affecting the ListCourierMessages Admin API. The issue arises from the pagination implementation where tokens are encrypted using a secret configured in `secrets.pagination`. If this secret is not set, Kratos uses a default, publicly known secret, enabling attackers who know this secret to craft malicious pagination tokens that lead to SQL injection. The vulnerability allows an attacker with high privileges to execute arbitrary SQL commands, impacting confidentiality, integrity, and availability. The vendor has released version 26.2.0 to address this issue.
Potential Impact
Successful exploitation can lead to full compromise of the database via SQL injection, affecting confidentiality, integrity, and availability of data managed by Ory Kratos. The vulnerability requires knowledge of the pagination secret or exploitation of the default secret if not configured. This can allow attackers to execute arbitrary SQL commands through crafted pagination tokens in the Admin API.
Mitigation Recommendations
A patch is available in Ory Kratos version 26.2.0 and later. Users should upgrade to this version as soon as possible. As an immediate mitigation, configure a custom, cryptographically secure value for the `secrets.pagination` setting to prevent use of the default publicly known secret. These steps effectively mitigate the vulnerability.
CVE-2026-33503: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in ory kratos
Description
Ory Kratos is an identity, user management and authentication system for cloud services. Prior to version 26.2.0, the ListCourierMessages Admin API in Ory Kratos is vulnerable to SQL injection due to flaws in its pagination implementation. Pagination tokens are encrypted using the secret configured in `secrets.pagination`. An attacker who knows this secret can craft their own tokens, including malicious tokens that lead to SQL injection. If this configuration value is not set, Kratos falls back to a default pagination encryption secret. Because this default value is publicly known, attackers can generate valid and malicious pagination tokens manually for installations where this secret is not set. As a first line of defense, immediately configure a custom value for `secrets.pagination` by generating a cryptographically secure random secret. Next, upgrade Kratos** to a fixed version, 26.2.0 or later, as soon as possible.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-33503 is a SQL injection vulnerability (CWE-89) in Ory Kratos before version 26.2.0 affecting the ListCourierMessages Admin API. The issue arises from the pagination implementation where tokens are encrypted using a secret configured in `secrets.pagination`. If this secret is not set, Kratos uses a default, publicly known secret, enabling attackers who know this secret to craft malicious pagination tokens that lead to SQL injection. The vulnerability allows an attacker with high privileges to execute arbitrary SQL commands, impacting confidentiality, integrity, and availability. The vendor has released version 26.2.0 to address this issue.
Potential Impact
Successful exploitation can lead to full compromise of the database via SQL injection, affecting confidentiality, integrity, and availability of data managed by Ory Kratos. The vulnerability requires knowledge of the pagination secret or exploitation of the default secret if not configured. This can allow attackers to execute arbitrary SQL commands through crafted pagination tokens in the Admin API.
Mitigation Recommendations
A patch is available in Ory Kratos version 26.2.0 and later. Users should upgrade to this version as soon as possible. As an immediate mitigation, configure a custom, cryptographically secure value for the `secrets.pagination` setting to prevent use of the default publicly known secret. These steps effectively mitigate the vulnerability.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-20T16:59:08.888Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69c570d8f4197a8e3bef1f0e
Added to database: 3/26/2026, 5:46:00 PM
Last enriched: 4/3/2026, 12:57:15 PM
Last updated: 5/10/2026, 7:50:07 AM
Views: 50
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.