CVE-2026-33504: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in ory hydra
Ory Hydra is an OAuth 2.0 Server and OpenID Connect Provider. Prior to version 26.2.0, the listOAuth2Clients, listOAuth2ConsentSessions, and listTrustedOAuth2JwtGrantIssuers Admin APIs in Ory Hydra are vulnerable to SQL injection due to flaws in Hydra's pagination implementation. Pagination tokens are encrypted using the secret configured in `secrets.pagination`. If this value is not set, Hydra falls back to using `secrets.system`. An attacker who knows this secret can craft their own tokens, including malicious tokens that lead to SQL injection. This issue can be exploited when all of the following hold: one or more of the admin APIs listed above is directly or indirectly accessible to the attacker; the attacker can pass a raw pagination token to the affected API; and either `secrets.pagination` is set and known to the attacker, or `secrets.pagination` is not set and `secrets.system` is known to the attacker. An attacker can execute arbitrary SQL queries through forged pagination tokens. As a first line of defense, immediately configure a custom value for `secrets.pagination` by generating a cryptographically secure random secret. Next, upgrade Hydra to the fixed version, 26.2.0, as soon as possible.
AI Analysis
Technical Summary
Ory Hydra is an OAuth 2.0 Server and OpenID Connect Provider widely used for identity and access management. Versions prior to 26.2.0 contain a critical SQL injection vulnerability (CVE-2026-33504) in the admin APIs listOAuth2Clients, listOAuth2ConsentSessions, and listTrustedOAuth2JwtGrantIssuers. The root cause lies in the pagination implementation, where pagination tokens are encrypted using a secret configured in `secrets.pagination`. If this secret is unset, Hydra defaults to using `secrets.system`. An attacker who knows either secret can craft malicious pagination tokens that bypass input validation and inject arbitrary SQL commands into backend queries. This vulnerability requires the attacker to have access to the affected admin APIs, which may be exposed directly or indirectly. Exploiting this flaw allows execution of arbitrary SQL queries, potentially leading to data leakage, modification, or deletion, and could compromise the entire OAuth2 server's integrity and availability. The CVSS v3.1 score is 7.2 (high), reflecting network attack vector, low attack complexity, high privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No known exploits are reported in the wild yet. The recommended remediation is to immediately configure a strong, cryptographically secure secret for `secrets.pagination` and upgrade to Ory Hydra version 26.2.0 or later, which contains the fix.
Potential Impact
This vulnerability poses a significant risk to organizations using Ory Hydra for OAuth2 and OpenID Connect services. Exploitation can lead to unauthorized access to sensitive OAuth2 client and consent session data, manipulation or deletion of critical authentication records, and potential full compromise of the backend database. This undermines the trustworthiness of authentication and authorization processes, potentially allowing attackers to escalate privileges, impersonate users, or disrupt service availability. Organizations relying on Ory Hydra for identity management in cloud environments, microservices architectures, or critical infrastructure could face severe operational and reputational damage. The requirement for high privileges to exploit somewhat limits the attack surface, but insider threats or compromised admin interfaces increase risk. Failure to patch promptly may expose organizations to data breaches, regulatory non-compliance, and service outages.
Mitigation Recommendations
1. Immediately configure a strong, cryptographically secure random secret for the `secrets.pagination` configuration parameter to prevent attackers from forging valid pagination tokens. Avoid using default or system secrets.
2. Upgrade Ory Hydra to version 26.2.0 or later, which contains the patch addressing this SQL injection vulnerability.
3. Restrict access to the affected admin APIs (listOAuth2Clients, listOAuth2ConsentSessions, listTrustedOAuth2JwtGrantIssuers) to trusted administrators only, using network segmentation, firewall rules, and strong authentication mechanisms.
4. Monitor logs and audit trails for unusual or unauthorized API access patterns, especially attempts to use malformed pagination tokens.
5. Conduct regular security reviews and penetration testing focused on OAuth2 server components to detect similar injection or access control issues.
6. Implement database-level protections such as least privilege for the Hydra database user and query parameterization where possible.
7. Educate DevOps and security teams about the importance of secret management and timely patching of identity infrastructure components.
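The advisory's core point is that an encrypted pagination token is only as trustworthy as the secret that seals it: once `secrets.pagination` (or the `secrets.system` fallback) is known, decryption no longer distinguishes a server-minted cursor from an attacker-minted one, so whatever the token decrypts to must be validated before it reaches a query, and the query must bind it as a parameter rather than splice it into SQL text. The Go program below is an added example written for this page; it is not Ory Hydra's code, and the `Cursor` layout, the `clients` table name, the SHA-256 key derivation, the `safeID` pattern and `maxLimit` are all assumptions made for illustration. It contrasts the splice-after-decrypt pattern (`UnsafeListQuery`) with a decrypt-then-validate-then-bind flow (`ParseCursor` plus `SafeListQuery`), and shows that a token forged with the correct secret authenticates fine yet is still rejected on content.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
)

// Cursor is the plaintext a pagination token carries. Hypothetical layout for
// illustration only; Hydra's real token format is not described on the page.
type Cursor struct {
	After string `json:"after"` // identifier of the last row of the previous page
	Limit int    `json:"limit"` // requested page size
}

// deriveKey maps a configured secret string (standing in for secrets.pagination,
// or secrets.system when that is unset) to a 32-byte AES key. Assumed scheme.
func deriveKey(secret string) []byte {
	k := sha256.Sum256([]byte(secret))
	return k[:]
}

func newGCM(secret string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveKey(secret))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// MintToken seals a cursor with AES-GCM. Anyone holding the same secret can
// seal any plaintext they choose, which is exactly the advisory's scenario.
func MintToken(secret string, c Cursor) (string, error) {
	gcm, err := newGCM(secret)
	if err != nil {
		return "", err
	}
	pt, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(gcm.Seal(nonce, nonce, pt, nil)), nil
}

// safeID allow-lists the characters an opaque row identifier may contain (assumed).
var safeID = regexp.MustCompile(`^[A-Za-z0-9_.:-]{1,128}$`)

const maxLimit = 500 // assumed upper bound on page size

// ParseCursor opens the token and then validates its contents. Successful
// decryption only proves the token was sealed under this key; it proves
// nothing about whether the plaintext is a legitimate cursor.
func ParseCursor(secret, token string) (Cursor, error) {
	gcm, err := newGCM(secret)
	if err != nil {
		return Cursor{}, err
	}
	ct, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil {
		return Cursor{}, err
	}
	ns := gcm.NonceSize()
	if len(ct) < ns {
		return Cursor{}, errors.New("pagination token too short")
	}
	pt, err := gcm.Open(nil, ct[:ns], ct[ns:], nil)
	if err != nil {
		return Cursor{}, errors.New("pagination token failed authentication")
	}
	var c Cursor
	if err := json.Unmarshal(pt, &c); err != nil {
		return Cursor{}, err
	}
	if c.After != "" && !safeID.MatchString(c.After) {
		return Cursor{}, errors.New("pagination token carries an invalid cursor id")
	}
	if c.Limit <= 0 || c.Limit > maxLimit {
		return Cursor{}, errors.New("pagination token carries an out-of-range limit")
	}
	return c, nil
}

// UnsafeListQuery splices the decrypted cursor into the SQL text. Paired with
// a decrypt-and-trust flow, this is how a known secret becomes SQL injection.
// The clients table is hypothetical, not Hydra's schema.
func UnsafeListQuery(c Cursor) string {
	return fmt.Sprintf("SELECT id FROM clients WHERE id > '%s' ORDER BY id LIMIT %d", c.After, c.Limit)
}

// SafeListQuery binds the cursor as parameters, so the SQL text is fixed no
// matter what the token decrypted to.
func SafeListQuery(c Cursor) (string, []any) {
	return "SELECT id FROM clients WHERE id > $1 ORDER BY id LIMIT $2", []any{c.After, c.Limit}
}

func main() {
	secret := "constructed-demo-secret" // stands in for the configured secrets.pagination value
	tok, _ := MintToken(secret, Cursor{After: "client-42", Limit: 50})
	c, err := ParseCursor(secret, tok)
	fmt.Println("server-minted token:", c, err)
	forged, _ := MintToken(secret, Cursor{After: "x' OR 1=1 --", Limit: 50})
	_, err = ParseCursor(secret, forged)
	fmt.Println("token forged with the known secret:", err)
}
```

Two design points carry over to the real deployment regardless of token format: the secret in `secrets.pagination` should be dedicated and unknown to anything but the Hydra process, since any holder of it can call the equivalent of `MintToken`; and a bound parameter (`$1`, `$2`) keeps even an unvalidated cursor out of the SQL text, whereas the validation step is what keeps out-of-range page sizes and unexpected identifiers from ever reaching the database.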
Affected Countries
United States, Germany, United Kingdom, Netherlands, France, Canada, Australia, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-20T16:59:08.888Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c574363c064ed76f96818a
Added to database: 3/26/2026, 6:00:22 PM
Last enriched: 3/26/2026, 6:15:16 PM
Last updated: 5/10/2026, 8:56:33 AM