CVE-2026-33505: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in ory keto
Ory Keto is an open source authorization server for managing permissions at scale. Prior to version 26.2.0, the GetRelationships API in Ory Keto is vulnerable to SQL injection due to flaws in its pagination implementation. Pagination tokens are encrypted using the secret configured in `secrets.pagination`. An attacker who knows this secret can craft their own tokens, including malicious tokens that lead to SQL injection. If this configuration value is not set, Keto falls back to a hard-coded default pagination encryption secret. Because this default value is publicly known, attackers can generate valid and malicious pagination tokens manually for installations where this secret is not set. This issue can be exploited when the GetRelationships API is directly or indirectly accessible to the attacker, the attacker can pass a raw pagination token to the affected API, and the configuration value `secrets.pagination` is not set or is known to the attacker. An attacker can execute arbitrary SQL queries through forged pagination tokens. As a first line of defense, immediately configure a custom value for `secrets.pagination` by generating a cryptographically secure random secret. Next, upgrade Keto to a fixed version, 26.2.0 or later, as soon as possible.
AI Analysis
Technical Summary
Ory Keto is an open-source authorization server designed to manage permissions at scale. Prior to version 26.2.0, the GetRelationships API in Ory Keto contains a critical SQL injection vulnerability (CVE-2026-33505) due to improper neutralization of special elements in SQL commands (CWE-89). The vulnerability stems from the pagination implementation, where pagination tokens are encrypted using a secret configured in `secrets.pagination`. If this secret is not set, Keto defaults to a hard-coded, publicly known secret. An attacker who knows or can guess this secret can craft malicious pagination tokens that, when passed to the GetRelationships API, result in execution of arbitrary SQL queries. This can lead to unauthorized data disclosure, data manipulation, or denial of service. Exploitation requires network access to the API and either knowledge of the pagination secret or a deployment that left it unset. The vulnerability has a CVSS 3.1 base score of 7.2 (high severity), reflecting its potential to compromise confidentiality, integrity, and availability without user interaction but requiring some privileges or access. The recommended remediation is twofold: first, immediately configure a strong, cryptographically secure secret for `secrets.pagination` to prevent token forgery; second, upgrade Ory Keto to version 26.2.0 or later where the vulnerability is fixed. No known exploits are reported in the wild yet, but the risk remains significant due to the ease of token forgery when the secret is unset or known.
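The flaw class above is a pagination cursor that, once decoded from the token, is treated as trusted SQL text. The following Go example is added here to illustrate that pattern beside its hardened form; it is not Ory Keto's code, and the table, column names, UUID cursor shape and limit bound are assumptions made for the example. The safe builder validates the cursor against the single shape it may have and binds it as a parameter, so even a forged token cannot alter the statement.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// Assumed cursor shape for this example: the primary key is a lowercase UUID.
var uuidRe = regexp.MustCompile(`^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$`)

// BuildPageQueryUnsafe models the defect: the decoded cursor is spliced into
// the SQL text, so whoever can mint a token the server accepts controls the
// statement. (Illustrative only; table/column names are assumed.)
func BuildPageQueryUnsafe(cursor string, limit int) string {
	return fmt.Sprintf(
		"SELECT id, namespace, object, relation, subject FROM relation_tuples WHERE id > '%s' ORDER BY id LIMIT %d",
		cursor, limit)
}

// PageQuery is a statement with bind parameters, ready for db.Query(q.SQL, q.Args...).
type PageQuery struct {
	SQL  string
	Args []any
}

// BuildPageQuerySafe is the hardened form: the cursor must match the only
// shape it is allowed to have, the limit is bounded, and both travel as bind
// parameters. Token contents never become part of the SQL text.
func BuildPageQuerySafe(cursor string, limit int) (PageQuery, error) {
	if !uuidRe.MatchString(cursor) {
		return PageQuery{}, errors.New("pagination cursor rejected: not a UUID")
	}
	if limit <= 0 || limit > 1000 {
		return PageQuery{}, errors.New("pagination limit out of range")
	}
	return PageQuery{
		SQL:  "SELECT id, namespace, object, relation, subject FROM relation_tuples WHERE id > $1 ORDER BY id LIMIT $2",
		Args: []any{cursor, limit},
	}, nil
}

func main() {
	// Constructed inputs: a well-formed cursor and one carrying a quote
	// character that the unsafe builder passes through verbatim.
	good := "0f7a6e9a-1c3b-4d2e-8f5a-9b1c2d3e4f50"
	crafted := "0f7a6e9a'"

	fmt.Println("unsafe:", BuildPageQueryUnsafe(crafted, 10))
	if _, err := BuildPageQuerySafe(crafted, 10); err != nil {
		fmt.Println("safe rejects crafted cursor:", err)
	}
	q, err := BuildPageQuerySafe(good, 10)
	if err == nil {
		fmt.Println("safe:", q.SQL, q.Args)
	}
}
```

Strict shape validation is defence in depth on top of the secret: the pagination secret stops outsiders from minting tokens, while the allowlist and bind parameters make a minted token harmless to the database.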
Potential Impact
The SQL injection vulnerability in Ory Keto's GetRelationships API can have severe consequences for organizations relying on this authorization server. Successful exploitation allows attackers to execute arbitrary SQL commands, potentially leading to unauthorized access to sensitive permission data, modification or deletion of authorization records, and disruption of authorization services. This compromises the confidentiality, integrity, and availability of the authorization system, which is critical for enforcing access controls across applications and services. Organizations may face data breaches, privilege escalation, and service outages, impacting business operations and regulatory compliance. Since Ory Keto is used in cloud-native and microservices environments, the vulnerability could be leveraged to pivot attacks within internal networks. The impact is amplified if the default or weak pagination secret is used, making exploitation straightforward. Although no active exploits are currently known, the vulnerability's high severity and ease of exploitation in misconfigured deployments pose a significant risk worldwide.
Mitigation Recommendations
1. Immediately configure a strong, cryptographically secure random secret for the `secrets.pagination` configuration in Ory Keto to prevent attackers from forging valid pagination tokens. Avoid using default or guessable secrets.
2. Upgrade all Ory Keto instances to version 26.2.0 or later, which contains the fix for this SQL injection vulnerability.
3. Restrict network access to the GetRelationships API endpoint to trusted clients only, using network segmentation, firewalls, or API gateways to reduce exposure.
4. Implement monitoring and alerting for unusual API usage patterns or malformed pagination tokens that could indicate exploitation attempts.
5. Conduct regular security audits and penetration testing focused on authorization components to detect similar injection flaws.
6. Review and harden database permissions used by Ory Keto to limit the impact of potential SQL injection attacks.
7. Educate development and operations teams about secure configuration management to prevent fallback to insecure defaults.
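Recommendation 1 hinges on two things: the value of `secrets.pagination` must actually be set, and it must come from a CSPRNG. The Go example below is added here as a deployment pre-check and is not Ory Keto's code: it generates a secret from `crypto/rand`, refuses an unset or short value, and shows with AES-GCM why a token sealed under the secret cannot be minted or altered without it. The `Config` struct, the 32-byte minimum, and the environment variable name `SECRETS_PAGINATION` used in `main` are assumptions for this example; check the Ory configuration reference for the exact setting name in your deployment.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"os"
)

// Config holds only the setting this advisory concerns. It is an assumed
// structure for the example, not Keto's own configuration type.
type Config struct {
	PaginationSecret string // value of secrets.pagination
}

// NewPaginationSecret returns 32 bytes from the OS CSPRNG, base64url-encoded
// so it can be pasted into a config file or passed via an environment variable.
func NewPaginationSecret() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// CheckPaginationSecret is the pre-deployment check: an empty value means the
// server would fall back to its built-in default; a short value is guessable.
// The 32-character threshold is this example's choice.
func CheckPaginationSecret(cfg Config) error {
	if cfg.PaginationSecret == "" {
		return errors.New("secrets.pagination is unset: the server would use its built-in default")
	}
	if len(cfg.PaginationSecret) < 32 {
		return fmt.Errorf("secrets.pagination is only %d characters; use a generated random value", len(cfg.PaginationSecret))
	}
	return nil
}

// keyFrom derives a fixed-size AES key from the configured secret string.
func keyFrom(secret string) []byte {
	k := sha256.Sum256([]byte(secret))
	return k[:]
}

// SealCursor encrypts and authenticates a cursor with AES-GCM under the
// secret. Without the secret a client cannot produce a token that opens.
func SealCursor(secret, cursor string) (string, error) {
	block, err := aes.NewCipher(keyFrom(secret))
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(cursor), nil)), nil
}

// OpenCursor rejects any token that was not sealed under the same secret, or
// that was modified, before its contents are ever looked at.
func OpenCursor(secret, token string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(keyFrom(secret))
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("token rejected: too short")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	if err != nil {
		return "", errors.New("token rejected: authentication failed")
	}
	return string(pt), nil
}

func main() {
	// Assumed env var name for secrets.pagination; adjust to your deployment.
	cfg := Config{PaginationSecret: os.Getenv("SECRETS_PAGINATION")}
	if err := CheckPaginationSecret(cfg); err != nil {
		s, _ := NewPaginationSecret()
		fmt.Println("FAIL:", err)
		fmt.Println("suggested value for secrets.pagination:", s)
		return
	}
	fmt.Println("ok: secrets.pagination is set")
}
```

Run the check in CI or as a container entrypoint guard so a deployment that forgot the setting fails before it serves traffic. Rotating the secret invalidates tokens issued under the old one, which is the intended outcome if a default or leaked value was ever in use.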
Affected Countries
United States, Germany, Netherlands, Canada, United Kingdom, Australia, Japan, India, France, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-20T16:59:08.888Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c582253c064ed76fa7cc80
Added to database: 3/26/2026, 6:59:49 PM
Last enriched: 3/26/2026, 7:14:47 PM
Last updated: 3/26/2026, 8:36:51 PM