CVE-2026-33503
Description
Ory Kratos is an identity, user management and authentication system for cloud services. Prior to version 26.2.0, the ListCourierMessages Admin API in Ory Kratos is vulnerable to SQL injection due to flaws in its pagination implementation. Pagination tokens are encrypted using the secret configured in secrets.pagination. An attacker who knows this secret can craft their own tokens, including malicious tokens that lead to SQL injection. If this configuration value is not set, Kratos falls back to a default pagination encryption secret. Because this default value is publicly known, attackers can generate valid and malicious pagination tokens manually for installations where this secret is not set. As a first line of defense, immediately configure a custom value for secrets.pagination by generating a cryptographically secure random secret. Next, upgrade Kratos** to a fixed version, 26.2.0 or later, as soon as possible.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/ory/kratosGo | < 1.3.1-0.20260320110106-9d7085948039 | 1.3.1-0.20260320110106-9d7085948039 |
Affected products
3- ghsa-coords2 versions
< 1.3.1-0.20260320110106-9d7085948039+ 1 more
- (no CPE)range: < 1.3.1-0.20260320110106-9d7085948039
- (no CPE)range: < 0.0.20260326T203309-150000.1.155.2
Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-hgx2-28f8-6g2rghsaADVISORY
- github.com/ory/kratos/security/advisories/GHSA-hgx2-28f8-6g2rnvdMitigationVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-33503ghsaADVISORY
News mentions
0No linked articles in our index yet.