Description
Ory Kratos is an identity, user management and authentication system for cloud services. Prior to version 26.2.0, the ListCourierMessages Admin API in Ory Kratos is vulnerable to SQL injection due to flaws in its pagination implementation. Pagination tokens are encrypted using the secret configured in `secrets.pagination`. An attacker who knows this secret can craft their own tokens, including malicious tokens that lead to SQL injection. If this configuration value is not set, Kratos falls back to a default pagination encryption secret. Because this default value is publicly known, attackers can generate valid and malicious pagination tokens manually for installations where this secret is not set. As a first line of defense, immediately configure a custom value for `secrets.pagination` by generating a cryptographically secure random secret. Next, upgrade Kratos to a fixed version, 26.2.0 or later, as soon as possible.
Published: 2026-03-26
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL injection that can alter or expose data via forged pagination tokens
Action: Immediate Patch
AI Analysis

Impact

Ory Kratos exposes a SQL injection flaw in its ListCourierMessages Admin API before version 26.2.0. Pagination tokens are encrypted with a secret; if an attacker knows that secret or if the system uses the publicly known default, they can construct malicious tokens that cause the backend to execute arbitrary SQL statements, potentially compromising data integrity or confidentiality.

Affected Systems

Any installation of Ory Kratos running a version earlier than 26.2.0 without a custom pagination secret is vulnerable. The vulnerability applies to the ListCourierMessages API endpoint in the identity management service.

Risk and Exploitability

The CVSS score of 7.2 corresponds to a High severity rating. While EPSS data is not available, the attack requires knowledge of the pagination secret or reliance on the default known value, making exploitation more difficult but still feasible. The vulnerability is not listed in the CISA KEV catalog, yet the potential for data compromise warrants immediate attention.

Generated by OpenCVE AI on March 26, 2026 at 18:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Generate a cryptographically secure random value for secrets.pagination to replace the default known secret
  • Upgrade Ory Kratos to version 26.2.0 or later
  • Verify that the ListCourierMessages API is now protected from SQL injection by testing pagination with random tokens
  • Monitor application logs for suspicious pagination token activity
  • Apply any vendor security patches that address related weaknesses after upgrade

Generated by OpenCVE AI on March 26, 2026 at 18:20 UTC.

Advisories
Source | ID | Title
GitHub GHSA | GHSA-hgx2-28f8-6g2r | Ory Kratos has a SQL injection via forged pagination tokens
History

Fri, 17 Apr 2026 19:45:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:ory:kratos:*:*:*:*:*:*:*:*

Fri, 27 Mar 2026 08:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Ory, Ory kratos
Vendors & Products | | Ory, Ory kratos

Thu, 26 Mar 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 17:45:00 +0000

Type | Values Removed | Values Added
Description | | Ory Kratos is an identity, user management and authentication system for cloud services. Prior to version 26.2.0, the ListCourierMessages Admin API in Ory Kratos is vulnerable to SQL injection due to flaws in its pagination implementation. Pagination tokens are encrypted using the secret configured in `secrets.pagination`. An attacker who knows this secret can craft their own tokens, including malicious tokens that lead to SQL injection. If this configuration value is not set, Kratos falls back to a default pagination encryption secret. Because this default value is publicly known, attackers can generate valid and malicious pagination tokens manually for installations where this secret is not set. As a first line of defense, immediately configure a custom value for `secrets.pagination` by generating a cryptographically secure random secret. Next, upgrade Kratos to a fixed version, 26.2.0 or later, as soon as possible.
Title | | Ory Kratos has a SQL injection via forged pagination tokens
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T03:55:20.074Z

Reserved: 2026-03-20T16:59:08.888Z

Link: CVE-2026-33503

Vulnrichment

Updated: 2026-03-26T17:46:04.924Z

NVD

Status: Analyzed

Published: 2026-03-26T18:16:30.897

Modified: 2026-04-17T19:44:20.227

Link: CVE-2026-33503

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:25:48Z

Weaknesses