Description
Ory Hydra is an OAuth 2.0 Server and OpenID Connect Provider. Prior to version 26.2.0, the listOAuth2Clients, listOAuth2ConsentSessions, and listTrustedOAuth2JwtGrantIssuers Admin APIs in Ory Hydra are vulnerable to SQL injection due to flaws in its pagination implementation. Pagination tokens are encrypted using the secret configured in `secrets.pagination`. If this value is not set, Hydra falls back to using `secrets.system`. An attacker who knows this secret can craft their own tokens, including malicious tokens that lead to SQL injection. This issue can be exploited when one or more admin APIs listed above are directly or indirectly accessible to the attacker; the attacker can pass a raw pagination token to the affected API; and the configuration value `secrets.pagination` is set and known to the attacker, or `secrets.pagination` is not set and `secrets.system` is known to the attacker. An attacker can execute arbitrary SQL queries through forged pagination tokens. As a first line of defense, immediately configure a custom value for `secrets.pagination` by generating a cryptographically secure random secret. Next, upgrade Hydra to the fixed version, 26.2.0 as soon as possible.
Published: 2026-03-26
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: Arbitrary SQL execution via forged pagination tokens
Action: Patch Immediately
AI Analysis

Impact

Ory Hydra, an OAuth 2.0 Server and OpenID Connect Provider, contains a flaw in the pagination logic of the listOAuth2Clients, listOAuth2ConsentSessions, and listTrustedOAuth2JwtGrantIssuers Admin APIs. Pagination tokens are encrypted under secrets.pagination (or, when that is unset, under secrets.system), and the decrypted token contents are used to build SQL without adequate validation. Decryption therefore only proves that a token was produced with the secret, not that its contents are safe: anyone who learns the secret can mint a token that injects raw SQL. This is a classic SQL injection (CWE-89) that lets an attacker run arbitrary SQL statements against Hydra's database, exposing or destroying confidential data (clients, consent sessions, trusted issuers and anything else stored there) and compromising the integrity of the identity provider.

Affected Systems

The vulnerability affects all Ory Hydra installations running a version earlier than 26.2.0. Two conditions must hold: the attacker can reach one of the affected Admin APIs, directly or indirectly through a component that forwards a caller-supplied pagination token, and the attacker knows the configured secrets.pagination value or, if that is unset, the fallback secrets.system value. Deployments that never set secrets.pagination are exposed to anyone who holds secrets.system, so a leak of that secret becomes a database compromise.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, 7.2 High) matches the description: the attack is carried out over the network against the Admin API, is of low complexity and needs no user interaction, but requires high privileges, in practice the ability to call the Admin API plus knowledge of the pagination secret (or the fallback system secret). With those in hand, a single crafted pagination token yields arbitrary SQL execution with full impact on the confidentiality, integrity and availability of Hydra's database. EPSS data is not yet available, the vulnerability is not listed in CISA's KEV catalog, and the SSVC assessment records no known exploitation and rates it as not automatable; the total technical impact nonetheless makes this a serious issue, and prompt remediation is recommended.

Generated by OpenCVE AI on March 26, 2026 at 19:50 UTC.

Remediation

The vendor has released a fix in Ory Hydra 26.2.0 (see advisory GHSA-r9w3-57w2-gch2). As an interim measure the vendor advises configuring a dedicated, cryptographically random value for secrets.pagination so that pagination tokens are no longer encrypted under the fallback secrets.system.

OpenCVE Recommended Actions

  • Upgrade Hydra to version 26.2.0 or later as soon as possible
  • If an upgrade cannot be performed immediately, generate a new cryptographically strong value for secrets.pagination and ensure it is used instead of the fallback secrets.system; this only helps while the new value stays secret, so if secrets.system may already have leaked, rotate it as well, since it protects more than pagination in Hydra
  • Restrict access to the Admin APIs so that only trusted administrators can call them, and review any intermediary (gateway, admin console, internal tool) that passes a caller-supplied page token through to them, since the description counts indirect exposure as well
  • Monitor database activity for unexpected queries that may indicate exploitation attempts
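The following Go program is an added illustration written for this page; it is not Hydra's code and does not reproduce its token format. It models the fallback described in the Description and Impact sections (secrets.pagination when set, otherwise secrets.system), shows why a token that decrypts correctly still has to be validated and bound as a query parameter, and shows the effect of the mitigation above: once a dedicated pagination secret is set, a token forged under secrets.system no longer decrypts. The AES-256-GCM construction, the SHA-256 key derivation, the Config shape, the cursor layout, the secret values and the hydra_client table and column names are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
)

// Config holds the two secrets the advisory names. Treating each as a list
// with the first entry active is an assumption of this example.
type Config struct {
	System     []string
	Pagination []string
}

// PaginationSecret reproduces the fallback the advisory describes:
// secrets.pagination when set, otherwise secrets.system.
func PaginationSecret(c Config) string {
	if len(c.Pagination) > 0 {
		return c.Pagination[0]
	}
	return c.System[0]
}

// Cursor is the assumed plaintext of a page token: the last ID returned.
type Cursor struct {
	After string `json:"after"`
}

// aead derives an AES-256-GCM key from the secret (assumed derivation).
func aead(secret string) cipher.AEAD {
	key := sha256.Sum256([]byte(secret))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// EncodeToken seals a cursor under secret. Anyone holding the secret can
// call this, which is exactly the attacker's position in the advisory.
func EncodeToken(secret string, c Cursor) string {
	g := aead(secret)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	pt, _ := json.Marshal(c)
	return base64.RawURLEncoding.EncodeToString(g.Seal(nonce, nonce, pt, nil))
}

// DecodeToken opens a token; it fails for tokens sealed under another secret.
func DecodeToken(secret, token string) (Cursor, error) {
	var c Cursor
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil {
		return c, err
	}
	g := aead(secret)
	if len(raw) < g.NonceSize() {
		return c, errors.New("token too short")
	}
	pt, err := g.Open(nil, raw[:g.NonceSize()], raw[g.NonceSize():], nil)
	if err != nil {
		return c, err
	}
	err = json.Unmarshal(pt, &c)
	return c, err
}

// VulnerableListQuery trusts the decrypted cursor and splices it into SQL.
// Decryption only proves the token was made with the secret, not that its
// contents are safe. Table and column names are illustrative.
func VulnerableListQuery(cfg Config, token string) (string, error) {
	c, err := DecodeToken(PaginationSecret(cfg), token)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("SELECT id FROM hydra_client WHERE id > '%s' ORDER BY id LIMIT 100", c.After), nil
}

var safeCursor = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`)

// HardenedListQuery validates the cursor and returns it as a bind parameter,
// so its value can never change the structure of the statement.
func HardenedListQuery(cfg Config, token string) (string, []any, error) {
	c, err := DecodeToken(PaginationSecret(cfg), token)
	if err != nil {
		return "", nil, err
	}
	if !safeCursor.MatchString(c.After) {
		return "", nil, errors.New("invalid pagination cursor")
	}
	return "SELECT id FROM hydra_client WHERE id > $1 ORDER BY id LIMIT 100", []any{c.After}, nil
}

func main() {
	// Constructed scenario: secrets.pagination was never set and the attacker
	// has learned secrets.system.
	cfg := Config{System: []string{"leaked-system-secret"}}
	forged := EncodeToken("leaked-system-secret", Cursor{After: "x' OR 1=1; DROP TABLE hydra_client; --"})
	q, _ := VulnerableListQuery(cfg, forged)
	fmt.Println("vulnerable:", q)
	_, _, err := HardenedListQuery(cfg, forged)
	fmt.Println("hardened:", err)
	// Mitigation from the advisory: a dedicated pagination secret. The token
	// forged under secrets.system no longer decrypts at all.
	cfg.Pagination = []string{"fresh-random-pagination-secret"}
	_, err = VulnerableListQuery(cfg, forged)
	fmt.Println("after setting secrets.pagination:", err)
}
```

Run it with `go run .`; the first line printed shows the injected text inside the SQL statement, the second shows the hardened path rejecting the same token, and the third shows the token failing to decrypt once a dedicated pagination secret is in place. Note that setting secrets.pagination protects only against an attacker who knows secrets.system but not the new value; the parameterised query is what removes the injection itself, which is why the upgrade to 26.2.0 remains necessary.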


Advisories
Source: GitHub GHSA
ID: GHSA-r9w3-57w2-gch2
Title: Ory Hydra has a SQL injection via forged pagination tokens
History

Fri, 27 Mar 2026 08:45:00 +0000

  First Time appeared (added): Ory; Ory hydra
  Vendors & Products (added): Ory; Ory hydra

Thu, 26 Mar 2026 19:15:00 +0000

  Metrics (added): ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 18:00:00 +0000

  Description (added): the text shown in the Description section above
  Title (added): Ory Hydra has a SQL injection via forged pagination tokens
  Weaknesses (added): CWE-89
  References (added)
  Metrics (added): cvssV3_1
    {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T18:46:01.194Z

Reserved: 2026-03-20T16:59:08.888Z

Link: CVE-2026-33504

Vulnrichment

Updated: 2026-03-26T18:45:55.864Z

NVD

Status: Received

Published: 2026-03-26T18:16:31.060

Modified: 2026-03-26T18:16:31.060

Link: CVE-2026-33504

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:25:47Z

Weaknesses