Description
Ory Hydra is an OAuth 2.0 Server and OpenID Connect Provider. Prior to version 26.2.0, the listOAuth2Clients, listOAuth2ConsentSessions, and listTrustedOAuth2JwtGrantIssuers Admin APIs in Ory Hydra are vulnerable to SQL injection due to flaws in its pagination implementation. Pagination tokens are encrypted using the secret configured in `secrets.pagination`. If this value is not set, Hydra falls back to using `secrets.system`. An attacker who knows this secret can craft their own tokens, including malicious tokens that lead to SQL injection. This issue can be exploited when one or more of the admin APIs listed above are directly or indirectly accessible to the attacker; the attacker can pass a raw pagination token to the affected API; and the configuration value `secrets.pagination` is set and known to the attacker, or `secrets.pagination` is not set and `secrets.system` is known to the attacker. An attacker can execute arbitrary SQL queries through forged pagination tokens. As a first line of defense, immediately configure a custom value for `secrets.pagination` by generating a cryptographically secure random secret. Next, upgrade Hydra to the fixed version, 26.2.0, as soon as possible.
Published: 2026-03-26
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: arbitrary SQL injection via forged pagination tokens
Action: Patch
AI Analysis

Impact

A flaw in Ory Hydra’s administrative pagination handling allows an attacker to supply a crafted token that is directly inserted into an SQL statement. This results in injection of arbitrary SQL code, providing the attacker with the ability to read, modify or delete database contents. The vulnerability does not grant arbitrary system code execution, but it does enable full compromise of the Hydra data store.

Affected Systems

The issue affects Ory Hydra versions older than 26.2.0, specifically the listOAuth2Clients, listOAuth2ConsentSessions, and listTrustedOAuth2JwtGrantIssuers admin APIs. Pagination tokens are encrypted with the secret configured in secrets.pagination; if that secret is not set, secrets.system is used instead. An attacker who can reach these APIs and knows the relevant secret can craft a token that triggers the injection.

Risk and Exploitability

The CVSS score of 7.2 indicates a serious level of risk, while the EPSS score is reported as less than 1% and the vulnerability is not present in the CISA KEV catalog. Exploitation requires direct access to one of the affected admin endpoints and knowledge of the pagination or system secret. If the secret is misconfigured or exposed, the attack path is straightforward; otherwise, the attack depends on the secret remaining confidential.

Generated by OpenCVE AI on April 8, 2026 at 00:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ory Hydra to version 26.2.0 or later
  • Configure a new cryptographically secure value for secrets.pagination (or secrets.system if pagination is unset)
  • Restrict access to the admin APIs so that only trusted hosts or privileged users can reach them
  • Monitor API logs for unusual pagination token usage or repeated injection attempts
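The pattern behind these recommendations, shown as an added example that is neither Hydra's code nor part of this advisory: a pagination token is sealed with AES-GCM under a server secret, but after it is opened its contents are still checked against an allow-list and bound as query parameters, so a token forged by someone who knows the secret cannot change the SQL that runs. The cursor layout, the table name `oauth2_clients`, the column allow-list and the function names are assumptions of this example, not Hydra's schema or API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Cursor is the payload carried inside a pagination token. The fields, the
// table and the column names used here are constructed for this example.
type Cursor struct {
	Offset  int    `json:"offset"`
	OrderBy string `json:"order_by"`
}

// allowedOrderColumns is the allow-list of sortable columns. A token whose
// order_by is not listed is rejected even when it decrypts and authenticates,
// so knowing the key alone does not let a caller inject into ORDER BY.
var allowedOrderColumns = map[string]bool{"id": true, "created_at": true}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncodeToken seals a cursor with AES-GCM under key and returns
// base64url(nonce || ciphertext || tag).
func EncodeToken(key []byte, c Cursor) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	plain, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, plain, nil)
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// DecodeToken opens a token and validates every field before it gets near
// SQL. Successful decryption proves the token was made with the key; it says
// nothing about whether the contents are safe to use.
func DecodeToken(key []byte, token string) (Cursor, error) {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil {
		return Cursor{}, errors.New("malformed token encoding")
	}
	aead, err := newAEAD(key)
	if err != nil {
		return Cursor{}, err
	}
	ns := aead.NonceSize()
	if len(raw) < ns {
		return Cursor{}, errors.New("token too short")
	}
	plain, err := aead.Open(nil, raw[:ns], raw[ns:], nil)
	if err != nil {
		return Cursor{}, errors.New("token authentication failed")
	}
	var c Cursor
	if err := json.Unmarshal(plain, &c); err != nil {
		return Cursor{}, errors.New("token payload is not a cursor")
	}
	if c.Offset < 0 {
		return Cursor{}, errors.New("negative offset")
	}
	if !allowedOrderColumns[c.OrderBy] {
		return Cursor{}, fmt.Errorf("order column %q not allowed", c.OrderBy)
	}
	return c, nil
}

// BuildListQuery builds the statement for a validated cursor. The column name
// can only be an allow-listed value; limit and offset are bound as parameters
// rather than interpolated into the statement text.
func BuildListQuery(c Cursor, limit int) (string, []any) {
	q := fmt.Sprintf("SELECT id FROM oauth2_clients ORDER BY %s LIMIT $1 OFFSET $2", c.OrderBy)
	return q, []any{limit, c.Offset}
}

func main() {
	key := make([]byte, 32) // constructed demo key; generate a random one in practice
	tok, _ := EncodeToken(key, Cursor{Offset: 20, OrderBy: "created_at"})
	c, err := DecodeToken(key, tok)
	fmt.Println("valid token:", c, err)
	// A caller who knows the key can seal any payload; the allow-list still rejects it.
	forged, _ := EncodeToken(key, Cursor{Offset: 0, OrderBy: "id; SELECT 1"})
	_, err = DecodeToken(key, forged)
	fmt.Println("forged token with known key:", err)
}
```

Running the block prints a successful round trip followed by the rejection of a token that was sealed with the correct key but carries an unknown column name. Encryption establishes who produced the token; the allow-list and the bound parameters are what keep `order_by` and `offset` out of the statement text, which is the property that a leaked `secrets.pagination` or `secrets.system` value should not be able to undo.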

Advisories

Source: GitHub GHSA
ID: GHSA-r9w3-57w2-gch2
Title: Ory Hydra has a SQL injection via forged pagination tokens
History

Tue, 07 Apr 2026 21:30:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:ory:hydra:*:*:*:*:*:*:*:*

Fri, 27 Mar 2026 08:45:00 +0000

Type: First Time appeared
Values Added: Ory; Ory hydra

Type: Vendors & Products
Values Added: Ory; Ory hydra

Thu, 26 Mar 2026 19:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 18:00:00 +0000

Type: Description
Values Added: (the full description shown at the top of this page)
Type: Title
Values Added: Ory Hydra has a SQL injection via forged pagination tokens

Type: Weaknesses
Values Added: CWE-89

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T18:46:01.194Z

Reserved: 2026-03-20T16:59:08.888Z

Link: CVE-2026-33504

Vulnrichment

Updated: 2026-03-26T18:45:55.864Z

NVD

Status : Analyzed

Published: 2026-03-26T18:16:31.060

Modified: 2026-04-07T21:15:36.000

Link: CVE-2026-33504

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T20:01:11Z

Weaknesses