Description
Ory Keto is an open source authorization server for managing permissions at scale. Prior to version 26.2.0, the GetRelationships API in Ory Keto is vulnerable to SQL injection due to flaws in its pagination implementation. Pagination tokens are encrypted using the secret configured in `secrets.pagination`. An attacker who knows this secret can craft their own tokens, including malicious tokens that lead to SQL injection. If this configuration value is not set, Keto falls back to a hard-coded default pagination encryption secret. Because this default value is publicly known, attackers can generate valid and malicious pagination tokens manually for installations where this secret is not set. This issue can be exploited when the GetRelationships API is directly or indirectly accessible to the attacker, the attacker can pass a raw pagination token to the affected API, and the configuration value `secrets.pagination` is not set or is known to the attacker. An attacker can execute arbitrary SQL queries through forged pagination tokens. As a first line of defense, immediately configure a custom value for `secrets.pagination` by generating a cryptographically secure random secret. Next, upgrade Keto to a fixed version, 26.2.0 or later, as soon as possible.
Published: 2026-03-26
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary SQL Injection via forged pagination tokens
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from improper handling of encrypted pagination tokens in the GetRelationships API of Ory Keto. When a token is decrypted, its content is incorporated directly into a SQL query without sufficient validation. An attacker who can produce a valid token, which is feasible if the default pagination secret is in use or if the configured secret is known, can embed SQL statements that execute against the underlying database. This permits arbitrary SQL execution, allowing reading, manipulation, or deletion of authorization data and thereby compromising the confidentiality and integrity of the system.
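The decrypt-then-trust pattern described above, shown in hardened form as an added example that is not Keto's own code: the decrypted token is parsed into a typed cursor, each field is validated against its expected shape, the query binds those values as parameters instead of splicing token text into SQL, and the process refuses to run with `secrets.pagination` unset. The cursor layout, the `relation_tuples` table name and the 32-byte secret floor are assumptions of this example.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"errors"
	"regexp"
)

// Hypothetical cursor shape (not Keto's real token format): typed fields
// only, so no text from the token is ever treated as SQL.
type cursor struct {
	LastID string `json:"last_id"`
	Limit  int    `json:"limit"`
}

var uuidRe = regexp.MustCompile(`^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$`)

// checkPaginationSecret is the advisory's first line of defense in code: refuse
// to run with secrets.pagination unset. The 32-byte floor is this example's assumption.
func checkPaginationSecret(secret string) error {
	if len(secret) < 32 {
		return errors.New("secrets.pagination must be a random value of at least 32 bytes")
	}
	return nil
}

// parseCursor turns an already-decrypted token (plain base64 here, since the
// encryption layer is not what failed) into a validated cursor.
func parseCursor(token string) (cursor, error) {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil {
		return cursor{}, errors.New("cursor: bad encoding")
	}
	var c cursor
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields() // reject fields the schema does not declare
	if err := dec.Decode(&c); err != nil {
		return cursor{}, errors.New("cursor: bad payload")
	}
	if !uuidRe.MatchString(c.LastID) || c.Limit < 1 || c.Limit > 1000 {
		return cursor{}, errors.New("cursor: field out of expected shape")
	}
	return c, nil
}

// buildQuery binds cursor values as parameters; the SQL text is a constant.
func buildQuery(c cursor) (string, []any) {
	return "SELECT * FROM relation_tuples WHERE id > $1 ORDER BY id LIMIT $2", []any{c.LastID, c.Limit}
}
```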

Affected Systems

All installations of Ory Keto released before version 26.2.0 are affected. The risk is greatest when the configuration value `secrets.pagination` is not overridden, so the publicly known default secret is in use, or when an attacker has otherwise obtained the configured secret. If the GetRelationships endpoint is reachable by an external actor, the attacker can supply a forged pagination token to trigger the flaw.

Risk and Exploitability

The CVSS score of 7.2 places the vulnerability in the high severity range. EPSS data is not available, but the issue can be triggered through a single HTTP request to a publicly reachable API, making exploitation straightforward. The vulnerability is not listed in the CISA KEV catalog; however, since only an accessible endpoint and a known or predictable secret are required, exploitation is highly likely wherever those conditions hold. The impact includes full read/write access to permission data via arbitrary SQL execution.

Generated by OpenCVE AI on March 26, 2026 at 22:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ory Keto to version 26.2.0 or later
  • Configure a unique, cryptographically secure value for the `secrets.pagination` setting


Tracking


Advisories
Source: Github GHSA
ID: GHSA-c38g-mx2c-9wf2
Title: Ory Keto has a SQL injection via forged pagination tokens
History

Fri, 17 Apr 2026 20:00:00 +0000

CPEs (values added): cpe:2.3:a:ory:keto:*:*:*:*:*:*:*:*

Mon, 30 Mar 2026 15:15:00 +0000

Metrics (values added): ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 08:45:00 +0000

First Time appeared (values added): Ory; Ory keto
Vendors & Products (values added): Ory; Ory keto

Thu, 26 Mar 2026 19:00:00 +0000

Description (values added): Ory Keto is an open source authorization server for managing permissions at scale. Prior to version 26.2.0, the GetRelationships API in Ory Keto is vulnerable to SQL injection due to flaws in its pagination implementation. Pagination tokens are encrypted using the secret configured in `secrets.pagination`. An attacker who knows this secret can craft their own tokens, including malicious tokens that lead to SQL injection. If this configuration value is not set, Keto falls back to a hard-coded default pagination encryption secret. Because this default value is publicly known, attackers can generate valid and malicious pagination tokens manually for installations where this secret is not set. This issue can be exploited when the GetRelationships API is directly or indirectly accessible to the attacker, the attacker can pass a raw pagination token to the affected API, and the configuration value `secrets.pagination` is not set or is known to the attacker. An attacker can execute arbitrary SQL queries through forged pagination tokens. As a first line of defense, immediately configure a custom value for `secrets.pagination` by generating a cryptographically secure random secret. Next, upgrade Keto to a fixed version, 26.2.0 or later, as soon as possible.
Title (values added): Ory Keto has a SQL injection via forged pagination tokens
Weaknesses (values added): CWE-89
References (values added): none listed
Metrics (values added): cvssV3_1
{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-30T14:55:58.608Z

Reserved: 2026-03-20T16:59:08.888Z

Link: CVE-2026-33505

Vulnrichment

Updated: 2026-03-30T13:58:02.888Z

NVD

Status : Analyzed

Published: 2026-03-26T19:17:04.753

Modified: 2026-04-17T19:45:13.037

Link: CVE-2026-33505

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:25:46Z

Weaknesses