CVE-2026-33503

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-33503

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33503.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-33503

Aliases

Downstream

SUSE-SU-2026:1135-1

Related

SUSE-SU-2026:1135-1

Published

2026-03-26T17:32:16.304Z

Modified

2026-04-10T05:42:48.828521Z

Severity

7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Ory Kratos has a SQL injection via forged pagination tokens

Details

Ory Kratos is an identity, user management and authentication system for cloud services. Prior to version 26.2.0, the ListCourierMessages Admin API in Ory Kratos is vulnerable to SQL injection due to flaws in its pagination implementation. Pagination tokens are encrypted using the secret configured in secrets.pagination. An attacker who knows this secret can craft their own tokens, including malicious tokens that lead to SQL injection. If this configuration value is not set, Kratos falls back to a default pagination encryption secret. Because this default value is publicly known, attackers can generate valid and malicious pagination tokens manually for installations where this secret is not set. As a first line of defense, immediately configure a custom value for secrets.pagination by generating a cryptographically secure random secret. Next, upgrade Kratos** to a fixed version, 26.2.0 or later, as soon as possible.

Database specific

{
    "cwe_ids": [
        "CWE-89"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33503.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/ory/kratos

Affected ranges

Type

GIT

Repo

https://github.com/ory/kratos

Events

Introduced

Fixed

9d7085948039ffb8960160d4979f71527b5cf4d5

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "26.2.0"
        }
    ]
}

Affected versions

v0.*

v0.0.1-alpha.10+oryOS.15

v0.0.1-alpha.11

v0.0.1-alpha.3

v0.0.1-alpha.5

v0.0.1-alpha.6

v0.0.1-alpha.7

v0.0.1-alpha.8

v0.0.1-alpha.9

v0.0.2-alpha.1

v0.0.3-alpha.1

v0.0.3-alpha.10

v0.0.3-alpha.11

v0.0.3-alpha.12

v0.0.3-alpha.13

v0.0.3-alpha.14

v0.0.3-alpha.15

v0.0.3-alpha.2

v0.0.3-alpha.3

v0.0.3-alpha.4

v0.0.3-alpha.5

v0.0.3-alpha.7

v0.0.3-alpha.8+oryOS.15

v0.0.3-alpha.9

v0.1.0-alpha.1

v0.1.0-alpha.2

v0.1.0-alpha.3

v0.1.0-alpha.4

v0.1.0-alpha.5

v0.1.0-alpha.6

v0.1.1-alpha.1

v0.10.0

v0.10.1

v0.11.0

v0.11.0-alpha.0.pre.2

v0.11.1

v0.13.0

v0.2.0-alpha.2

v0.2.1-alpha.1

v0.3.0-alpha.1

v0.4.0-alpha.1

v0.4.2-alpha.1

v0.4.3-alpha.1

v0.4.4-alpha.1

v0.4.5-alpha.1

v0.4.6-alpha.1

v0.5.0-alpha.1

v0.5.1-alpha.1

v0.5.2-alpha.1

v0.5.3-alpha.1

v0.5.4-alpha.1

v0.5.5-alpha.1

v0.6.0-alpha.1

v0.6.0-alpha.2

v0.6.1-alpha.1

v0.6.2-alpha.1

v0.6.3-alpha.1

v0.7.0-alpha.1

v0.7.1-alpha.1

v0.7.3-alpha.1

v0.7.4-alpha.1

v0.7.5-alpha.1

v0.7.6-alpha.1

v0.8.0-alpha.1

v0.8.0-alpha.2

v0.8.0-alpha.3

v0.8.0-alpha.4.pre.0

v0.8.1-alpha.1

v0.8.2-alpha.1

v0.8.3-alpha.1.pre.0

v0.9.0-alpha.1

v0.9.0-alpha.2

v0.9.0-alpha.3

v1.*

v1.0.0

v1.1.0

v1.2.0

v1.3.0

v25.*

v25.4.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33503.json"