CVE-2026-33503
Published: 26 March 2026
Summary
CVE-2026-33503 is a high-severity SQL Injection (CWE-89) vulnerability in Ory Kratos. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 1.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validation of information inputs such as pagination tokens, directly preventing SQL injection exploitation in the ListCourierMessages Admin API.
SI-2 mandates timely identification, reporting, and remediation of flaws, including upgrading Ory Kratos to version 26.2.0 or later to fix the pagination SQL injection vulnerability.
CM-6 enforces secure configuration settings, such as configuring a custom cryptographically secure pagination secret to block attackers from crafting malicious tokens.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in the network-accessible Admin API is a direct instance of exploiting a public-facing (or remotely reachable) application vulnerability, with the resulting impact landing on the database.
NVD Description
Ory Kratos is an identity, user management and authentication system for cloud services. Prior to version 26.2.0, the ListCourierMessages Admin API in Ory Kratos is vulnerable to SQL injection due to flaws in its pagination implementation. Pagination tokens are encrypted using the secret configured in `secrets.pagination`. An attacker who knows this secret can craft their own tokens, including malicious tokens that lead to SQL injection. If this configuration value is not set, Kratos falls back to a default pagination encryption secret. Because this default value is publicly known, attackers can generate valid and malicious pagination tokens manually for installations where this secret is not set. As a first line of defense, immediately configure a custom value for `secrets.pagination` by generating a cryptographically secure random secret. Next, upgrade Kratos to a fixed version, 26.2.0 or later, as soon as possible.
Deeper analysis
CVE-2026-33503 is a SQL injection vulnerability in the ListCourierMessages Admin API of Ory Kratos, an open-source identity, user management, and authentication system for cloud services. The flaw affects versions prior to 26.2.0 and stems from improper handling of pagination tokens, which are encrypted using a secret configured in `secrets.pagination`. If this secret is not explicitly set, Kratos defaults to a publicly known encryption secret, enabling attackers to generate valid pagination tokens.
Exploitation requires high privileges (PR:H per CVSS 3.1 score of 7.2), typically access to the Admin API, allowing a network-based attacker with low complexity to craft malicious pagination tokens if they know or guess the pagination secret. Successful exploitation leads to SQL injection, granting high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), potentially enabling data exfiltration, modification, or denial of service against the underlying database.
The advisory recommends two mitigations: first, immediately configure a custom, cryptographically secure random value for `secrets.pagination` as a defense-in-depth measure; second, upgrade to Ory Kratos version 26.2.0 or later, where the pagination implementation is fixed. Details are available in the GitHub Security Advisory at https://github.com/ory/kratos/security/advisories/GHSA-hgx2-28f8-6g2r.
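The defensive pattern behind the SI-10 and CM-6 controls above, as an added example that is not Kratos's own code: the decrypted cursor is treated as untrusted input and validated against an exact shape and an allowlist before a parameterized query runs, and a configuration check refuses an unset or short `secrets.pagination`. The table, column names, `MAX_PAGE_SIZE` and the 32-character minimum are assumptions of this example.

```python
import base64
import json
import sqlite3

# Constructed model of a paginated list endpoint; not Ory Kratos's own code.
# Kratos decrypts the token with `secrets.pagination`; here `token` is the already-decrypted
# payload: once the secret is known (or is the public default) it is attacker-controlled.
ALLOWED_SORT_COLUMNS = {"id", "created_at"}  # allowlist; never taken verbatim from input
MAX_PAGE_SIZE = 250                          # hypothetical upper bound

def parse_cursor(token: str) -> dict:
    """Accept only the exact cursor shape; reject everything else with ValueError."""
    try:
        payload = json.loads(base64.urlsafe_b64decode(token.encode()))
    except ValueError as exc:  # covers bad base64 (binascii.Error) and bad JSON
        raise ValueError("malformed cursor") from exc
    if not isinstance(payload, dict) or set(payload) != {"after_id", "page_size", "sort_by"}:
        raise ValueError("unexpected cursor fields")
    if type(payload["after_id"]) is not int or payload["after_id"] < 0:
        raise ValueError("after_id must be a non-negative integer")
    if type(payload["page_size"]) is not int or not 1 <= payload["page_size"] <= MAX_PAGE_SIZE:
        raise ValueError("page_size out of range")
    if payload["sort_by"] not in ALLOWED_SORT_COLUMNS:
        raise ValueError("sort_by not in allowlist")
    return payload

def list_courier_messages(conn: sqlite3.Connection, token: str) -> list:
    """Page through messages using bound parameters and an allowlisted ORDER BY column."""
    cur = parse_cursor(token)
    sql = f"SELECT id, recipient FROM courier_messages WHERE id > ? ORDER BY {cur['sort_by']} LIMIT ?"
    return conn.execute(sql, (cur["after_id"], cur["page_size"])).fetchall()

def pagination_secret_is_configured(config: dict, min_length: int = 32) -> bool:
    """CM-6 check: an unset `secrets.pagination` means the publicly known default is in use."""
    values = (config.get("secrets") or {}).get("pagination") or []
    if isinstance(values, str):
        values = [values]
    return bool(values) and all(isinstance(v, str) and len(v) >= min_length for v in values)

def make_cursor(after_id, page_size, sort_by) -> str:
    body = json.dumps({"after_id": after_id, "page_size": page_size, "sort_by": sort_by})
    return base64.urlsafe_b64encode(body.encode()).decode()

def demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")  # constructed sample table, not Kratos's schema
    conn.execute("CREATE TABLE courier_messages (id INTEGER PRIMARY KEY, recipient TEXT, created_at INTEGER)")
    conn.executemany("INSERT INTO courier_messages VALUES (?, ?, ?)",
                     [(i, f"user{i}@example.test", 1000 + i) for i in range(1, 6)])
    return conn
```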
Details
- CWE(s)