CVE-2026-33503

Severity: High
Published: 26 March 2026
Modified: 17 April 2026
KEV Added: not listed
Patch: fixed in 26.2.0 or later
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (3.5th percentile)
Risk Priority: 14 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-33503 is a high-severity SQL Injection (CWE-89) vulnerability in Ory Kratos. Its CVSS base score is 7.2 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 3.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-33503 is a SQL injection vulnerability in the ListCourierMessages Admin API of Ory Kratos, an open-source identity, user management, and authentication system for cloud services. The flaw affects versions prior to 26.2.0 and stems from improper handling of pagination tokens, which are encrypted using a secret configured in `secrets.pagination`. If this secret is not explicitly set, Kratos defaults to a publicly known encryption secret, enabling attackers to generate valid pagination tokens.

Exploitation requires high privileges (PR:H in the CVSS 3.1 vector), in practice access to the Admin API. With that access, a network-based attacker faces low attack complexity: they can craft malicious pagination tokens if they know or can guess the pagination secret. Successful exploitation results in SQL injection with high impact on confidentiality, integrity, and availability (C:H/I:H/A:H), potentially enabling data exfiltration, data modification, or denial of service against the underlying database.

The advisory recommends two mitigations: first, immediately configure a custom, cryptographically secure random value for `secrets.pagination` as a defense-in-depth measure; second, upgrade to Ory Kratos version 26.2.0 or later, where the pagination implementation is fixed. Details are available in the GitHub Security Advisory at https://github.com/ory/kratos/security/advisories/GHSA-hgx2-28f8-6g2r.

Vulnerability details

Ory Kratos is an identity, user management and authentication system for cloud services. Prior to version 26.2.0, the ListCourierMessages Admin API in Ory Kratos is vulnerable to SQL injection due to flaws in its pagination implementation. Pagination tokens are encrypted using the secret configured in `secrets.pagination`. An attacker who knows this secret can craft their own tokens, including malicious tokens that lead to SQL injection. If this configuration value is not set, Kratos falls back to a default pagination encryption secret. Because this default value is publicly known, attackers can generate valid and malicious pagination tokens manually for installations where this secret is not set. As a first line of defense, immediately configure a custom value for `secrets.pagination` by generating a cryptographically secure random secret. Next, upgrade Kratos to a fixed version, 26.2.0 or later, as soon as possible.
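The "Deeper analysis" and "Vulnerability details" sections both come down to one configuration check: is `secrets.pagination` explicitly set, or will Kratos silently fall back to the publicly known default? The following is an added example written for this page, not Ory's code, that audits a loaded Kratos configuration for that setting, generates a replacement secret from the OS CSPRNG, and renders the YAML fragment to paste into the config file. It assumes the config has been loaded into a Python dict with the same nesting as the YAML file and that `secrets.pagination` is a list of strings like the other entries under `secrets:`; the sample configs, the DSN and the length policy are constructed for illustration.

```python
import secrets as csprng  # stdlib CSPRNG, not the Kratos `secrets:` config section
from typing import Optional

# Policy thresholds for this example; chosen here, not taken from Ory documentation.
SECRET_BYTES = 32        # bytes of randomness to generate
MIN_SECRET_CHARS = 32    # shortest configured value this check accepts

# Constructed sample: a Kratos config loaded into a dict, with no pagination secret,
# which is the condition the advisory warns about (placeholder DSN and cookie secret).
WEAK_CONFIG = {
    "dsn": "postgres://kratos@db:5432/kratos",
    "secrets": {"cookie": ["PLACEHOLDER-COOKIE-SECRET-CHANGE-ME"]},
}


def generate_pagination_secret(num_bytes: int = SECRET_BYTES) -> str:
    """Hex-encoded secret drawn from the OS CSPRNG via secrets.token_hex()."""
    return csprng.token_hex(num_bytes)


def _pagination_values(config: dict) -> list:
    """Normalise secrets.pagination to a list of non-empty strings (assumed list form)."""
    section = config.get("secrets") if isinstance(config, dict) else None
    raw = section.get("pagination") if isinstance(section, dict) else None
    if isinstance(raw, str):
        raw = [raw]
    if not isinstance(raw, (list, tuple)):
        return []
    return [v.strip() for v in raw if isinstance(v, str) and v.strip()]


def check_pagination_secret(config: dict) -> dict:
    """Return {'ok': bool, 'reason': str} for the secrets.pagination setting.

    Missing or empty means Kratos would use its publicly known default, the
    precondition described in the advisory; a present but short value is
    flagged by this example's own length policy.
    """
    values = _pagination_values(config)
    if not values:
        return {"ok": False,
                "reason": "secrets.pagination is not set; Kratos falls back to the publicly known default"}
    too_short = [v for v in values if len(v) < MIN_SECRET_CHARS]
    if too_short:
        return {"ok": False,
                "reason": f"{len(too_short)} pagination secret(s) shorter than {MIN_SECRET_CHARS} characters"}
    return {"ok": True, "reason": f"{len(values)} explicitly configured pagination secret(s)"}


def harden(config: dict, secret: Optional[str] = None) -> dict:
    """Return a copy of config with a freshly generated secrets.pagination value."""
    hardened = dict(config)
    section = hardened.get("secrets")
    section = dict(section) if isinstance(section, dict) else {}
    section["pagination"] = [secret or generate_pagination_secret()]
    hardened["secrets"] = section
    return hardened


def pagination_yaml_fragment(config: dict) -> str:
    """Render the secrets.pagination entries as a YAML fragment for the config file."""
    lines = ["secrets:", "  pagination:"]
    lines += [f"    - {v}" for v in _pagination_values(config)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("before:", check_pagination_secret(WEAK_CONFIG))
    fixed = harden(WEAK_CONFIG)
    print("after: ", check_pagination_secret(fixed))
    print(pagination_yaml_fragment(fixed))
```

Setting the secret closes the "publicly known default" precondition but does not remove the injection flaw itself; the upgrade to 26.2.0 or later is still required, and any Admin API exposure should be reviewed separately since the CVSS vector already assumes that level of access.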

CWE(s): CWE-89 (SQL Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The SQL injection sits in a network-reachable Admin API, so exploiting it is an instance of attacking a public-facing (or otherwise remotely reachable) application to affect the backing database.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33505 - same vendor: Ory
CVE-2026-33504 - same vendor: Ory
CVE-2026-33494 - same vendor: Ory
CVE-2026-39334 - shared CWE-89
CVE-2024-13488 - shared CWE-89
CVE-2026-20002 - shared CWE-89
CVE-2025-1446 - shared CWE-89
CVE-2025-22699 - shared CWE-89
CVE-2026-36232 - shared CWE-89
CVE-2026-31871 - shared CWE-89

Affected Assets

ory kratos ≤ 26.2.0 (as listed here; note that the advisory text states versions prior to 26.2.0 are affected and that 26.2.0 is the fixed release)

Mitigating Controls (NIST 800-53 r5)

SI-10 (prevent): requires validation of information inputs such as pagination tokens, directly preventing SQL injection exploitation in the ListCourierMessages Admin API.

SI-2 (prevent): mandates timely identification, reporting, and remediation of flaws, including upgrading Ory Kratos to version 26.2.0 or later to fix the pagination SQL injection vulnerability.

CM-6 (prevent): enforces secure configuration settings, such as configuring a custom cryptographically secure pagination secret to block attackers from crafting malicious tokens.
