CVE-2026-33504
Published: 26 March 2026
Summary
CVE-2026-33504 is a high-severity SQL Injection (CWE-89) vulnerability in Ory Hydra. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the vulnerability by requiring timely remediation through upgrading to Ory Hydra version 26.2.0, which fixes the SQL injection flaws in pagination token handling.
Mandates validation of pagination token inputs to the affected Admin APIs, preventing SQL injection via crafted malicious tokens.
Requires secure configuration of cryptographically strong, unique secrets for pagination token encryption, blocking token forgery by attackers lacking secret knowledge.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in accessible Admin APIs directly enables application exploitation (T1190) and arbitrary DB queries for collection (T1213.006) or stored data manipulation (T1565.001).
NVD Description
Ory Hydra is an OAuth 2.0 Server and OpenID Connect Provider. Prior to version 26.2.0, the listOAuth2Clients, listOAuth2ConsentSessions, and listTrustedOAuth2JwtGrantIssuers Admin APIs in Ory Hydra are vulnerable to SQL injection due to flaws in its pagination implementation. Pagination tokens are…
more
encrypted using the secret configured in `secrets.pagination`. If this value is not set, Hydra falls back to using `secrets.system`. An attacker who knows this secret can craft their own tokens, including malicious tokens that lead to SQL injection. This issue can be exploited when one or more admin APIs listed above are directly or indirectly accessible to the attacker; the attacker can pass a raw pagination token to the affected API; and the configuration value `secrets.pagination` is set and known to the attacker, or `secrets.pagination` is not set and `secrets.system` is known to the attacker. An attacker can execute arbitrary SQL queries through forged pagination tokens. As a first line of defense, immediately configure a custom value for `secrets.pagination` by generating a cryptographically secure random secret. Next, upgrade Hydra to the fixed version, 26.2.0 as soon as possible.
Deeper analysisAI
CVE-2026-33504 is a SQL injection vulnerability affecting Ory Hydra, an OAuth 2.0 Server and OpenID Connect Provider, in versions prior to 26.2.0. The flaw exists in the pagination implementation of the Admin APIs listOAuth2Clients, listOAuth2ConsentSessions, and listTrustedOAuth2JwtGrantIssuers. Pagination tokens are encrypted using the configured secret in secrets.pagination, or fall back to secrets.system if not set. This allows attackers who know the relevant secret to craft malicious tokens that inject SQL payloads.
An attacker with high privileges (PR:H per CVSS 3.1 score of 7.2) can exploit this if the affected Admin APIs are directly or indirectly accessible and they can pass a raw pagination token. By forging tokens with knowledge of secrets.pagination (if set) or secrets.system (if fallback), the attacker can execute arbitrary SQL queries, potentially compromising confidentiality, integrity, and availability (C:H/I:H/A:H) of the database.
The GitHub security advisory (GHSA-r9w3-57w2-gch2) recommends as a first defense configuring a custom, cryptographically secure random value for secrets.pagination immediately. The definitive mitigation is upgrading to Ory Hydra version 26.2.0, which addresses the pagination flaws.
Details
- CWE(s)