CVE-2026-33503 Overview
CVE-2026-33503 is a SQL Injection vulnerability affecting Ory Kratos, an identity, user management, and authentication system designed for cloud services. The vulnerability exists in the ListCourierMessages Admin API due to flaws in its pagination implementation. Prior to version 26.2.0, pagination tokens are encrypted using the secret configured in secrets.pagination. An attacker who knows this secret—or exploits the publicly known default value—can craft malicious tokens that lead to SQL injection attacks.
Critical Impact
Attackers can leverage SQL injection to read, modify, or delete sensitive identity and authentication data from the Kratos database, potentially compromising all user accounts managed by the affected installation.
Affected Products
- Ory Kratos versions prior to 26.2.0
- Installations using the default secrets.pagination configuration value
- Cloud deployments with exposed Admin API endpoints
Discovery Timeline
- 2026-03-26 - CVE CVE-2026-33503 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33503
Vulnerability Analysis
This SQL Injection vulnerability (CWE-89) stems from improper validation of pagination tokens in the ListCourierMessages Admin API. The vulnerability's network attack vector means remote attackers can exploit it without physical access to the target system. While high privileges are required to access the Admin API, the impact is severe across confidentiality, integrity, and availability dimensions.
The core issue lies in the pagination token encryption mechanism. Pagination tokens are encrypted using a secret stored in secrets.pagination. If an attacker knows this secret value, they can forge their own tokens containing SQL injection payloads. The situation is exacerbated by the fact that when secrets.pagination is not explicitly configured, Kratos falls back to a default encryption secret that is publicly documented in the codebase.
Root Cause
The root cause is a combination of two security weaknesses: insufficient input validation of decrypted pagination token contents before using them in SQL queries, and the use of a publicly known default encryption secret. When pagination tokens are decrypted, the extracted values are incorporated into database queries without proper sanitization or parameterization, allowing SQL injection when an attacker controls the token contents.
Attack Vector
An attacker targeting this vulnerability must first obtain knowledge of the pagination encryption secret. This can be achieved either by discovering the configured secret through other means or by targeting installations that use the publicly known default value. Once the secret is known, the attacker can encrypt malicious SQL payloads into valid pagination tokens. When these crafted tokens are submitted to the ListCourierMessages Admin API endpoint, the SQL injection payload is executed against the backend database.
The attack requires network access to the Admin API and appropriate privileges to invoke the ListCourierMessages endpoint. The vulnerability allows the attacker to manipulate SQL queries executed by the pagination logic, potentially leading to unauthorized data access, data modification, or denial of service through database manipulation.
Detection Methods for CVE-2026-33503
Indicators of Compromise
- Unusual or malformed pagination token values in Admin API request logs
- Unexpected SQL error messages or database exceptions in application logs
- Anomalous database query patterns or unexpected data access events
- Authentication or authorization anomalies in courier message retrieval operations
Detection Strategies
- Monitor Admin API endpoints for requests containing suspicious pagination tokens with encoded SQL syntax
- Implement database activity monitoring to detect unusual query patterns against courier message tables
- Review access logs for the ListCourierMessages API endpoint for anomalous request volumes or sources
- Deploy Web Application Firewall (WAF) rules to detect SQL injection patterns in API requests
Monitoring Recommendations
- Enable verbose logging on the Kratos Admin API to capture full request details including pagination parameters
- Configure database audit logging to track all queries executed by the Kratos application
- Set up alerting for SQL error conditions or database constraint violations in Kratos logs
- Monitor for configuration changes to the secrets.pagination setting
How to Mitigate CVE-2026-33503
Immediate Actions Required
- Configure a custom cryptographically secure random value for secrets.pagination in your Kratos configuration immediately
- Upgrade Ory Kratos to version 26.2.0 or later as soon as possible
- Review Admin API access controls and restrict access to trusted networks and authenticated administrators only
- Audit database logs for any signs of exploitation prior to patching
Patch Information
The vulnerability is fixed in Ory Kratos version 26.2.0 and later. Organizations should upgrade to the latest available version to receive the security fix. For additional details on the vulnerability and remediation, refer to the GitHub Security Advisory.
Workarounds
- As a first line of defense, immediately configure a custom secrets.pagination value using a cryptographically secure random string
- Restrict network access to the Admin API to only trusted internal networks or VPN connections
- Implement additional authentication and authorization controls for Admin API access
- Deploy a WAF with SQL injection detection rules in front of the Kratos Admin API
# Configuration example - Generate a secure pagination secret
# Generate a 32-byte cryptographically secure random secret
openssl rand -base64 32
# Add to your Kratos configuration (kratos.yml)
# secrets:
# pagination:
# - "YOUR_GENERATED_SECURE_SECRET_HERE"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
