CVE-2026-33505 Overview
CVE-2026-33505 is a SQL Injection vulnerability affecting Ory Keto, an open source authorization (permission) server designed for managing permissions at scale. The vulnerability exists in the GetRelationships API and stems from its pagination implementation. Prior to version 26.2.0, pagination tokens are encrypted using the secret configured in secrets.pagination. An attacker who knows this secret, or who relies on the publicly known hard-coded default that is used when no custom secret is configured, can craft tokens whose decrypted contents lead to SQL injection, allowing arbitrary SQL query execution.
Critical Impact
Attackers can execute arbitrary SQL queries through forged pagination tokens, potentially leading to data exfiltration, unauthorized data modification, or complete database compromise.
Affected Products
- Ory Keto versions prior to 26.2.0
Discovery Timeline
- 2026-03-26 - CVE-2026-33505 published to NVD
- 2026-03-26 - Last updated in the NVD database
Technical Details for CVE-2026-33505
Vulnerability Analysis
This vulnerability (CWE-89: SQL Injection) arises from improper handling of pagination tokens within Ory Keto's GetRelationships API. The pagination mechanism relies on encrypted tokens to maintain query state across paginated results. When the secrets.pagination configuration value is not explicitly set, Keto falls back to a hard-coded default encryption secret that is publicly known in the source code.
Because encryption alone is the only protection, a token that decrypts successfully is treated as trustworthy, and its decrypted contents are used to build the SQL query that resumes the listing. An attacker who knows the secret (the default, or a leaked custom value) can therefore seal a token whose "cursor" is attacker-chosen text, submit it to GetRelationships, and have that text reach the database as part of the query. Encryption with a key the attacker also holds provides neither confidentiality nor authenticity, so no input check is bypassed here; the check was never applied to the decrypted contents.
Root Cause
The root cause is twofold: first, the use of a hard-coded default secret for pagination token encryption when secrets.pagination is not configured, which means every unconfigured deployment shares a key the attacker can read from the source; second, the decrypted pagination token contents are incorporated into SQL queries without being validated against their expected shape or passed as bound parameters. The encryption layer was effectively acting as the only integrity control, and a known key defeats it entirely.
Attack Vector
This vulnerability can be exploited when:
- The GetRelationships API is directly or indirectly accessible to the attacker (network-accessible)
- The attacker can pass a raw pagination token to the affected API
- The configuration value secrets.pagination is not set (using default) or is known to the attacker
An attacker with knowledge of the encryption secret can construct a malicious pagination token, encrypt it using the known secret, and submit it to the GetRelationships API endpoint. The server decrypts the token and incorporates its contents into SQL queries without proper sanitization, resulting in SQL injection.
The vulnerability requires network access and high privileges (PR:H) to exploit, but no user interaction is necessary. Once exploited, it can result in high impact to confidentiality, integrity, and availability of the affected system.
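To make the mechanism above concrete, the following is an added Go example written for this page; it is not Ory Keto's code and does not reproduce Keto's real default secret, token format, or database schema. It models the pattern the advisory describes: a cursor sealed with AES-GCM under a shared secret, a query builder that trusts whatever decrypts (vulnerableQuery), and the hardened form that validates the cursor and binds it as a parameter (safeQuery). The constant hypotheticalDefaultSecret, the table relation_tuples, and the column id are placeholders chosen for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
)

// hypotheticalDefaultSecret stands in for whatever hard-coded value an
// unconfigured server falls back to. Placeholder only, not Keto's real default.
const hypotheticalDefaultSecret = "hypothetical-default-pagination-secret"

// newGCM derives a 32-byte AES-256 key from the secret string and returns an AEAD.
func newGCM(secret string) (cipher.AEAD, error) {
	key := sha256.Sum256([]byte(secret))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealToken encrypts a pagination cursor (the "last seen" row id) into a
// URL-safe token. Anyone holding the secret can run this, which is exactly
// what lets an attacker forge tokens when the secret is the shared default.
func sealToken(secret, cursor string) (string, error) {
	gcm, err := newGCM(secret)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(cursor), nil)), nil
}

// openToken decrypts a token; it fails for tokens sealed under another secret
// or modified after sealing, but not for tokens forged with the right secret.
func openToken(secret, token string) (string, error) {
	gcm, err := newGCM(secret)
	if err != nil {
		return "", err
	}
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(raw) < ns {
		return "", errors.New("pagination token too short")
	}
	plain, err := gcm.Open(nil, raw[:ns], raw[ns:], nil)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// vulnerableQuery models the flawed pattern: a token that decrypts is trusted
// and its contents are spliced straight into the SQL text.
func vulnerableQuery(secret, token string) (string, error) {
	cursor, err := openToken(secret, token)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("SELECT * FROM relation_tuples WHERE id > '%s' ORDER BY id LIMIT 100", cursor), nil
}

var uuidRe = regexp.MustCompile(`^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$`)

// safeQuery applies both fixes the root cause calls for: validate the decrypted
// cursor against its expected shape and bind it as a parameter, so even a
// correctly sealed token cannot change the structure of the statement.
func safeQuery(secret, token string) (string, []any, error) {
	cursor, err := openToken(secret, token)
	if err != nil {
		return "", nil, err
	}
	if !uuidRe.MatchString(cursor) {
		return "", nil, errors.New("invalid pagination cursor")
	}
	return "SELECT * FROM relation_tuples WHERE id > $1 ORDER BY id LIMIT 100", []any{cursor}, nil
}

func main() {
	// The attacker seals a cursor that is SQL, using the known default secret.
	forged, err := sealToken(hypotheticalDefaultSecret, "' OR 1=1 --")
	if err != nil {
		panic(err)
	}
	q, _ := vulnerableQuery(hypotheticalDefaultSecret, forged)
	fmt.Println("vulnerable:", q)
	_, _, err = safeQuery(hypotheticalDefaultSecret, forged)
	fmt.Println("hardened:", err)
	// With a per-deployment random secret the forged token does not even decrypt.
	_, err = vulnerableQuery("per-deployment-random-secret", forged)
	fmt.Println("unknown secret:", err)
}
```

Two points worth noticing when running it: the forged token produces no decryption error at all under the default secret, so "decryption failed" log entries only catch attackers guessing with the wrong key; and rotating to a random secret alone closes the forgery path, while the validation and parameter binding in safeQuery are what make the server safe even if a secret later leaks.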
Detection Methods for CVE-2026-33505
Indicators of Compromise
- Unusual or malformed pagination tokens in API request logs for the GetRelationships endpoint
- Database query logs showing unexpected SQL statements or syntax errors originating from the Keto application
- Anomalous database access patterns such as unauthorized table access or bulk data retrieval
- Error logs indicating SQL parsing failures or injection-related database errors
Detection Strategies
- Monitor GetRelationships API endpoints for requests containing abnormally long or otherwise suspicious pagination token values, and for tokens presented by clients that never received one from a previous page
- Implement database activity monitoring to detect SQL injection patterns such as UNION-based attacks, time-based blind injection, or out-of-band data exfiltration attempts; because the injected text is hidden inside an encrypted token, the database side is the first place it becomes visible
- Review application logs for decryption errors, which may indicate tampered tokens or forgery attempts with a wrong secret; note that a token forged with the correct (default or leaked) secret decrypts cleanly and produces no such error
- Deploy Web Application Firewall (WAF) rules to detect and block SQL injection patterns in plaintext API parameters; a WAF cannot inspect the contents of an encrypted pagination token, so such rules do not cover the token itself
Monitoring Recommendations
- Enable detailed logging for all Keto API endpoints, particularly the GetRelationships API
- Configure alerting on database query anomalies, including queries that reference system tables or attempt privilege escalation
- Audit the secrets.pagination configuration to ensure a cryptographically secure random secret is configured and not using the default value
- Implement rate limiting on pagination-heavy endpoints to slow potential exploitation attempts
How to Mitigate CVE-2026-33505
Immediate Actions Required
- Immediately configure a custom value for secrets.pagination by generating a cryptographically secure random secret (minimum 32 bytes recommended)
- Upgrade Ory Keto to version 26.2.0 or later as soon as possible
- Restrict network access to the GetRelationships API to trusted clients only
- Review database and application logs for any signs of prior exploitation
Patch Information
Ory has released version 26.2.0 which addresses this SQL injection vulnerability. Organizations running affected versions should upgrade immediately. For detailed information, refer to the GitHub Security Advisory.
Workarounds
- Generate and configure a cryptographically secure random secret for secrets.pagination to prevent attackers from forging valid pagination tokens
- Implement network-level access controls to restrict access to the GetRelationships API to trusted internal services only
- Deploy a Web Application Firewall (WAF) with SQL injection detection rules in front of the Keto service, with the caveat that the WAF only sees the encrypted token and cannot detect payloads inside it; treat this as defense in depth for other parameters, not as a fix
- Consider implementing additional authentication and authorization checks for API endpoints that accept pagination tokens
# Generate a cryptographically secure random secret for pagination.
# openssl rand -hex 32 draws 32 random bytes and prints them as 64 hex characters.
openssl rand -hex 32
# Configure the generated secret in your Keto configuration.
# Example configuration (keto.yaml); secrets.pagination is a list of strings:
# secrets:
#   pagination:
#     - "YOUR_GENERATED_SECURE_SECRET_HERE"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

