Publish Advisories

GHSA-c38g-mx2c-9wf2
GHSA-hgx2-28f8-6g2r
GHSA-r9w3-57w2-gch2

Author: advisory-database[bot]

advisories/github-reviewed/2026/03/GHSA-c38g-mx2c-9wf2/GHSA-c38g-mx2c-9wf2.json

@@ -0,0 +1,57 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-c38g-mx2c-9wf2",
+  "modified": "2026-03-20T20:55:44Z",
+  "published": "2026-03-20T20:55:44Z",
+  "aliases": [
+    "CVE-2026-33505"
+  ],
+  "summary": "Ory Keto has a SQL injection via forged pagination tokens",
+  "details": "## Description\n\nThe **GetRelationships API** in Ory Keto is vulnerable to SQL injection due to flaws in its pagination implementation.\n\nPagination tokens are encrypted using the secret configured in `secrets.pagination`. An attacker who knows this secret can craft their own tokens, including malicious tokens that lead to SQL injection. If this configuration value is not set, Keto falls back to a hard-coded default pagination encryption secret. Because this default value is publicly known, attackers can generate valid and malicious pagination tokens manually for installations where this secret is not set.\n\n## Preconditions\n\nThis issue can be exploited when all of the following conditions are met:\n\n- **GetRelationships API** is directly or indirectly accessible to the attacker\n- The attacker can pass a raw pagination token to the affected API\n- The configuration value `secrets.pagination` is not set or known to the attacker\n\n## Impact\n\nAn attacker can execute arbitrary SQL queries through forged pagination tokens.\n\n## Mitigation\n\nAs a first line of defense, **immediately** configure a custom value for `secrets.pagination` by generating a cryptographically secure random secret, for example:\n\n```\nopenssl rand -base64 32\n```\n\nNext, upgrade **Keto** to a fixed version **as soon as possible**.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/ory/keto"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.14.1-0.20260320140104-e4393662cd2e"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/ory/keto/security/advisories/GHSA-c38g-mx2c-9wf2"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/ory/keto"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-20T20:55:44Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/03/GHSA-hgx2-28f8-6g2r/GHSA-hgx2-28f8-6g2r.json

@@ -0,0 +1,57 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hgx2-28f8-6g2r",
+  "modified": "2026-03-20T20:54:54Z",
+  "published": "2026-03-20T20:54:54Z",
+  "aliases": [
+    "CVE-2026-33503"
+  ],
+  "summary": "Ory Kratos has a SQL injection via forged pagination tokens",
+  "details": "## Description\n\nThe **ListCourierMessages** Admin API in Ory Kratos is vulnerable to SQL injection due to flaws in its pagination implementation.\n\nPagination tokens are encrypted using the secret configured in `secrets.pagination`. An attacker who knows this secret can craft their own tokens, including malicious tokens that lead to SQL injection. If this configuration value is not set, Kratos falls back to a default pagination encryption secret. Because this default value is publicly known, attackers can generate valid and malicious pagination tokens manually for installations where this secret is not set.\n\n## Preconditions\n\nThis issue can be exploited when the following conditions are met:\n\n- **ListCourierMessages API** is directly or indirectly accessible to the attacker\n- The attacker can pass a raw pagination token to the affected API\n- The configuration value `secrets.pagination` is not set or known to the attacker\n\n## Impact\n\nAn attacker can execute arbitrary SQL queries through forged pagination tokens.\n\n## Mitigation\n\nAs a first line of defense, **immediately** configure a custom value for `secrets.pagination` by generating a cryptographically secure random secret, for example:\n\n```\nopenssl rand -base64 32\n```\n\nNext, upgrade **Kratos** to a fixed version **as soon as possible**.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/ory/kratos"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.3.1-0.20260320110106-9d7085948039"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/ory/kratos/security/advisories/GHSA-hgx2-28f8-6g2r"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/ory/kratos"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-20T20:54:54Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/03/GHSA-r9w3-57w2-gch2/GHSA-r9w3-57w2-gch2.json

@@ -0,0 +1,57 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-r9w3-57w2-gch2",
+  "modified": "2026-03-20T20:55:04Z",
+  "published": "2026-03-20T20:55:04Z",
+  "aliases": [
+    "CVE-2026-33504"
+  ],
+  "summary": "Ory Hydra has a SQL injection via forged pagination tokens",
+  "details": "## Description\n\nFollowing Admin APIs in Ory Hydra are vulnerable to SQL injection due to flaws in its pagination implementation:\n\n- listOAuth2Clients\n- listOAuth2ConsentSessions\n- listTrustedOAuth2JwtGrantIssuers\n\nPagination tokens are encrypted using the secret configured in `secrets.pagination`. If this value is not set, Hydra falls back to using `secrets.system`. An attacker who knows this secret can craft their own tokens, including malicious tokens that lead to SQL injection.\n\n## Preconditions\n\nThis issue can be exploited when the following conditions are met:\n\n- One or more **admin APIs** listed above are directly or indirectly accessible to the attacker\n- The attacker can pass a raw pagination token to the affected API\n- The configuration value `secrets.pagination` is set and known to the attacker, or `secrets.pagination` is not set and `secrets.system` is known to the attacker\n\n## Impact\n\nAn attacker can execute arbitrary SQL queries through forged pagination tokens.\n\n## Mitigation\n\nAs a first line of defense, immediately configure a custom value for `secrets.pagination` by generating a cryptographically secure random secret, for example:\n\n```\nopenssl rand -base64 32\n```\n\nNext, upgrade **Hydra** to the fixed version **as soon as possible**.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/ory/hydra"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.3.1-0.20260320110106-0b84568fffcc"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/ory/hydra/security/advisories/GHSA-r9w3-57w2-gch2"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/ory/hydra"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-20T20:55:04Z",
+    "nvd_published_at": null
+  }
+}