CVE-2026-33503

Description

## Description The **ListCourierMessages** Admin API in Ory Kratos is vulnerable to SQL injection due to flaws in its pagination implementation. Pagination tokens are encrypted using the secret configured in `secrets.pagination`. An attacker who knows this secret can craft their own tokens, including malicious tokens that lead to SQL injection. If this configuration value is not set, Kratos falls back to a default pagination encryption secret. Because this default value is publicly known, attackers can generate valid and malicious pagination tokens manually for installations where this secret is not set. ## Preconditions This issue can be exploited when the following conditions are met: - **ListCourierMessages API** is directly or indirectly accessible to the attacker - The attacker can pass a raw pagination token to the affected API - The configuration value `secrets.pagination` is not set or known to the attacker ## Impact An attacker can execute arbitrary SQL queries through forged pagination tokens. ## Mitigation As a first line of defense, **immediately** configure a custom value for `secrets.pagination` by generating a cryptographically secure random secret, for example: ``` openssl rand -base64 32 ``` Next, upgrade **Kratos** to a fixed version **as soon as possible**.

Priority Score