What is the CVSS score of CVE-2026-33503?

CVE-2026-33503 has a CVSS 3.1 base score of 7.2 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of OpenSSL are affected by CVE-2026-33503?

Ory Kratos installations are vulnerable to SQL injection attacks through the Admin API, allowing authenticated attackers with admin privileges to execute arbitrary database queries.. A patch is available.

OpenSSL CVE-2026-33503

HIGH

SQL Injection (CWE-89)

2026-03-20 https://github.com/ory/kratos

GHSA-hgx2-28f8-6g2r

SQLi OpenSSL Suse

7.2

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Re-analysis Queued

Apr 17, 2026 - 19:52 vuln.today

cvss_changed

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 20, 2026 - 21:01 vuln.today

CVE Published

Mar 20, 2026 - 20:54 nvd

HIGH 7.2

DescriptionNVD

Description

The ListCourierMessages Admin API in Ory Kratos is vulnerable to SQL injection due to flaws in its pagination implementation.

Pagination tokens are encrypted using the secret configured in secrets.pagination. An attacker who knows this secret can craft their own tokens, including malicious tokens that lead to SQL injection. If this configuration value is not set, Kratos falls back to a default pagination encryption secret. Because this default value is publicly known, attackers can generate valid and malicious pagination tokens manually for installations where this secret is not set.

Preconditions

This issue can be exploited when the following conditions are met:

ListCourierMessages API is directly or indirectly accessible to the attacker
The attacker can pass a raw pagination token to the affected API
The configuration value secrets.pagination is not set or known to the attacker

Impact

An attacker can execute arbitrary SQL queries through forged pagination tokens.

Mitigation

As a first line of defense, immediately configure a custom value for secrets.pagination by generating a cryptographically secure random secret, for example:

openssl rand -base64 32

Next, upgrade Kratos to a fixed version as soon as possible.

AnalysisAI

Ory Kratos, an open-source identity and user management system, contains a SQL injection vulnerability in its ListCourierMessages Admin API through malicious pagination tokens. Attackers who know or can exploit the default pagination encryption secret can craft tokens to execute arbitrary SQL queries against the backend database. …

RemediationAI

Within 24 hours: Audit admin account access logs and disable unused admin accounts; isolate Kratos Admin API from untrusted networks. Within 7 days: Implement Web Application Firewall (WAF) rules to block malicious pagination tokens and monitor for exploitation attempts; conduct security review of admin privilege assignments. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-9256 HIGH This Week

8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

Vendor StatusVendor

CVE-2026-33503 vulnerability details – vuln.today

Back

OpenSSL CVE-2026-33503

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

Description

Preconditions

Impact

Mitigation

AnalysisAI

RemediationAI

Full analysis requires sign-in

More from same product – last 7 days

Vendor StatusVendor

Share

External POC / Exploit Code