Skip to main content

OpenSSL CVE-2026-33503

HIGH
SQL Injection (CWE-89)
2026-03-20 https://github.com/ory/kratos GHSA-hgx2-28f8-6g2r
7.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 17, 2026 - 19:52 vuln.today
cvss_changed
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 20, 2026 - 21:01 vuln.today
CVE Published
Mar 20, 2026 - 20:54 nvd
HIGH 7.2

DescriptionGitHub Advisory

Description

The ListCourierMessages Admin API in Ory Kratos is vulnerable to SQL injection due to flaws in its pagination implementation.

Pagination tokens are encrypted using the secret configured in secrets.pagination. An attacker who knows this secret can craft their own tokens, including malicious tokens that lead to SQL injection. If this configuration value is not set, Kratos falls back to a default pagination encryption secret. Because this default value is publicly known, attackers can generate valid and malicious pagination tokens manually for installations where this secret is not set.

Preconditions

This issue can be exploited when the following conditions are met:

  • ListCourierMessages API is directly or indirectly accessible to the attacker
  • The attacker can pass a raw pagination token to the affected API
  • The configuration value secrets.pagination is not set or known to the attacker

Impact

An attacker can execute arbitrary SQL queries through forged pagination tokens.

Mitigation

As a first line of defense, immediately configure a custom value for secrets.pagination by generating a cryptographically secure random secret, for example:

openssl rand -base64 32

Next, upgrade Kratos to a fixed version as soon as possible.

AnalysisAI

Ory Kratos, an open-source identity and user management system, contains a SQL injection vulnerability in its ListCourierMessages Admin API through malicious pagination tokens. Attackers who know or can exploit the default pagination encryption secret can craft tokens to execute arbitrary SQL queries against the backend database. The vulnerability requires high privileges (PR:H) but is network-exploitable (AV:N) with low complexity (AC:L), scoring CVSS 7.2.

Technical ContextAI

The vulnerability affects Ory Kratos (pkg:go/github.com_ory_kratos), a Go-based identity management solution. The root cause is CWE-89 (SQL Injection) in the pagination token handling mechanism of the ListCourierMessages Admin API. Pagination tokens are encrypted using a secret configured in 'secrets.pagination', but when this value is not set, Kratos falls back to a publicly known default encryption secret. Because the encryption secret can be known or guessed, attackers can forge pagination tokens containing SQL injection payloads that are decrypted and executed without proper sanitization. This represents a classic case of insufficient input validation combined with insecure default configuration, where the application trusts user-controlled data (the pagination token) after decryption without validating its content for SQL metacharacters.

RemediationAI

Immediately configure a custom cryptographically secure random secret for the secrets.pagination configuration value using a command such as 'openssl rand -base64 32' to generate a 32-byte random secret. This mitigation prevents attackers from forging pagination tokens even before upgrading. Next, upgrade Ory Kratos to the latest patched version as soon as possible, with specific version information available in the official security advisory at https://github.com/ory/kratos/security/advisories/GHSA-hgx2-28f8-6g2r. As additional defense-in-depth measures, restrict network access to the ListCourierMessages Admin API to only trusted administrative networks or IP ranges, implement strong authentication and authorization controls for Admin API access, and monitor database query logs for suspicious SQL patterns that may indicate exploitation attempts.

CVE-2014-0160 HIGH POC
7.5 Apr 07

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packe

CVE-2014-0195 MEDIUM POC
6.8 Jun 05

The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2016-0800 MEDIUM POC
5.9 Mar 01

The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to se

CVE-2015-0204 MEDIUM POC
4.3 Jan 09

The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k

CVE-2014-3566 LOW POC
3.4 Oct 15

The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which mak

CVE-2016-2107 MEDIUM POC
5.9 May 05

The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a

CVE-2015-1793 MEDIUM POC
6.5 Jul 09

The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly

CVE-2022-3602 HIGH
7.5 Nov 01

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Rated hig

CVE-2014-3470 MEDIUM
4.3 Jun 05

The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before

CVE-2017-3730 HIGH POC
7.5 May 04

In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this

CVE-2016-8610 HIGH
7.5 Nov 13

A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

CVE-2026-33503 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy