CVE-2026-33504

HIGH 7.2 (CVSS 3.1)
2026-03-20 https://github.com/ory/hydra GHSA-r9w3-57w2-gch2

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch Released: Mar 31, 2026 - 21:13 (nvd), patch available
Analysis Generated: Mar 20, 2026 - 21:01 (vuln.today)
CVE Published: Mar 20, 2026 - 20:55 (nvd)

Description

## Description

The following admin APIs in Ory Hydra are vulnerable to SQL injection due to flaws in the pagination implementation:

- listOAuth2Clients
- listOAuth2ConsentSessions
- listTrustedOAuth2JwtGrantIssuers

Pagination tokens are encrypted using the secret configured in `secrets.pagination`. If this value is not set, Hydra falls back to using `secrets.system`. An attacker who knows this secret can craft their own tokens, including malicious tokens that lead to SQL injection.

## Preconditions

This issue can be exploited when the following conditions are met:

- One or more of the **admin APIs** listed above are directly or indirectly accessible to the attacker
- The attacker can pass a raw pagination token to the affected API
- The configuration value `secrets.pagination` is set and known to the attacker, or `secrets.pagination` is not set and `secrets.system` is known to the attacker

## Impact

An attacker can execute arbitrary SQL queries through forged pagination tokens.

## Mitigation

As a first line of defense, immediately configure a custom value for `secrets.pagination` by generating a cryptographically secure random secret, for example:

```
openssl rand -base64 32
```

Next, upgrade **Hydra** to the fixed version **as soon as possible**.

Analysis

Ory Hydra, an OAuth 2.0 and OpenID Connect provider, contains a SQL injection vulnerability in three admin APIs (listOAuth2Clients, listOAuth2ConsentSessions, listTrustedOAuth2JwtGrantIssuers) due to insecure pagination token handling. Attackers who know the pagination secret can craft malicious encrypted tokens to execute arbitrary SQL queries. …


Remediation

Within 24 hours: Inventory all Ory Hydra instances in production and identify which version is deployed; verify whether pagination secrets have been rotated recently and audit access logs for the three vulnerable APIs. Within 7 days: Implement network segmentation to restrict admin API access to trusted internal networks only; deploy WAF rules to block suspicious pagination token patterns; and disable the three affected admin APIs if they are not actively used. …
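The log audit called for above, as an added example that is not part of this page, the advisory, or the Hydra project: it scans access-log lines for requests to the three affected operations that carried a client-supplied pagination token, which is the precondition the advisory describes, and marks those that ended in a server error. The admin route paths, the `page_token` parameter name and the sample log lines are assumptions constructed for the example; confirm the routes against the deployed Hydra version.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Admin routes for the three affected operations. These paths and the
# pagination parameter name are assumptions; confirm them for your version.
AFFECTED_ROUTES = {
    "/admin/clients": "listOAuth2Clients",
    "/admin/oauth2/auth/sessions/consent": "listOAuth2ConsentSessions",
    "/admin/trust/grants/jwt-bearer/issuers": "listTrustedOAuth2JwtGrantIssuers",
}
TOKEN_PARAM = "page_token"

# Constructed sample access-log lines (common log format style, not real data).
SAMPLE_LOG = """\
10.0.0.5 - - [20/Mar/2026:21:00:01 +0000] "GET /admin/clients?page_size=100 HTTP/1.1" 200 512
10.0.0.5 - - [20/Mar/2026:21:00:02 +0000] "GET /admin/clients?page_size=100&page_token=QUJDRA HTTP/1.1" 200 512
10.0.0.9 - - [20/Mar/2026:21:00:03 +0000] "GET /admin/oauth2/auth/sessions/consent?subject=alice&page_token=abc HTTP/1.1" 500 88
10.0.0.9 - - [20/Mar/2026:21:00:04 +0000] "GET /admin/trust/grants/jwt-bearer/issuers HTTP/1.1" 200 40
10.0.0.7 - - [20/Mar/2026:21:00:05 +0000] "GET /oauth2/auth?client_id=x HTTP/1.1" 302 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def audit(log_text):
    """One finding per request to an affected route that carried a pagination token.
    First pages carry no token, so only continuation requests are reported."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected shape
        parts = urlsplit(m["target"])
        operation = AFFECTED_ROUTES.get(parts.path.rstrip("/"))
        if operation is None:
            continue  # not one of the three affected routes
        tokens = parse_qs(parts.query).get(TOKEN_PARAM)
        if not tokens:
            continue  # first page: no client-supplied token to inspect
        # A 5xx on a token-bearing request deserves a closer look: a token that
        # Hydra did not mint may fail inside the query it is decrypted into.
        findings.append({"ip": m["ip"], "ts": m["ts"], "operation": operation,
                         "status": int(m["status"]), "token_len": len(tokens[0]),
                         "server_error": m["status"].startswith("5")})
    return findings
```

Call `audit(SAMPLE_LOG)` to see the two flagged continuation requests, or pass the text of a real access log in the same shape.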


Priority Score

36 (KEV: 0, EPSS: +0.0, CVSS: +36, POC: 0)


CVE-2026-33504 vulnerability details – vuln.today
