Skip to main content

OpenSSL CVE-2026-33504

HIGH
SQL Injection (CWE-89)
2026-03-20 https://github.com/ory/hydra GHSA-r9w3-57w2-gch2
7.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 20, 2026 - 21:01 vuln.today
CVE Published
Mar 20, 2026 - 20:55 nvd
HIGH 7.2

DescriptionGitHub Advisory

Description

Following Admin APIs in Ory Hydra are vulnerable to SQL injection due to flaws in its pagination implementation:

  • listOAuth2Clients
  • listOAuth2ConsentSessions
  • listTrustedOAuth2JwtGrantIssuers

Pagination tokens are encrypted using the secret configured in secrets.pagination. If this value is not set, Hydra falls back to using secrets.system. An attacker who knows this secret can craft their own tokens, including malicious tokens that lead to SQL injection.

Preconditions

This issue can be exploited when the following conditions are met:

  • One or more admin APIs listed above are directly or indirectly accessible to the attacker
  • The attacker can pass a raw pagination token to the affected API
  • The configuration value secrets.pagination is set and known to the attacker, or secrets.pagination is not set and secrets.system is known to the attacker

Impact

An attacker can execute arbitrary SQL queries through forged pagination tokens.

Mitigation

As a first line of defense, immediately configure a custom value for secrets.pagination by generating a cryptographically secure random secret, for example:

openssl rand -base64 32

Next, upgrade Hydra to the fixed version as soon as possible.

AnalysisAI

Ory Hydra, an OAuth 2.0 and OpenID Connect provider, contains a SQL injection vulnerability in three admin APIs (listOAuth2Clients, listOAuth2ConsentSessions, listTrustedOAuth2JwtGrantIssuers) due to insecure pagination token handling. Attackers who know the pagination secret can craft malicious encrypted tokens to execute arbitrary SQL queries. The CVSS score of 7.2 requires high privileges (PR:H), but successful exploitation grants full database access with high confidentiality, integrity, and availability impact.

Technical ContextAI

This vulnerability affects the Go-based Ory Hydra OAuth/OIDC server (pkg:go/github.com_ory_hydra). The root cause is CWE-89 (SQL Injection) in the pagination implementation where tokens are encrypted using secrets.pagination or secrets.system as a fallback. The flaw allows authenticated administrators or attackers with secret knowledge to bypass input sanitization by forging encrypted pagination tokens that contain SQL payloads. When these tokens are decrypted and processed by the admin APIs, the malicious SQL is executed against the backend database without proper parameterization or validation.

RemediationAI

Immediately generate a new cryptographically secure random secret using 'openssl rand -base64 32' and configure it as secrets.pagination in the Hydra configuration to prevent token forgery. Upgrade to the patched version of Ory Hydra as specified in the GitHub security advisory at https://github.com/ory/hydra/security/advisories/GHSA-r9w3-57w2-gch2 as soon as possible. As defense-in-depth measures, restrict network access to admin APIs to trusted IP ranges only, implement additional authentication/authorization layers before admin endpoints, rotate all existing pagination tokens after updating the secret, and audit database logs for suspicious queries that may indicate prior exploitation.

CVE-2014-0160 HIGH POC
7.5 Apr 07

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packe

CVE-2014-0195 MEDIUM POC
6.8 Jun 05

The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2016-0800 MEDIUM POC
5.9 Mar 01

The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to se

CVE-2015-0204 MEDIUM POC
4.3 Jan 09

The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k

CVE-2014-3566 LOW POC
3.4 Oct 15

The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which mak

CVE-2016-2107 MEDIUM POC
5.9 May 05

The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a

CVE-2015-1793 MEDIUM POC
6.5 Jul 09

The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly

CVE-2022-3602 HIGH
7.5 Nov 01

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Rated hig

CVE-2014-3470 MEDIUM
4.3 Jun 05

The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before

CVE-2017-3730 HIGH POC
7.5 May 04

In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this

CVE-2016-8610 HIGH
7.5 Nov 13

A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

CVE-2026-33504 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy