CVE-2026-33505

HIGH
2026-03-20 https://github.com/ory/keto GHSA-c38g-mx2c-9wf2
7.2
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch Released: Mar 31, 2026 - 21:13 (nvd) - patch available
Analysis Generated: Mar 20, 2026 - 21:01 (vuln.today)
CVE Published: Mar 20, 2026 - 20:55 (nvd)

Description

## Description

The **GetRelationships API** in Ory Keto is vulnerable to SQL injection due to flaws in its pagination implementation. Pagination tokens are encrypted using the secret configured in `secrets.pagination`. An attacker who knows this secret can craft their own tokens, including malicious tokens that lead to SQL injection.

If this configuration value is not set, Keto falls back to a hard-coded default pagination encryption secret. Because this default value is publicly known, attackers can generate valid and malicious pagination tokens manually for installations where this secret is not set.

## Preconditions

This issue can be exploited when all of the following conditions are met:

- The **GetRelationships API** is directly or indirectly accessible to the attacker
- The attacker can pass a raw pagination token to the affected API
- The configuration value `secrets.pagination` is either unset or known to the attacker

## Impact

An attacker can execute arbitrary SQL queries through forged pagination tokens.

## Mitigation

As a first line of defense, **immediately** configure a custom value for `secrets.pagination` by generating a cryptographically secure random secret, for example:

```
openssl rand -base64 32
```

Next, upgrade **Keto** to a fixed version **as soon as possible**.
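As an added illustration (not Keto's code and not the project's fix), the Go sketch below shows the two defensive properties the mitigation above relies on: the service refuses to run with an unset `secrets.pagination` instead of falling back to a built-in default, and a decoded cursor is still validated before it goes anywhere near a query, because anyone who holds the secret can seal arbitrary bytes into a token. The token layout (base64url of nonce, AES-GCM ciphertext and tag), the SHA-256 key derivation and the UUID cursor shape are assumptions for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"regexp"
)

var idRe = regexp.MustCompile(`^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$`) // accepted cursor shape
// newAEAD refuses an absent or short secret outright: no silent fallback to a built-in default.
func newAEAD(secret string) (cipher.AEAD, error) {
	if len(secret) < 32 {
		return nil, errors.New("secrets.pagination is unset or too short")
	}
	key := sha256.Sum256([]byte(secret)) // derive a fixed-size AES-256 key
	block, _ := aes.NewCipher(key[:])    // a 32-byte key cannot fail here
	return cipher.NewGCM(block)
}

// encodeToken seals the last-seen id as base64url(nonce || ciphertext || tag).
func encodeToken(secret, lastID string) (string, error) {
	aead, err := newAEAD(secret)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // crypto/rand; fails only on a broken system RNG
	return base64.RawURLEncoding.EncodeToString(aead.Seal(nonce, nonce, []byte(lastID), nil)), nil
}

// decodeToken authenticates the token, then still validates the recovered cursor: whoever
// holds the secret can seal arbitrary bytes, so the id is checked before it nears any SQL.
func decodeToken(secret, tok string) (string, error) {
	aead, err := newAEAD(secret)
	if err != nil {
		return "", err
	}
	raw, err := base64.RawURLEncoding.DecodeString(tok)
	if err != nil || len(raw) < aead.NonceSize() {
		return "", errors.New("malformed token")
	}
	plain, err := aead.Open(nil, raw[:aead.NonceSize()], raw[aead.NonceSize():], nil)
	if err != nil || !idRe.MatchString(string(plain)) { // forged, tampered, or not an id
		return "", errors.New("token rejected")
	}
	return string(plain), nil
}
```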

Analysis

Ory Keto, an open-source authorization service, contains a SQL injection vulnerability in its GetRelationships API due to insecure pagination token handling. Attackers who know or can exploit the default hard-coded pagination encryption secret can craft malicious tokens to execute arbitrary SQL queries. …


Remediation

Within 24 hours: Audit all Ory Keto instances to identify those using default pagination encryption secrets and immediately rotate these secrets in non-production environments. Within 7 days: Complete secret rotation across all production Ory Keto deployments and implement network-level access controls restricting the GetRelationships API endpoint. …


Priority Score

36 (KEV: 0, EPSS: +0.0, CVSS: +36, POC: 0)


CVE-2026-33505 vulnerability details – vuln.today
