What is the CVSS score of CVE-2026-33505?

CVE-2026-33505 has a CVSS 3.1 base score of 7.2 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of OpenSSL are affected by CVE-2026-33505?

Ory Keto deployments using default encryption secrets are vulnerable to SQL injection attacks through the GetRelationships API, potentially allowing unauthorized data access or manipulation.. A patch is available.

OpenSSL CVE-2026-33505

HIGH

SQL Injection (CWE-89)

2026-03-20 https://github.com/ory/keto

GHSA-c38g-mx2c-9wf2

SQLi OpenSSL Suse

7.2

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Re-analysis Queued

Apr 17, 2026 - 19:52 vuln.today

cvss_changed

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 20, 2026 - 21:01 vuln.today

CVE Published

Mar 20, 2026 - 20:55 nvd

HIGH 7.2

DescriptionNVD

Description

The GetRelationships API in Ory Keto is vulnerable to SQL injection due to flaws in its pagination implementation.

Pagination tokens are encrypted using the secret configured in secrets.pagination. An attacker who knows this secret can craft their own tokens, including malicious tokens that lead to SQL injection. If this configuration value is not set, Keto falls back to a hard-coded default pagination encryption secret. Because this default value is publicly known, attackers can generate valid and malicious pagination tokens manually for installations where this secret is not set.

Preconditions

This issue can be exploited when all of the following conditions are met:

GetRelationships API is directly or indirectly accessible to the attacker
The attacker can pass a raw pagination token to the affected API
The configuration value secrets.pagination is not set or known to the attacker

Impact

An attacker can execute arbitrary SQL queries through forged pagination tokens.

Mitigation

As a first line of defense, immediately configure a custom value for secrets.pagination by generating a cryptographically secure random secret, for example:

openssl rand -base64 32

Next, upgrade Keto to a fixed version as soon as possible.

AnalysisAI

Ory Keto, an open-source authorization service, contains a SQL injection vulnerability in its GetRelationships API due to insecure pagination token handling. Attackers who know or can exploit the default hard-coded pagination encryption secret can craft malicious tokens to execute arbitrary SQL queries. …

RemediationAI

Within 24 hours: Audit all Ory Keto instances to identify those using default pagination encryption secrets and immediately rotate these secrets in non-production environments. Within 7 days: Complete secret rotation across all production Ory Keto deployments and implement network-level access controls restricting the GetRelationships API endpoint. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-9256 HIGH This Week

8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

Vendor StatusVendor

CVE-2026-33505 vulnerability details – vuln.today

Back

OpenSSL CVE-2026-33505

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

Description

Preconditions

Impact

Mitigation

AnalysisAI

RemediationAI

Full analysis requires sign-in

More from same product – last 7 days

Vendor StatusVendor

Share

External POC / Exploit Code