CVE-2026-33504: Ory Hydra has a SQL injection via forged pagination tokens

March 20, 2026

Following Admin APIs in Ory Hydra are vulnerable to SQL injection due to flaws in its pagination implementation:

listOAuth2Clients
listOAuth2ConsentSessions
listTrustedOAuth2JwtGrantIssuers

Pagination tokens are encrypted using the secret configured in secrets.pagination. If this value is not set, Hydra falls back to using secrets.system. An attacker who knows this secret can craft their own tokens, including malicious tokens that lead to SQL injection.

References

github.com/advisories/GHSA-r9w3-57w2-gch2
github.com/ory/hydra
github.com/ory/hydra/security/advisories/GHSA-r9w3-57w2-gch2
nvd.nist.gov/vuln/detail/CVE-2026-33504

Code Behaviors & Features

Detect and mitigate CVE-2026-33504 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →