CVE-2026-33505: Ory Keto has a SQL injection via forged pagination tokens

March 20, 2026

The GetRelationships API in Ory Keto is vulnerable to SQL injection due to flaws in its pagination implementation.

Pagination tokens are encrypted using the secret configured in secrets.pagination. An attacker who knows this secret can craft their own tokens, including malicious tokens that lead to SQL injection. If this configuration value is not set, Keto falls back to a hard-coded default pagination encryption secret. Because this default value is publicly known, attackers can generate valid and malicious pagination tokens manually for installations where this secret is not set.

References

github.com/advisories/GHSA-c38g-mx2c-9wf2
github.com/ory/keto
github.com/ory/keto/security/advisories/GHSA-c38g-mx2c-9wf2
nvd.nist.gov/vuln/detail/CVE-2026-33505

Code Behaviors & Features

Detect and mitigate CVE-2026-33505 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →