CVE-2026-33503: Ory Kratos has a SQL injection via forged pagination tokens

March 20, 2026

The ListCourierMessages Admin API in Ory Kratos is vulnerable to SQL injection due to flaws in its pagination implementation.

Pagination tokens are encrypted using the secret configured in secrets.pagination. An attacker who knows this secret can craft their own tokens, including malicious tokens that lead to SQL injection. If this configuration value is not set, Kratos falls back to a default pagination encryption secret. Because this default value is publicly known, attackers can generate valid and malicious pagination tokens manually for installations where this secret is not set.

References

github.com/advisories/GHSA-hgx2-28f8-6g2r
github.com/ory/kratos
github.com/ory/kratos/security/advisories/GHSA-hgx2-28f8-6g2r
nvd.nist.gov/vuln/detail/CVE-2026-33503

Code Behaviors & Features

Detect and mitigate CVE-2026-33503 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →