<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cve-2026-33505 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2026-33505/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2026-33505/feed.xml" rel="self" type="application/rss+xml"/><item><title>Ory Keto SQL Injection Vulnerability via GetRelationships API (CVE-2026-33505)</title><link>https://feed.craftedsignal.io/briefs/2024-01-ory-keto-sql-injection/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-ory-keto-sql-injection/</guid><description>Ory Keto versions prior to 26.2.0 are vulnerable to SQL injection via the GetRelationships API due to flaws in its pagination implementation, enabling attackers with knowledge of the pagination secret (or the default secret) to craft malicious tokens leading to arbitrary SQL query execution.</description><content:encoded><![CDATA[<p>Ory Keto, an open-source authorization server designed for managing permissions at scale, is susceptible to a SQL injection vulnerability (CVE-2026-33505) affecting versions prior to 26.2.0. This vulnerability resides within the GetRelationships API due to insecure pagination token handling. The application uses a secret configured in <code>secrets.pagination</code> to encrypt pagination tokens. However, if this configuration is absent, it defaults to a publicly known hard-coded secret. An attacker who knows the secret can craft malicious pagination tokens, enabling SQL injection. This impacts organizations where the GetRelationships API is accessible, the attacker can inject a raw pagination token, and the <code>secrets.pagination</code> value is either not set or known. This allows an attacker to execute arbitrary SQL queries against the Ory Keto database, potentially compromising sensitive data and control over the authorization server.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies an Ory Keto instance running a version prior to 26.2.0.</li>
<li>The attacker determines that the <code>secrets.pagination</code> configuration value is not set on the target Ory Keto instance, enabling the default hardcoded secret.</li>
<li>The attacker crafts a malicious SQL payload designed to be injected into the GetRelationships API.</li>
<li>The attacker generates a valid-looking pagination token using the known default <code>secrets.pagination</code> secret, embedding the malicious SQL payload within the token.</li>
<li>The attacker sends a request to the GetRelationships API with the forged pagination token.</li>
<li>The Ory Keto application processes the request and decrypts the pagination token, unknowingly passing the malicious SQL payload to the database query.</li>
<li>The database executes the attacker's SQL query.</li>
<li>The attacker gains unauthorized access to sensitive information or executes arbitrary database commands.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this SQL injection vulnerability (CVE-2026-33505) in Ory Keto can have severe consequences. An attacker could potentially gain unauthorized access to sensitive permission data, modify access control policies, or even compromise the entire authorization server. This can lead to privilege escalation, data breaches, and complete control over the systems relying on Ory Keto for authorization. The CVSS v3.1 base score for this vulnerability is rated as 7.2 (High), highlighting the significant risk it poses to organizations using affected versions of Ory Keto.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately configure a custom value for <code>secrets.pagination</code> by generating a cryptographically secure random secret to mitigate CVE-2026-33505.</li>
<li>Upgrade Keto to version 26.2.0 or later to patch CVE-2026-33505, addressing the underlying SQL injection vulnerability.</li>
<li>Monitor web server logs for suspicious requests to the GetRelationships API containing unusual pagination tokens to detect potential exploitation attempts.</li>
<li>Implement rate limiting on the GetRelationships API to reduce the impact of potential SQL injection attacks.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>sql-injection</category><category>vulnerability</category><category>ory-keto</category><category>cve-2026-33505</category></item></channel></rss>