{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/ory-keto/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Keto"],"_cs_severities":["critical"],"_cs_tags":["sql-injection","vulnerability","ory-keto","cve-2026-33505"],"_cs_type":"advisory","_cs_vendors":["Ory"],"content_html":"\u003cp\u003eOry Keto, an open-source authorization server designed for managing permissions at scale, is susceptible to a SQL injection vulnerability (CVE-2026-33505) affecting versions prior to 26.2.0. This vulnerability resides within the GetRelationships API due to insecure pagination token handling. The application uses a secret configured in \u003ccode\u003esecrets.pagination\u003c/code\u003e to encrypt pagination tokens. However, if this configuration is absent, it defaults to a publicly known hard-coded secret. An attacker who knows the secret can craft malicious pagination tokens, enabling SQL injection. This impacts organizations where the GetRelationships API is accessible, the attacker can inject a raw pagination token, and the \u003ccode\u003esecrets.pagination\u003c/code\u003e value is either not set or known. This allows an attacker to execute arbitrary SQL queries against the Ory Keto database, potentially compromising sensitive data and control over the authorization server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an Ory Keto instance running a version prior to 26.2.0.\u003c/li\u003e\n\u003cli\u003eThe attacker determines that the \u003ccode\u003esecrets.pagination\u003c/code\u003e configuration value is not set on the target Ory Keto instance, enabling the default hardcoded secret.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SQL payload designed to be injected into the GetRelationships API.\u003c/li\u003e\n\u003cli\u003eThe attacker generates a valid-looking pagination token using the known default \u003ccode\u003esecrets.pagination\u003c/code\u003e secret, embedding the malicious SQL payload within the token.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a request to the GetRelationships API with the forged pagination token.\u003c/li\u003e\n\u003cli\u003eThe Ory Keto application processes the request and decrypts the pagination token, unknowingly passing the malicious SQL payload to the database query.\u003c/li\u003e\n\u003cli\u003eThe database executes the attacker's SQL query.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive information or executes arbitrary database commands.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability (CVE-2026-33505) in Ory Keto can have severe consequences. An attacker could potentially gain unauthorized access to sensitive permission data, modify access control policies, or even compromise the entire authorization server. This can lead to privilege escalation, data breaches, and complete control over the systems relying on Ory Keto for authorization. The CVSS v3.1 base score for this vulnerability is rated as 7.2 (High), highlighting the significant risk it poses to organizations using affected versions of Ory Keto.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately configure a custom value for \u003ccode\u003esecrets.pagination\u003c/code\u003e by generating a cryptographically secure random secret to mitigate CVE-2026-33505.\u003c/li\u003e\n\u003cli\u003eUpgrade Keto to version 26.2.0 or later to patch CVE-2026-33505, addressing the underlying SQL injection vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to the GetRelationships API containing unusual pagination tokens to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on the GetRelationships API to reduce the impact of potential SQL injection attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-ory-keto-sql-injection/","summary":"Ory Keto versions prior to 26.2.0 are vulnerable to SQL injection via the GetRelationships API due to flaws in its pagination implementation, enabling attackers with knowledge of the pagination secret (or the default secret) to craft malicious tokens leading to arbitrary SQL query execution.","title":"Ory Keto SQL Injection Vulnerability via GetRelationships API (CVE-2026-33505)","url":"https://feed.craftedsignal.io/briefs/2024-01-ory-keto-sql-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - Ory-Keto","version":"https://jsonfeed.org/version/1.1"}