{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/ory-kratos/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["ory-kratos","sql-injection","cve-2026-33503","cloud"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOry Kratos, an identity, user management, and authentication system for cloud services, is vulnerable to SQL injection in versions prior to 26.2.0. The vulnerability resides within the ListCourierMessages Admin API and stems from flaws in its pagination implementation. The pagination tokens are encrypted using a secret configured in \u003ccode\u003esecrets.pagination\u003c/code\u003e. Attackers who obtain this secret can forge malicious tokens, leading to SQL injection attacks. Critically, if this configuration value remains unset, Kratos defaults to a publicly known pagination encryption secret. This allows attackers to manually generate valid malicious pagination tokens for vulnerable installations. Defenders should immediately configure a custom value for \u003ccode\u003esecrets.pagination\u003c/code\u003e using a cryptographically secure random secret and upgrade Kratos to version 26.2.0 or later.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an Ory Kratos instance running a version prior to 26.2.0.\u003c/li\u003e\n\u003cli\u003eAttacker checks the Kratos configuration to determine if \u003ccode\u003esecrets.pagination\u003c/code\u003e is set.\u003c/li\u003e\n\u003cli\u003eIf \u003ccode\u003esecrets.pagination\u003c/code\u003e is not set, the attacker leverages the publicly known default pagination encryption secret.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious pagination token containing SQL injection payloads. This token exploits the vulnerable pagination logic in the \u003ccode\u003eListCourierMessages\u003c/code\u003e API.\u003c/li\u003e\n\u003cli\u003eAttacker sends a request to the \u003ccode\u003e/admin/courier/messages\u003c/code\u003e endpoint with the crafted pagination token in the \u003ccode\u003epage_token\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe Kratos application processes the malicious token, leading to the execution of arbitrary SQL queries against the underlying database.\u003c/li\u003e\n\u003cli\u003eThe SQL injection allows the attacker to potentially read, modify, or delete sensitive data within the Kratos database, including user credentials, configuration settings, or other confidential information.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the compromised data for further attacks, such as account takeover or privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability can lead to complete compromise of the Ory Kratos instance. This can result in unauthorized access to user accounts, disclosure of sensitive information, and potential data manipulation or deletion. The severity is high due to the potential for significant data breach and service disruption impacting all users managed by the compromised Kratos instance. The number of victims depends on the size and user base of the affected Ory Kratos deployment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately configure a custom value for \u003ccode\u003esecrets.pagination\u003c/code\u003e by generating a cryptographically secure random secret within your Ory Kratos configuration (reference: Overview section).\u003c/li\u003e\n\u003cli\u003eUpgrade Ory Kratos to version 26.2.0 or later to patch the SQL injection vulnerability (reference: Overview section).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to the \u003ccode\u003e/admin/courier/messages\u003c/code\u003e endpoint containing unusually long or malformed \u003ccode\u003epage_token\u003c/code\u003e parameters (create a custom rule based on this behavior).\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) rule to block requests with suspicious SQL syntax in the \u003ccode\u003epage_token\u003c/code\u003e parameter targeting the \u003ccode\u003e/admin/courier/messages\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-26T18:16:30Z","date_published":"2026-03-26T18:16:30Z","id":"/briefs/2024-01-ory-kratos-sqli/","summary":"A SQL injection vulnerability exists in the ListCourierMessages Admin API of Ory Kratos versions prior to 26.2.0 due to flaws in its pagination implementation, allowing attackers to craft malicious tokens if the pagination secret is known or the default secret is used.","title":"Ory Kratos SQL Injection Vulnerability in ListCourierMessages API","url":"https://feed.craftedsignal.io/briefs/2024-01-ory-kratos-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed — Ory-Kratos","version":"https://jsonfeed.org/version/1.1"}