CVE-2026-33504

HIGH 7.2 | EPSS 0.01%

Ory Hydra has a SQL injection via forged pagination tokens

Published: 3/20/2026 | Modified: 3/27/2026

Description

## Description

The following admin APIs in Ory Hydra are vulnerable to SQL injection due to flaws in its pagination implementation:

- listOAuth2Clients
- listOAuth2ConsentSessions
- listTrustedOAuth2JwtGrantIssuers

Pagination tokens are encrypted using the secret configured in `secrets.pagination`. If this value is not set, Hydra falls back to using `secrets.system`. An attacker who knows this secret can craft their own tokens, including malicious tokens that lead to SQL injection.

## Preconditions

This issue can be exploited when the following conditions are met:

- One or more **admin APIs** listed above are directly or indirectly accessible to the attacker
- The attacker can pass a raw pagination token to the affected API
- The configuration value `secrets.pagination` is set and known to the attacker, or `secrets.pagination` is not set and `secrets.system` is known to the attacker

## Impact

An attacker can execute arbitrary SQL queries through forged pagination tokens.

## Mitigation

As a first line of defense, immediately configure a custom value for `secrets.pagination` by generating a cryptographically secure random secret, for example:

```
openssl rand -base64 32
```

Next, upgrade **Hydra** to the fixed version **as soon as possible**.
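The following is an added example, not code from the advisory or from the Ory project: it audits the `secrets` section of an already-parsed Hydra configuration for the fallback condition described above (no `secrets.pagination`, so tokens are encrypted with `secrets.system`) and mints a replacement secret of the same shape as `openssl rand -base64 32`. It assumes the secrets are configured as lists (as `secrets.system` is) and uses its own minimum-length policy; the sample configs are constructed, not real.

```python
# Added example (not from the advisory or the Ory project): audit a parsed
# hydra.yml for the pagination-secret fallback in CVE-2026-33504 and generate
# a replacement secret equivalent to `openssl rand -base64 32`.
import base64
import secrets as pysecrets

# Assumed policy for this script: flag pagination secrets shorter than 32
# characters. The advisory's suggested generator yields 44 base64 characters.
MIN_SECRET_CHARS = 32


def _as_list(value):
    """Hydra secrets are lists in config; a bare string is tolerated (assumption)."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_pagination_secret(config: dict) -> list[str]:
    """Return findings for the `secrets` section of a parsed Hydra config."""
    secrets_cfg = config.get("secrets") or {}
    system = _as_list(secrets_cfg.get("system"))
    pagination = _as_list(secrets_cfg.get("pagination"))
    findings = []
    if not pagination:
        # The fallback the advisory describes: tokens are bound to secrets.system.
        findings.append("secrets.pagination unset: pagination tokens fall back to secrets.system")
    if set(pagination) & set(system):
        # Setting the key gains nothing if it repeats the system secret.
        findings.append("secrets.pagination reuses a secrets.system value: no isolation")
    for s in pagination:
        if len(s) < MIN_SECRET_CHARS:
            findings.append(f"secrets.pagination entry is short ({len(s)} chars)")
    return findings


def generate_pagination_secret() -> str:
    """Same shape as `openssl rand -base64 32`: 32 CSPRNG bytes, base64 encoded."""
    return base64.b64encode(pysecrets.token_bytes(32)).decode("ascii")


# Constructed sample configs; the values are placeholders, not real secrets.
WEAK_CONFIG = {"secrets": {"system": ["system-secret-placeholder-value-0123"]}}
FIXED_CONFIG = {"secrets": {"system": ["system-secret-placeholder-value-0123"],
                            "pagination": [generate_pagination_secret()]}}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit_pagination_secret(cfg) or ["ok"])
```

Load your real `hydra.yml` with a YAML parser and pass the resulting dict to `audit_pagination_secret`; an empty list means the pagination secret is set, distinct from the system secret, and long enough.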

Affected packages (4)

CVSS scores

| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.2 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |

References (3)