3 matches found
CVE-2026-33503 Ory Kratos has a SQL injection via forged pagination tokens
Ory Kratos is an identity, user management and authentication system for cloud services. Prior to version 26.2.0, the ListCourierMessages Admin API in Ory Kratos is vulnerable to SQL injection due to flaws in its pagination implementation. Pagination tokens are encrypted using the secret configur...
SQL Injection
Overview Affected versions of this package are vulnerable to SQL Injection in the listCourierMessages function in handler.go. An attacker in possession of the configured secrets.pagination with access to the ListCourierMessages API can execute arbitrary SQL queries by forging a pagination token...
PT-2026-26787
Name of the Vulnerable Software and Affected Versions Ory Kratos affected versions not specified Description The ListCourierMessages Admin API in Ory Kratos is susceptible to SQL injection because of issues in its pagination implementation. Pagination tokens are encrypted using a secret configure...