3 matches found
CVE-2020-5300
Hydra (Go-based OAuth2/OpenID provider) before version 1.4.0+oryOS.17 is affected when using client authentication with private_key_jwt because it does not enforce uniqueness of the JWT jti value, enabling potential token replay within the token’s expiry window. A patch is published in v1.4.0+ory...
CVE-2019-8400
ORY Hydra before v1.0.0-rc.3+oryOS.9 is affected by a Reflected XSS vulnerability in the oauth2/fallbacks/error error_hint parameter. The issue allows injection of arbitrary script via that parameter. No exploitation status or mitigations are provided in the excerpt; refer to the CVE entry and li...
CVE-2026-33504
Ory Hydra (OAuth 2.0 Server / OpenID Connect provider) contains a SQL injection flaw in admin APIs listed as listOAuth2Clients, listOAuth2ConsentSessions, and listTrustedOAuth2JwtGrantIssuers, prior to version 26.2.0. The issue arises from pagination token handling: tokens are signed/encrypted us...