DATE:
AUTHOR: Ory Team

Security Advisory: Ory Kratos, Hydra, Keto, Oathkeeper, Polis v26.2.0

Ory Kratos

SQL injection via forged pagination tokens (CVE-2026-33503, High)

The ListCourierMessages Admin API is vulnerable to SQL injection through forged pagination tokens. An attacker who knows the pagination secret (or exploits the default fallback) can execute arbitrary SQL queries.

Fixed in v26.2.0. See GHSA-hgx2-28f8-6g2r for details and mitigation steps.


Ory Hydra

SQL injection via forged pagination tokens (CVE-2026-33504, High)

The listOAuth2Clients, listOAuth2ConsentSessions, and listTrustedOAuth2JwtGrantIssuers Admin APIs are vulnerable to SQL injection through forged pagination tokens. An attacker who knows the pagination or system secret can execute arbitrary SQL queries.

Fixed in v26.2.0. See GHSA-r9w3-57w2-gch2 for details and mitigation steps.


Ory Keto

SQL injection via forged pagination tokens (CVE-2026-33505, High)

The GetRelationships API is vulnerable to SQL injection through forged pagination tokens. An attacker who knows the pagination secret (or exploits the default fallback) can execute arbitrary SQL queries.

Fixed in v26.2.0. See GHSA-c38g-mx2c-9wf2 for details and mitigation steps.
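The three pagination-token findings above (Kratos, Hydra, Keto) share one defensive pattern. The following Go example is added here and is not Ory's code: the token layout, the Cursor fields, the courier_messages table and the placeholder default secret are all assumptions. It shows a token whose HMAC is verified before its contents are parsed, a constructor that refuses a missing or default secret instead of silently falling back, and a keyset query that passes the decoded cursor values as bind parameters rather than splicing them into SQL text.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Cursor is the typed payload of a pagination token (assumed layout). Keeping
// it to a timestamp and an ID means nothing free-form can reach the SQL layer.
type Cursor struct {
	CreatedAt time.Time `json:"created_at"`
	ID        string    `json:"id"`
}

// Paginator signs and verifies tokens with a dedicated pagination secret.
type Paginator struct{ secret []byte }

// placeholderDefault stands in for a built-in fallback secret (constructed).
const placeholderDefault = "CHANGE-ME-default-pagination-secret"

// NewPaginator refuses a missing, short or default secret instead of falling
// back, because a known secret lets anyone mint tokens that verify.
func NewPaginator(secret []byte) (*Paginator, error) {
	if len(secret) < 32 || string(secret) == placeholderDefault {
		return nil, errors.New("pagination secret missing, too short or default; refusing to start")
	}
	return &Paginator{secret: secret}, nil
}

func (p *Paginator) tag(payload []byte) []byte {
	m := hmac.New(sha256.New, p.secret)
	m.Write(payload)
	return m.Sum(nil)
}

// Encode produces base64url(payload) "." base64url(hmac).
func (p *Paginator) Encode(c Cursor) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(payload) + "." + base64.RawURLEncoding.EncodeToString(p.tag(payload)), nil
}

// Decode checks the HMAC before the payload is interpreted, so a forged or
// tampered token is rejected without its contents ever being parsed.
func (p *Paginator) Decode(token string) (Cursor, error) {
	parts := strings.SplitN(token, ".", 2)
	if len(parts) != 2 {
		return Cursor{}, errors.New("malformed pagination token")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return Cursor{}, err
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return Cursor{}, err
	}
	if !hmac.Equal(sig, p.tag(payload)) {
		return Cursor{}, errors.New("pagination token signature mismatch")
	}
	var c Cursor
	if err := json.Unmarshal(payload, &c); err != nil {
		return Cursor{}, err
	}
	if c.ID == "" || c.CreatedAt.IsZero() {
		return Cursor{}, errors.New("incomplete cursor")
	}
	return c, nil
}

// PageQuery builds the next-page query. Cursor values travel as bind
// parameters, never as SQL text, so even a token minted with a leaked secret
// cannot change the statement's structure.
func PageQuery(c Cursor, limit int) (string, []any) {
	const q = `SELECT id, created_at, status FROM courier_messages
WHERE (created_at, id) < ($1, $2)
ORDER BY created_at DESC, id DESC
LIMIT $3`
	return q, []any{c.CreatedAt, c.ID, limit}
}

func main() {
	p, err := NewPaginator([]byte("0123456789abcdef0123456789abcdef")) // constructed demo secret
	if err != nil {
		panic(err)
	}
	tok, _ := p.Encode(Cursor{CreatedAt: time.Now().UTC(), ID: "msg-42"})
	c, err := p.Decode(tok)
	q, args := PageQuery(c, 50)
	fmt.Println(c, err, q, args)
}
```

The two layers are independent on purpose: the HMAC stops forged tokens when the secret is actually secret, and the bind parameters keep the query shape fixed even when it is not.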


Ory Polis

DOM-based XSS in login page (CVE-2026-33506, High)

The Polis admin login page passes the callbackUrl query parameter to router.push without validating the URL scheme. An attacker can craft a link with a javascript: URI that executes arbitrary code in the victim's browser after login. This could lead to credential theft or unauthorized actions performed on behalf of an admin.

Fixed in v26.2.0. See GHSA-3wjr-6gw8-9j22 for details and mitigation steps.
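A scheme check for the callback target, as an added example. Polis is a Next.js application and this is not its code; it is the same validation written in Go with net/url so that the accepted and rejected shapes are explicit. The rule is to keep only absolute-path, same-origin targets and route anything with a scheme, a host, credentials or a protocol-relative prefix to a fixed fallback instead.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// SafeCallbackURL returns raw only if it is a same-origin, absolute-path
// target; anything else (javascript:, data:, https://other-host, //host,
// /\host, embedded credentials) is replaced by fallback, which must itself be
// a known-safe path.
func SafeCallbackURL(raw, fallback string) string {
	raw = strings.TrimSpace(raw)
	if raw == "" {
		return fallback
	}
	u, err := url.Parse(raw)
	if err != nil {
		return fallback
	}
	// Any scheme at all, not just javascript:, means this is not a local path.
	if u.Scheme != "" || u.Opaque != "" || u.Host != "" || u.User != nil {
		return fallback
	}
	// Browsers treat "//host" and "/\host" as scheme-relative URLs, so require
	// exactly one leading slash followed by an ordinary path character.
	if !strings.HasPrefix(u.Path, "/") || strings.HasPrefix(u.Path, "//") || strings.HasPrefix(u.Path, "/\\") {
		return fallback
	}
	// Re-serialise from the parsed parts so only path, query and fragment survive.
	return (&url.URL{Path: u.Path, RawQuery: u.RawQuery, Fragment: u.Fragment}).String()
}

func main() {
	// Constructed inputs: one legitimate target and three that must be rejected.
	for _, in := range []string{"/admin/settings?tab=sso", "javascript:alert(1)", "//evil.example/", "https://evil.example/login"} {
		fmt.Printf("%-30q -> %q\n", in, SafeCallbackURL(in, "/admin"))
	}
}
```

Rebuilding the URL from its parsed parts, rather than returning the raw string after a check, is what prevents a second parser (the browser's) from seeing something the first one did not.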


Ory Oathkeeper

Path traversal authorization bypass (CVE-2026-33494, Critical)

Oathkeeper evaluates access rules against the raw, un-normalized request path. An attacker can use path traversal sequences (e.g. /public/../admin/secrets) to bypass authentication rules. Oathkeeper now normalizes request paths before rule matching.

Fixed in v26.2.0. See GHSA-p224-6x5r-fjpm for details and mitigation steps.
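The fix the advisory describes, normalizing the path before rule matching, as an added Go example that is not Oathkeeper's own code. The Rule type, the two-rule set and the prefix matcher are constructed stand-ins for the real rule schema. Decide takes a normalize switch so the difference is visible in one place: matched raw, the traversal path from the advisory lands on the anonymous rule; matched after path.Clean, it lands on the admin rule.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Rule is a minimal stand-in for an access rule: a path prefix and whether the
// rule permits anonymous access. This is not Oathkeeper's rule schema.
type Rule struct {
	Name      string
	Prefix    string
	Anonymous bool
}

// Constructed rule set: /public/ is open, /admin/ requires authentication.
var rules = []Rule{
	{Name: "public", Prefix: "/public/", Anonymous: true},
	{Name: "admin", Prefix: "/admin/", Anonymous: false},
}

// NormalizePath resolves "." and ".." segments and collapses repeated slashes
// so the matcher sees the path the upstream will actually serve. Callers should
// pass r.URL.Path, which Go's net/http has already percent-decoded, so encoded
// dot segments are covered as well.
func NormalizePath(p string) string {
	if !strings.HasPrefix(p, "/") {
		p = "/" + p
	}
	clean := path.Clean(p)
	// path.Clean strips a trailing slash; keep it, since /admin and /admin/
	// may be distinct rules.
	if strings.HasSuffix(p, "/") && clean != "/" {
		clean += "/"
	}
	return clean
}

// Match returns the first rule whose prefix matches p.
func Match(p string) (Rule, bool) {
	for _, r := range rules {
		if strings.HasPrefix(p, r.Prefix) {
			return r, true
		}
	}
	return Rule{}, false
}

// Decide reports whether the request may pass anonymously and which rule
// matched. With normalize=false it reproduces the vulnerable behaviour.
func Decide(raw string, normalize bool) (anonymousOK bool, ruleName string) {
	p := raw
	if normalize {
		p = NormalizePath(raw)
	}
	r, ok := Match(p)
	if !ok {
		return false, "" // no matching rule: deny
	}
	return r.Anonymous, r.Name
}

func main() {
	for _, norm := range []bool{false, true} {
		ok, name := Decide("/public/../admin/secrets", norm)
		fmt.Printf("normalize=%v -> anonymous=%v rule=%q\n", norm, ok, name)
	}
}
```

Denying when no rule matches matters as much as the normalization: a cleaned path that falls outside every configured prefix should not default to open.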

Authentication bypass by cache key confusion (CVE-2026-33496, High)

The oauth2_introspection authenticator cache does not include the introspection server URL in the cache key. An attacker with a valid token for one introspection server can use the cached result to bypass authentication on rules that use a different introspection server.

Fixed in v26.2.0. See GHSA-4mq7-pvjg-xp2r for details and mitigation steps.
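Binding the cache entry to the endpoint that produced it, as an added Go example that is not Oathkeeper's code. The IntrospectionCache, the Authenticator and the injected introspect function are constructed so the example runs offline, and the two endpoint URLs are placeholders. The key is a hash over (introspection URL, token), so a result fetched for one rule's server is never returned to a rule that points at another.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sync"
	"time"
)

// Introspection is the cached outcome for one token at one endpoint.
type Introspection struct {
	Active  bool
	Subject string
	Expires time.Time
}

// CacheKey binds a token to the endpoint that vouched for it. The NUL
// separator keeps ("ab","c") and ("a","bc") distinct, and hashing keeps raw
// bearer tokens out of the cache's key space.
func CacheKey(introspectionURL, token string) string {
	h := sha256.New()
	h.Write([]byte(introspectionURL))
	h.Write([]byte{0})
	h.Write([]byte(token))
	return hex.EncodeToString(h.Sum(nil))
}

// IntrospectionCache is a small in-memory cache keyed by CacheKey.
type IntrospectionCache struct {
	mu      sync.Mutex
	entries map[string]Introspection
}

func NewIntrospectionCache() *IntrospectionCache {
	return &IntrospectionCache{entries: map[string]Introspection{}}
}

func (c *IntrospectionCache) Get(introspectionURL, token string, now time.Time) (Introspection, bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	in, ok := c.entries[CacheKey(introspectionURL, token)]
	if !ok || !now.Before(in.Expires) {
		return Introspection{}, false
	}
	return in, true
}

func (c *IntrospectionCache) Put(introspectionURL, token string, in Introspection) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.entries[CacheKey(introspectionURL, token)] = in
}

// Authenticator resolves a token against the introspection endpoint configured
// on the matched rule, consulting the cache first. Introspect is injected so
// the example runs offline; Calls counts real lookups.
type Authenticator struct {
	Cache      *IntrospectionCache
	Introspect func(introspectionURL, token string) (Introspection, error)
	Calls      int
}

func (a *Authenticator) Authenticate(ruleIntrospectionURL, token string, now time.Time) (bool, error) {
	if in, ok := a.Cache.Get(ruleIntrospectionURL, token, now); ok {
		return in.Active, nil
	}
	a.Calls++
	in, err := a.Introspect(ruleIntrospectionURL, token)
	if err != nil {
		return false, err
	}
	a.Cache.Put(ruleIntrospectionURL, token, in)
	return in.Active, nil
}

// fakeIntrospect is constructed: only server A recognises the demo token.
func fakeIntrospect(introspectionURL, token string) (Introspection, error) {
	if introspectionURL == "https://auth-a.example/oauth2/introspect" && token == "demo-token" {
		return Introspection{Active: true, Subject: "alice", Expires: time.Now().Add(time.Minute)}, nil
	}
	return Introspection{Active: false, Expires: time.Now().Add(time.Minute)}, nil
}

func main() {
	a := &Authenticator{Cache: NewIntrospectionCache(), Introspect: fakeIntrospect}
	okA, _ := a.Authenticate("https://auth-a.example/oauth2/introspect", "demo-token", time.Now())
	okB, _ := a.Authenticate("https://auth-b.example/oauth2/introspect", "demo-token", time.Now())
	fmt.Println(okA, okB, a.Calls) // true false 2
}
```

Every input that changes the meaning of the cached answer (here the endpoint; in a fuller implementation also any scope or audience the rule requires) belongs in the key, otherwise two rules silently share one decision.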

Authentication bypass via untrusted X-Forwarded-Proto header (CVE-2026-33495, Moderate)

Oathkeeper always considers the X-Forwarded-Proto header during rule matching, even when serve.proxy.trust_forwarded_headers is set to false. An attacker who can inject this header may trigger a different rule than intended.

Fixed in v26.2.0. See GHSA-vhr5-ggp3-qq85 for details and mitigation steps.
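Honouring the trust setting when deriving the scheme, as an added Go example that is not Oathkeeper's code. ProxyConfig is a constructed stand-in for the serve.proxy.trust_forwarded_headers setting, and the two rules and the api.example host are placeholders. With trust off, the scheme comes from the connection itself, so a client-supplied X-Forwarded-Proto cannot steer which rule matches.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// ProxyConfig stands in for serve.proxy.trust_forwarded_headers.
type ProxyConfig struct {
	TrustForwardedHeaders bool
}

// RequestScheme returns the scheme rule matching should use. X-Forwarded-Proto
// is consulted only when the operator has declared the fronting proxy trusted;
// otherwise the scheme is taken from the connection itself.
func RequestScheme(cfg ProxyConfig, r *http.Request) string {
	if cfg.TrustForwardedHeaders {
		// Proxies may append to an existing list; the leftmost entry is the
		// scheme the client used at the outermost proxy.
		proto, _, _ := strings.Cut(r.Header.Get("X-Forwarded-Proto"), ",")
		switch p := strings.ToLower(strings.TrimSpace(proto)); p {
		case "http", "https":
			return p
		}
	}
	if r.TLS != nil {
		return "https"
	}
	return "http"
}

// MatchURL is the URL the rule matcher evaluates.
func MatchURL(cfg ProxyConfig, r *http.Request) string {
	return RequestScheme(cfg, r) + "://" + r.Host + r.URL.RequestURI()
}

// Constructed rules keyed by full URL prefix, standing in for a matcher that
// distinguishes schemes.
var rulesByURL = map[string]string{
	"http://api.example/":  "redirect-to-https", // plain HTTP is never proxied upstream
	"https://api.example/": "authenticated-api",
}

// MatchRule returns the rule name for the request, or "" for deny.
func MatchRule(cfg ProxyConfig, r *http.Request) string {
	u := MatchURL(cfg, r)
	for prefix, name := range rulesByURL {
		if strings.HasPrefix(u, prefix) {
			return name
		}
	}
	return ""
}

func main() {
	r, _ := http.NewRequest("GET", "http://api.example/v1/users", nil)
	r.Header.Set("X-Forwarded-Proto", "https") // header supplied by the client, not a proxy
	fmt.Println(MatchRule(ProxyConfig{TrustForwardedHeaders: false}, r)) // redirect-to-https
	fmt.Println(MatchRule(ProxyConfig{TrustForwardedHeaders: true}, r))  // authenticated-api
}
```

When the setting is true, the deployment must also guarantee that only the proxy can reach Oathkeeper, since at that point the header is accepted as a statement of fact.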


These fixes are now available on Ory Network, for the Ory Enterprise License, and are part of the latest Ory Open Source release.
We recommend upgrading as soon as possible.
