CVE-2026-33504

Name of the Vulnerable Software and Affected Versions Ory Hydra (affected versions not specified)

Description The Admin APIs – listOAuth2Clients, listOAuth2ConsentSessions, and listTrustedOAuth2JwtGrantIssuers – in Ory Hydra are susceptible to SQL injection due to flaws in the pagination implementation. Pagination tokens are encrypted using the secret configured in secrets.pagination. If this value is not set, Hydra defaults to using secrets.system. An attacker with knowledge of either secrets.pagination or secrets.system can create malicious tokens that lead to SQL injection. An attacker can execute arbitrary SQL queries through these forged pagination tokens by passing a raw pagination token to the affected API endpoints.

Recommendations Configure a custom value for secrets.pagination by generating a cryptographically secure random secret, for example, using openssl rand -base64 32. Upgrade Hydra to the fixed version as soon as possible.