PT-2026-26789 · Ory · Ory Keto

Published

2026-03-20

·

Updated

2026-03-29

·

CVE-2026-33505

CVSS v3.1

7.2

High

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Ory Keto (affected versions not specified)
Description: The GetRelationships API in Ory Keto is susceptible to SQL injection due to flaws in its pagination implementation. Pagination tokens are encrypted using the secret configured in secrets.pagination. An attacker who knows this secret can craft their own tokens, including malicious tokens that lead to SQL injection. If the secrets.pagination configuration value is not set, Keto defaults to a publicly known, hard-coded pagination encryption secret, allowing attackers to generate valid and malicious pagination tokens. An attacker can execute arbitrary SQL queries through these forged pagination tokens. The vulnerable API endpoint is /relationships.
Recommendations: Immediately configure a custom value for secrets.pagination by generating a cryptographically secure random secret, for example, using openssl rand -base64 32. Upgrade Keto to a fixed version as soon as possible.
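As an added example (not Keto's own code), the defensive shape the description points at, in Go: the pagination secret is required rather than defaulted, the token is an AEAD-sealed typed cursor that is validated after decryption, and the cursor reaches the database only as bound parameters, so even a token forged under a leaked secret cannot change the SQL text. The cursor layout, table name and column name are assumptions for this example.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
)
// cursor is the only state a client carries between pages: typed fields, never SQL text (hypothetical layout, not Keto's).
type cursor struct {
	LastID int64 `json:"last_id"` // id of the last row on the previous page
	Limit  int   `json:"limit"`
}
// newAEAD derives an AES-256-GCM key from the configured pagination secret; an empty secret is an error, never a default.
func newAEAD(secret string) (cipher.AEAD, error) {
	if secret == "" {
		return nil, errors.New("secrets.pagination must be set")
	}
	key := sha256.Sum256([]byte(secret))
	block, _ := aes.NewCipher(key[:]) // 32-byte key: cannot fail
	return cipher.NewGCM(block)
}
// encodeToken seals the cursor as base64url(nonce || ciphertext).
func encodeToken(aead cipher.AEAD, c cursor) string {
	plain, _ := json.Marshal(c)
	nonce := make([]byte, aead.NonceSize())
	_, _ = rand.Read(nonce) // crypto/rand.Read always fills the buffer (never returns an error since Go 1.24)
	return base64.RawURLEncoding.EncodeToString(aead.Seal(nonce, nonce, plain, nil))
}
// decodeToken authenticates the token, then validates every field before it may reach a query.
func decodeToken(aead cipher.AEAD, tok string) (cursor, error) {
	raw, err := base64.RawURLEncoding.DecodeString(tok)
	if err != nil || len(raw) < aead.NonceSize() {
		return cursor{}, errors.New("malformed token")
	}
	plain, err := aead.Open(nil, raw[:aead.NonceSize()], raw[aead.NonceSize():], nil)
	if err != nil {
		return cursor{}, errors.New("token was not issued under this secret")
	}
	var c cursor
	if json.Unmarshal(plain, &c) != nil || c.LastID < 0 || c.Limit < 1 || c.Limit > 500 {
		return cursor{}, errors.New("invalid cursor")
	}
	return c, nil
}
// pageQuery keeps the SQL text constant; cursor values travel only as bound parameters (table/column names assumed).
func pageQuery(c cursor) (string, []any) {
	return "SELECT * FROM relation_tuples WHERE id > $1 ORDER BY id LIMIT $2", []any{c.LastID, c.Limit}
}
```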

Exploit

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-33505
GHSA-C38G-MX2C-9WF2
GO-2026-4800
SUSE-SU-2026:1135-1

Affected Products

Ory Keto