{"id":"GHSA-c38g-mx2c-9wf2","summary":"Ory Keto has a SQL injection via forged pagination tokens","details":"## Description\n\nThe **GetRelationships API** in Ory Keto is vulnerable to SQL injection due to flaws in its pagination implementation.\n\nPagination tokens are encrypted using the secret configured in `secrets.pagination`. An attacker who knows this secret can craft their own tokens, including malicious tokens that lead to SQL injection. If this configuration value is not set, Keto falls back to a hard-coded default pagination encryption secret. Because this default value is publicly known, attackers can generate valid and malicious pagination tokens manually for installations where this secret is not set.\n\n## Preconditions\n\nThis issue can be exploited when all of the following conditions are met:\n\n- The **GetRelationships API** is directly or indirectly accessible to the attacker\n- The attacker can pass a raw pagination token to the affected API\n- The configuration value `secrets.pagination` is either not set (so the publicly known default is used) or is known to the attacker\n\n## Impact\n\nAn attacker can execute arbitrary SQL queries through forged pagination tokens.\n\n## Mitigation\n\nAs a first line of defense, **immediately** configure a custom value for `secrets.pagination` by generating a cryptographically secure random secret, for example:\n\n```\nopenssl rand -base64 32\n```\n\nSetting a custom secret only blocks attackers who do not know it; tokens issued under the previous secret (including the default) no longer decrypt, so clients in the middle of a paginated listing must restart from the first page.\n\nNext, upgrade **Keto** to a fixed version **as soon as possible**; the upgrade is what removes the injection itself.","aliases":["CVE-2026-33505","GO-2026-4800"],"modified":"2026-03-27T21:33:42.129221Z","published":"2026-03-20T20:55:44Z","database_specific":{"severity":"HIGH","cwe_ids":["CWE-89"],"github_reviewed":true,"github_reviewed_at":"2026-03-20T20:55:44Z","nvd_published_at":"2026-03-26T19:17:04Z"},"references":[{"type":"WEB","url":"https://github.com/ory/keto/security/advisories/GHSA-c38g-mx2c-9wf2"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33505"},{"type":"PACKAGE","url":"https://github.com/ory/keto"}],"affected":[{"package":{"name":"github.com/ory/keto","ecosystem":"Go","purl":"pkg:golang/github.com/ory/keto"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.14.1-0.20260320140104-e4393662cd2e"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-c38g-mx2c-9wf2/GHSA-c38g-mx2c-9wf2.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}]}
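The vulnerability class the advisory describes, as an added illustration in Go. This is not Keto's code and does not reproduce Keto's real token format or queries: the `cursor` fields, the table name `relation_tuples`, the placeholder default key and both query shapes are assumptions. It shows a server that silently falls back to a publicly known pagination key and splices decrypted token fields into SQL, beside a hardened variant that refuses to run without an operator-set secret (generated in-process the same way `openssl rand -base64 32` does on the shell), bounds the decoded fields and binds them as query parameters.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
)

// Constructed stand-in for a hard-coded fallback key (not Keto's real constant):
// anything compiled into a public source tree is known to every attacker.
var defaultPaginationSecret = []byte("0123456789abcdef0123456789abcdef") // 32 bytes = AES-256

// newPaginationSecret is the in-process equivalent of `openssl rand -base64 32`.
func newPaginationSecret() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// cursor is an assumed token payload: the last row seen plus the page size.
type cursor struct {
	LastID string `json:"last_id"`
	Limit  int    `json:"limit"`
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encodeToken seals a cursor with AES-GCM. The server uses it to issue page tokens;
// an attacker who knows the key calls the same function to forge one.
func encodeToken(key []byte, c cursor) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	plain, _ := json.Marshal(c)
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(aead.Seal(nonce, nonce, plain, nil)), nil
}

// decodeToken opens a token. Under a key the attacker lacks, a forged token fails
// GCM authentication here and never reaches the query builder.
func decodeToken(key []byte, tok string) (cursor, error) {
	raw, err := base64.RawURLEncoding.DecodeString(tok)
	if err != nil {
		return cursor{}, err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return cursor{}, err
	}
	ns := aead.NonceSize()
	if len(raw) < ns {
		return cursor{}, fmt.Errorf("pagination token too short")
	}
	plain, err := aead.Open(nil, raw[:ns], raw[ns:], nil)
	if err != nil {
		return cursor{}, fmt.Errorf("pagination token failed authentication")
	}
	var c cursor
	if err := json.Unmarshal(plain, &c); err != nil {
		return cursor{}, err
	}
	return c, nil
}

// vulnerableQuery combines the two mistakes: a silent fallback to the public default
// key, and decrypted token fields spliced straight into SQL as if they were server state.
func vulnerableQuery(configuredSecret []byte, tok string) (string, error) {
	key := configuredSecret
	if len(key) == 0 {
		key = defaultPaginationSecret
	}
	c, err := decodeToken(key, tok)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("SELECT * FROM relation_tuples WHERE id > '%s' ORDER BY id LIMIT %d", c.LastID, c.Limit), nil
}

// hardenedQuery refuses to run without an operator-set secret, bounds the decoded
// fields, and binds them as parameters so token contents can never become SQL.
func hardenedQuery(configuredSecret []byte, tok string) (string, []any, error) {
	if len(configuredSecret) != 32 {
		return "", nil, fmt.Errorf("secrets.pagination must be set to a 32-byte random key")
	}
	c, err := decodeToken(configuredSecret, tok)
	if err != nil {
		return "", nil, err
	}
	if c.Limit <= 0 || c.Limit > 1000 {
		return "", nil, fmt.Errorf("page size %d out of range", c.Limit)
	}
	return "SELECT * FROM relation_tuples WHERE id > $1 ORDER BY id LIMIT $2", []any{c.LastID, c.Limit}, nil
}
```

Forge a token with `encodeToken(defaultPaginationSecret, cursor{LastID: "' OR 1=1 --", Limit: 10})` and pass it to `vulnerableQuery(nil, tok)` to see the payload land in the query; the same token fails GCM authentication in `hardenedQuery` under a key from `newPaginationSecret`. The parameterized query is defence in depth: it keeps token contents from ever becoming SQL even if the secret later leaks, while the secret itself remains what stops forged cursors from skipping or replaying rows.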