It's always a great realization when you discover your datastore doesn't actually check who's asking, and your auth service blindly trusts whatever token you hand it.

๐Ÿ—ƒ๏ธ Zero-Auth etcd Compaction

If you run a standalone etcd cluster with native auth enabled, you may have a serious hole in your network exposure. An authorization bypass flaw lets completely unauthenticated clients walk right past the bouncer on certain gRPC endpoints.

Any random client hitting these exposed ports can interfere with your leases, maliciously trigger cluster compaction, and ultimately DoS the entire data store. Fortunately, standard Kubernetes setups dodge this because the K8s API server handles authentication natively. If you run standalone etcd, you need to tightly firewall your network ports immediately and update to version 3.5.28+.

📑 SQL Injection via Page Numbers

Who knew fetching a paginated list could be a critical attack vector? Ory Keto has a trivial SQL injection vulnerability sitting directly inside its GetRelationships API.

If you didn't explicitly configure a custom `secrets.pagination` value in your deployment, Keto will accept forged pagination tokens. This lets an attacker pass malicious SQL payloads right through the API and dump your entire authorization database. Stop relying on default configurations. Explicitly set and rotate the `secrets.pagination` value in your Keto config right now, and read the Ory Keto advisory to verify your exposure.
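A small pre-deploy audit covering both items above, written for this post rather than taken from etcd or Ory Keto. It assumes the Keto config has already been loaded into a dict (for example from YAML), that `secrets.pagination` holds one secret string or a list of them, and that etcd reports a version string like `3.5.27`; the 32-character minimum is an assumed policy, not a value from the advisories.

```python
"""Audit helpers for the etcd and Keto findings (added example, not project code)."""
import re
import secrets
from typing import Any

ETCD_FIXED = (3, 5, 28)   # the post: update standalone etcd to 3.5.28+
MIN_SECRET_LEN = 32       # assumed policy for pagination secrets, not from the post


def parse_version(v: str) -> tuple[int, int, int]:
    """Turn '3.5.27' or 'v3.5.27' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unparseable etcd version: {v!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def etcd_needs_update(v: str) -> bool:
    """True when the running version is below the fixed 3.5.28 release."""
    return parse_version(v) < ETCD_FIXED


def keto_pagination_findings(cfg: dict[str, Any]) -> list[str]:
    """Return audit findings; an empty list means secrets.pagination is set explicitly."""
    value = cfg.get("secrets", {}).get("pagination")
    if value is None:
        # Missing key: Keto falls back to a default and accepts forged pagination tokens.
        return ["secrets.pagination is missing: default accepts forged pagination tokens"]
    values = value if isinstance(value, list) else [value]
    findings = []
    if not values:
        findings.append("secrets.pagination is empty")
    for i, s in enumerate(values):
        if not isinstance(s, str) or len(s) < MIN_SECRET_LEN:
            findings.append(f"secrets.pagination[{i}] is shorter than {MIN_SECRET_LEN} chars")
    return findings


def new_pagination_secret() -> str:
    """Generate a fresh secret suitable for rotating into secrets.pagination."""
    return secrets.token_urlsafe(48)


if __name__ == "__main__":
    # Constructed sample config: an operator who never set secrets.pagination.
    sample_cfg = {"dsn": "postgres://keto:***@db/keto"}
    print("etcd 3.5.27 needs update:", etcd_needs_update("3.5.27"))
    print("keto findings:", keto_pagination_findings(sample_cfg))
    print("rotate in:", new_pagination_secret())
```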