SciTokens ist anfällig für (SQL Injection) in KeyCache

The SQL Injection vulnerability in scitokens allows an attacker to directly manipulate database queries. By injecting malicious SQL code through the issuer and key_id parameters, an attacker can bypass authentication mechanisms, read sensitive data stored in the SQLite database (such as user credentials, API keys, or configuration information), modify existing data, or even execute arbitrary commands on the underlying system if the database user has sufficient privileges. The impact is particularly severe because the vulnerability resides within a core component responsible for key management, potentially compromising the entire application's security posture. This vulnerability shares similarities with other SQL Injection exploits where user input is directly incorporated into SQL queries without proper sanitization.

Applications that rely on the scitokens library for authentication or authorization, particularly those using SQLite as their database backend, are at risk. Systems with older, unpatched versions of scitokens are especially vulnerable. Development environments and testing systems using scitokens should also be prioritized for patching.

• python / library:

import os
import sqlite3

def check_scitokens_version():
    try:
        import scitokens
        version = scitokens.__version__
        if version <= '1.8.1':
            print(f"scitokens version is vulnerable: {version}")
        else:
            print(f"scitokens version is patched: {version}")
    except ImportError:
        print("scitokens is not installed.")

check_scitokens_version()

• python / file: Examine src/scitokens/utils/keycache.py for instances of str.format() used with user-supplied data in SQL queries. • generic web: Monitor application logs for unusual SQL errors or database activity that might indicate an attempted SQL Injection attack.

1. 2026-03-31Disclosure

   disclosure

2. 2026-03-31PoC

   poc

3. 2026-03-31Patch

   patch

1. Reserviert2026-03-13
2. Veröffentlicht2026-03-31
3. EPSS aktualisiert2026-04-07

The primary mitigation for CVE-2026-32714 is to immediately upgrade scitokens to version 1.9.6 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. These may include input validation and sanitization of the issuer and keyid parameters before they are used in SQL queries. While not a complete solution, this can reduce the attack surface. Additionally, restrict database user privileges to the minimum necessary for the application to function. Monitor database logs for suspicious SQL queries that may indicate an attempted exploitation. After upgrading, confirm the fix by attempting to inject a simple SQL statement (e.g., ' OR '1'='1) into the issuer or keyid parameters and verifying that it does not result in unauthorized data access.