CVE-2026-32716, CVE-2026-32714 (highest CVSS: 9.8)

SciTokens Auth Bypass and SQL Injection Vulnerabilities

Critical vulnerabilities in SciTokens <= 1.8.1: authorization bypass via scope path prefix matching and SQL injection in the KeyCache. Upgrade to 1.9.6 now.

Published on

Two critical vulnerabilities have been discovered in SciTokens versions 1.8.1 and earlier: an authorization bypass due to incorrect scope path prefix checking and an SQL injection vulnerability in the KeyCache. These flaws could allow unauthorized access and arbitrary SQL command execution. Users are urged to upgrade to version 1.9.6 immediately.

Both vulnerabilities are rated high or critical, with CVSS scores of 8.1 (authorization bypass) and 9.8 (SQL injection), indicating significant potential for exploitation.

What is SciTokens?

SciTokens is a Python library for creating and validating JWT-based bearer tokens, used mainly in scientific computing environments to manage authorization and access control for distributed resources. Each token carries scopes that define which actions (and, for storage scopes, which paths) a user or service is allowed to access.

CVE-2026-32716: SciTokens Authorization Bypass Vulnerability

CVSS: 8.1
Affected versions: SciTokens 1.8.1 and earlier. Any system using SciTokens for authorization decisions is potentially at risk.

High severity: Allows unauthorized access to protected resources.

EPSS score of 0.027 (roughly a 2.7% probability of exploitation activity in the next 30 days) indicates a low probability of exploitation.

The `Enforcer` in SciTokens validates the path component of a scope with a plain string prefix match rather than a path-segment comparison. A token granted access to `/data/alice` is therefore also accepted for sibling paths that merely share that prefix, such as `/data/alice2` or `/data/alice-backup`, because the check never requires the match to end on a `/` boundary. This is an authorization bypass.
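The prefix-match bug beside a segment-aware check, as an added example written for this page (it is not the SciTokens code). It assumes SciTokens-style `authz:/path` scopes such as `storage.read:/data/alice`; the function names `naive_prefix_allows`, `segment_allows`, `parse_scope` and `enforce` are illustrative, not the library's API. The hardened check also normalizes `..`, `//` and trailing slashes so a crafted request cannot escape the granted subtree.

```python
import posixpath

# Added example: a SciTokens-style "authz:/path" scope checker showing the
# prefix-match bug beside a segment-aware check. Scope syntax and the helper
# names below are assumptions for illustration, not the library's own API.


def naive_prefix_allows(granted: str, requested: str) -> bool:
    """Vulnerable pattern: a plain string prefix test.

    '/data/alice' is a string prefix of '/data/alice-backup', so the sibling
    directory is wrongly allowed."""
    return requested.startswith(granted)


def normalize(path: str) -> str:
    """Canonicalize a path: single leading slash, no '.', '..', '//' or trailing '/'."""
    return posixpath.normpath("/" + path.lstrip("/"))


def segment_allows(granted: str, requested: str) -> bool:
    """Hardened check: the granted path must equal the requested path or be a
    proper ancestor of it on a '/' boundary, after both are normalized."""
    g = normalize(granted)
    r = normalize(requested)
    if g == "/":  # a scope rooted at '/' covers everything
        return True
    return r == g or r.startswith(g + "/")


def parse_scope(scope: str) -> tuple[str, str]:
    """Split 'storage.read:/data/alice' into ('storage.read', '/data/alice').
    A scope with no path component is treated as rooted at '/'."""
    authz, sep, path = scope.partition(":")
    return authz, (path if sep else "/")


def enforce(token_scopes: str, required_authz: str, requested_path: str,
            check=segment_allows) -> bool:
    """Return True if any space-separated scope in the token grants
    `required_authz` on `requested_path` under the given path check."""
    for scope in token_scopes.split():
        authz, path = parse_scope(scope)
        if authz == required_authz and check(path, requested_path):
            return True
    return False


if __name__ == "__main__":
    scopes = "storage.read:/data/alice storage.create:/scratch/alice"
    for target in ("/data/alice/run1/out.h5",   # inside the grant
                   "/data/alice-backup/keys",   # sibling sharing the prefix
                   "/data/alice/../bob/x"):     # traversal out of the grant
        print(f"{target:28} naive={enforce(scopes, 'storage.read', target, naive_prefix_allows)!s:5} "
              f"fixed={enforce(scopes, 'storage.read', target)}")
```

Only the first target should be allowed; the naive check passes all three. The normalization step matters as much as the boundary test: without it, `/data/alice/../bob/x` satisfies even a `startswith(granted + "/")` check.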

How to fix CVE-2026-32716 in SciTokens

Patch immediately
  1. Upgrade SciTokens to version 1.9.6 or later:

pip install --upgrade scitokens

Verify with:

pip show scitokens

Workaround: There are no known workarounds besides upgrading.

NextGuard automatically flags CVE-2026-32716 if SciTokens appears in any of your monitored projects — no manual lookup required.

CVE-2026-32714: SciTokens SQL Injection Vulnerability

CVSS: 9.8
Affected versions: SciTokens 1.8.1 and earlier. Any application using the `KeyCache` class with untrusted input is vulnerable.

Critical severity: Allows arbitrary SQL command execution.

EPSS score of 0.029 (roughly a 2.9% probability of exploitation activity in the next 30 days) indicates a low probability of exploitation.

The `KeyCache` class in SciTokens is vulnerable to SQL Injection because it uses Python's `str.format()` to construct SQL queries with user-supplied data. An attacker could execute arbitrary SQL commands against the local SQLite database.
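The `str.format()` query-building pattern beside its parameterized replacement, as an added example written for this page (it is not the SciTokens `KeyCache` code). The `keycache` table schema, the sample rows and the function names `lookup_vulnerable` / `lookup_safe` are constructed for illustration; the point is that any value interpolated into the query text (for instance an issuer URL or key id taken from an unverified token) can rewrite the query, while a bound parameter cannot.

```python
import sqlite3

# Added example, not the library's code: a minimal key cache with the
# str.format query-building pattern the advisory describes beside a
# parameterized version. Table schema and sample rows are constructed.

SAMPLE_KEYS = [
    ("https://issuer-a.example", "kid-a", "PUBKEY-A"),  # constructed, not real keys
    ("https://issuer-b.example", "kid-b", "PUBKEY-B"),
]


def build_cache() -> sqlite3.Connection:
    """Create an in-memory SQLite cache holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE keycache (issuer TEXT, key_id TEXT, keydata TEXT)")
    conn.executemany("INSERT INTO keycache VALUES (?, ?, ?)", SAMPLE_KEYS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, issuer: str, key_id: str) -> list[str]:
    """Interpolates caller-controlled strings into SQL with str.format.
    Anything the caller puts in `issuer` / `key_id` becomes part of the query."""
    query = ("SELECT keydata FROM keycache "
             "WHERE issuer = '{}' AND key_id = '{}'").format(issuer, key_id)
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, issuer: str, key_id: str) -> list[str]:
    """Same lookup with bound parameters: the driver hands the values to
    SQLite separately, so quotes inside them never change the query's shape."""
    query = "SELECT keydata FROM keycache WHERE issuer = ? AND key_id = ?"
    return [row[0] for row in conn.execute(query, (issuer, key_id))]


# Assumed attacker-controlled input (e.g. a key id copied from an unverified
# token). This tautology payload turns the WHERE clause into
#   ... AND key_id = '' OR '1'='1'
# which matches every row.
INJECTED_KID = "' OR '1'='1"


if __name__ == "__main__":
    conn = build_cache()
    print(lookup_vulnerable(conn, "https://issuer-a.example", "kid-a"))       # ['PUBKEY-A']
    print(lookup_vulnerable(conn, "https://issuer-a.example", INJECTED_KID))  # ['PUBKEY-A', 'PUBKEY-B']
    print(lookup_safe(conn, "https://issuer-a.example", INJECTED_KID))        # []
```

Python's `sqlite3.Cursor.execute()` refuses stacked statements, so a `'; DROP TABLE keycache; --` payload raises an error there, but tautology and `UNION` payloads still work against the vulnerable lookup, and any code path that uses `executescript()` would accept stacked statements too. Parameter binding, not input filtering, is the fix.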

How to fix CVE-2026-32714 in SciTokens

Patch immediately
  1. Upgrade SciTokens to version 1.9.6 or later:

pip install --upgrade scitokens

Verify with:

pip show scitokens

Workaround: There are no known workarounds besides upgrading.

NextGuard automatically flags CVE-2026-32714 if SciTokens appears in any of your monitored projects — no manual lookup required.

Stay ahead of Python vulnerabilities

Proactively detect and respond to security threats in your Python projects. Monitor your Python dependencies with real-time alerts and comprehensive vulnerability data.

Frequently asked questions

These vulnerabilities pose a significant risk to applications using SciTokens. Upgrade to version 1.9.6 or later as soon as possible.

Related topics

Authorization Bypass, SQL Injection, Python, SciTokens, Security