Platform: python
Component: scitokens
Fixed in: 1.9.7, 1.9.6
CVE-2026-32714 describes a critical SQL Injection vulnerability discovered in the scitokens Python library. This flaw allows attackers to inject malicious SQL code into database queries, potentially leading to unauthorized data access or modification. The vulnerability affects versions of scitokens up to and including 1.8.1. A fix is available in version 1.9.6.
The SQL Injection vulnerability in scitokens arises from the insecure use of Python's str.format() function when constructing SQL queries. Specifically, the KeyCache class within src/scitokens/utils/keycache.py is vulnerable. An attacker can manipulate the issuer and key_id parameters passed to functions like addkeyinfo to inject arbitrary SQL commands. Successful exploitation could allow an attacker to read, modify, or delete sensitive data stored in the local SQLite database, including authentication tokens and configuration information. The potential impact extends to compromising the integrity and confidentiality of the application relying on scitokens.
CVE-2026-32714 was publicly disclosed on 2026-03-31. The vulnerability is considered highly exploitable due to the ease of crafting malicious SQL queries. Public proof-of-concept (POC) code is available, demonstrating the vulnerability's impact. The CVSS score of 9.8 (CRITICAL) reflects the severity of the vulnerability and the potential for widespread exploitation.
Exploit Status:
EPSS: 0.03% (10th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-32714 is to upgrade to version 1.9.6 or later of the scitokens library. If upgrading is not immediately feasible, consider implementing temporary workarounds. Input validation and sanitization should be applied to the issuer and key_id parameters before they are used in SQL queries. Using parameterized queries or an Object-Relational Mapper (ORM) that automatically handles escaping can also help prevent SQL Injection attacks. Review the src/scitokens/utils/keycache.py file for other potential vulnerabilities related to dynamic SQL construction.
Update the SciTokens library to version 1.9.6 or higher. This fixes the SQL Injection vulnerability, which stemmed from using str.format() to construct SQL queries with user-supplied data.
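To make the mechanism and the mitigation concrete, the following is an added example written for this advisory; it is not code from the scitokens project and does not reproduce its KeyCache schema or API. It places a str.format()-built INSERT (the vulnerable pattern described above) beside a parameterized equivalent, adds an allow-list check on the issuer and key_id inputs as defence in depth, and runs both against an in-memory SQLite table with constructed data. The table name, column names, `ISSUER` and `KEYDATA` values are all assumptions made for the demonstration.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Constructed schema for the demonstration; not the scitokens keycache layout.
SCHEMA = """
CREATE TABLE keycache (
    issuer  TEXT NOT NULL,
    key_id  TEXT NOT NULL,
    keydata TEXT NOT NULL,
    PRIMARY KEY (issuer, key_id)
)
"""

# Constructed sample values (hypothetical issuer, placeholder key material).
ISSUER = "https://issuer.example"
KEYDATA = "constructed-key-data"


def new_db():
    """Fresh in-memory SQLite database with the demo table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def add_key_info_unsafe(conn, issuer, key_id, keydata):
    # VULNERABLE PATTERN, shown for contrast only: the values are pasted into
    # the SQL text with str.format(), so any quote character inside issuer or
    # key_id is parsed by SQLite as SQL syntax rather than as data.
    query = (
        "INSERT INTO keycache (issuer, key_id, keydata) "
        "VALUES ('{}', '{}', '{}')".format(issuer, key_id, keydata)
    )
    conn.execute(query)
    conn.commit()


def add_key_info_safe(conn, issuer, key_id, keydata):
    # Parameterized query: sqlite3 binds the values separately from the SQL
    # text, so they can never change the structure of the statement.
    conn.execute(
        "INSERT INTO keycache (issuer, key_id, keydata) VALUES (?, ?, ?)",
        (issuer, key_id, keydata),
    )
    conn.commit()


# Allow-list for key identifiers: a conservative, assumed character set.
KEY_ID_RE = re.compile(r"[A-Za-z0-9_.-]{1,128}")


def inputs_are_valid(issuer, key_id):
    """Defence in depth: reject malformed issuer/key_id before any DB access.

    Validation complements parameterization; it does not replace it.
    """
    parsed = urlparse(issuer)
    if parsed.scheme != "https" or not parsed.netloc:
        return False
    return KEY_ID_RE.fullmatch(key_id) is not None


def lookup(conn, issuer, key_id):
    """Return the stored key data for (issuer, key_id), or None."""
    row = conn.execute(
        "SELECT keydata FROM keycache WHERE issuer = ? AND key_id = ?",
        (issuer, key_id),
    ).fetchone()
    return row[0] if row else None


def run_unsafe(key_id):
    """Store via the str.format() path; return the stored value or the error class name."""
    conn = new_db()
    try:
        add_key_info_unsafe(conn, ISSUER, key_id, KEYDATA)
    except sqlite3.OperationalError as exc:
        # The quote in key_id was parsed as SQL: proof the input reached the parser.
        return type(exc).__name__
    return lookup(conn, ISSUER, key_id)


def run_safe(key_id):
    """Store via the parameterized path; the same key_id is kept literally."""
    conn = new_db()
    add_key_info_safe(conn, ISSUER, key_id, KEYDATA)
    return lookup(conn, ISSUER, key_id)


if __name__ == "__main__":
    odd_id = "key'1"  # benign value containing a quote
    print("unsafe:", run_unsafe(odd_id))        # OperationalError
    print("safe:  ", run_safe(odd_id))          # constructed-key-data
    print("valid: ", inputs_are_valid(ISSUER, "key-1"), inputs_are_valid(ISSUER, odd_id))
```

The quote-bearing key_id is enough to show the difference: the str.format() path hands it to SQLite as part of the statement and the parse fails, which is the same property an attacker relies on to append statements of their choosing; the parameterized path stores the string unchanged. Run the allow-list check first and the parameterized statement second, as the mitigation paragraph above recommends, and treat the validator as a second layer rather than the fix.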
CVE-2026-32714 is a critical SQL Injection vulnerability in the scitokens Python library, allowing attackers to execute arbitrary SQL commands against the local SQLite database.
You are affected if you are using scitokens versions 1.8.1 or earlier. Upgrade to version 1.9.6 or later to resolve the vulnerability.
Upgrade to version 1.9.6 or later of the scitokens library. As a temporary workaround, implement input validation and sanitization for the issuer and key_id parameters.
While active exploitation is not confirmed, the vulnerability is considered highly exploitable and a public proof-of-concept exists, increasing the likelihood of exploitation.
Refer to the scitokens project's official security advisories and release notes for details: [https://github.com/scitokens/scitokens/releases](https://github.com/scitokens/scitokens/releases)