CVE-2026-32714
SQL Injection in SciTokens KeyCache Allows Arbitrary SQL Execution
Publication date: 2026-03-31
Last updated on: 2026-04-03
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| scitokens | scitokens_library | to 1.9.6 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32714 is a critical SQL Injection vulnerability in the KeyCache class of the SciTokens library. The vulnerability occurs because the code used Python's string formatting method to construct SQL queries with user-supplied inputs such as issuer and key_id. This unsafe practice allowed attackers to inject arbitrary SQL commands into the local SQLite database.
Specifically, the vulnerable code constructed SQL statements by embedding user inputs directly into the query strings, which could be manipulated to alter or delete unintended data in the database. The issue was fixed by changing the code to use parameterized SQL queries, which treat user inputs strictly as data, preventing them from being executed as SQL commands.
How can this vulnerability impact me? :
This vulnerability can have severe impacts including allowing an attacker to modify or delete cache entries in the local SQLite database used by SciTokens. For example, an attacker could clear the entire key cache or inject malicious keys.
Additionally, if SQLite extensions are enabled, attackers might leak sensitive information by querying other tables or system data. In some configurations, it could even lead to Remote Code Execution (RCE) by exploiting features like ATTACH DATABASE to write malicious files.
The vulnerability has a high severity rating with a CVSS score of 9.8, indicating it is easy to exploit remotely without any privileges or user interaction, and it impacts confidentiality, integrity, and availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves SQL injection in the KeyCache class of the scitokens package, specifically in the way SQL queries are constructed using Python's str.format() with user-supplied inputs like issuer and key_id.
To detect this vulnerability on your system, you can check the version of the scitokens package installed. Versions prior to 1.9.6 are vulnerable.
Additionally, you can audit the source code or runtime behavior to see if SQL queries in keycache.py use string formatting for SQL commands instead of parameterized queries.
While no direct network detection commands are provided, you can look for suspicious SQL commands or unexpected deletions in the local SQLite database used by scitokens.
Suggested commands include:
- Check scitokens version: `pip show scitokens` or `scitokens --version`
- Inspect the keycache.py file for usage of str.format() in SQL queries, e.g., `grep -E "\.format\(|f'" keycache.py`
- Monitor the SQLite database file used by scitokens for unexpected changes or deletions, e.g., using `sqlite3` CLI to query the keycache table: `sqlite3 path_to_cache.db "SELECT * FROM keycache;"`
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the scitokens package to version 1.9.6 or later, where the vulnerability has been patched.
The patch replaces unsafe string formatting in SQL queries with parameterized queries using placeholders, preventing SQL injection.
If upgrading immediately is not possible, avoid using or exposing interfaces that accept untrusted inputs for issuer or key_id parameters.
Review and restrict access to the local SQLite database to prevent unauthorized manipulation.
Implement monitoring to detect suspicious SQL activity or unexpected cache modifications.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in the SciTokens KeyCache class allows an attacker to execute arbitrary SQL commands against the local SQLite database, potentially modifying, deleting, or leaking sensitive data.
Such unauthorized access and manipulation of data can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over the confidentiality, integrity, and availability of personal and sensitive information.
Because the vulnerability enables high impact on confidentiality, integrity, and availability (as indicated by the CVSS score of 9.8), affected systems may fail to comply with these standards if the vulnerability is exploited.
Mitigation by patching to version 1.9.6, which uses parameterized SQL queries, is essential to maintain compliance and prevent potential data breaches.