CVE-2026-32714
Received Received - Intake
SQL Injection in SciTokens KeyCache Allows Arbitrary SQL Execution

Publication date: 2026-03-31

Last updated on: 2026-04-03

Assigner: GitHub, Inc.

Description
SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the KeyCache class in scitokens was vulnerable to SQL Injection because it used Python's str.format() to construct SQL queries with user-supplied data (such as issuer and key_id). This allowed an attacker to execute arbitrary SQL commands against the local SQLite database. This issue has been patched in version 1.9.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-03
Generated
2026-06-16
AI Q&A
2026-03-31
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32714
EUVD
EUVD-2026-17293
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
scitokens scitokens_library to 1.9.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-32714 is a critical SQL Injection vulnerability in the KeyCache class of the SciTokens library. The vulnerability occurs because the code used Python's string formatting method to construct SQL queries with user-supplied inputs such as issuer and key_id. This unsafe practice allowed attackers to inject arbitrary SQL commands into the local SQLite database.

Specifically, the vulnerable code constructed SQL statements by embedding user inputs directly into the query strings, which could be manipulated to alter or delete unintended data in the database. The issue was fixed by changing the code to use parameterized SQL queries, which treat user inputs strictly as data, preventing them from being executed as SQL commands.

Impact Analysis

This vulnerability can have severe impacts including allowing an attacker to modify or delete cache entries in the local SQLite database used by SciTokens. For example, an attacker could clear the entire key cache or inject malicious keys.

Additionally, if SQLite extensions are enabled, attackers might leak sensitive information by querying other tables or system data. In some configurations, it could even lead to Remote Code Execution (RCE) by exploiting features like ATTACH DATABASE to write malicious files.

The vulnerability has a high severity rating with a CVSS score of 9.8, indicating it is easy to exploit remotely without any privileges or user interaction, and it impacts confidentiality, integrity, and availability.

Detection Guidance

This vulnerability involves SQL injection in the KeyCache class of the scitokens package, specifically in the way SQL queries are constructed using Python's str.format() with user-supplied inputs like issuer and key_id.

To detect this vulnerability on your system, you can check the version of the scitokens package installed. Versions prior to 1.9.6 are vulnerable.

Additionally, you can audit the source code or runtime behavior to see if SQL queries in keycache.py use string formatting for SQL commands instead of parameterized queries.

While no direct network detection commands are provided, you can look for suspicious SQL commands or unexpected deletions in the local SQLite database used by scitokens.

Suggested commands include:

  • Check scitokens version: `pip show scitokens` or `scitokens --version`
  • Inspect the keycache.py file for usage of str.format() in SQL queries, e.g., `grep -E "\.format\(|f'" keycache.py`
  • Monitor the SQLite database file used by scitokens for unexpected changes or deletions, e.g., using `sqlite3` CLI to query the keycache table: `sqlite3 path_to_cache.db "SELECT * FROM keycache;"`
Mitigation Strategies

The primary mitigation is to upgrade the scitokens package to version 1.9.6 or later, where the vulnerability has been patched.

The patch replaces unsafe string formatting in SQL queries with parameterized queries using placeholders, preventing SQL injection.

If upgrading immediately is not possible, avoid using or exposing interfaces that accept untrusted inputs for issuer or key_id parameters.

Review and restrict access to the local SQLite database to prevent unauthorized manipulation.

Implement monitoring to detect suspicious SQL activity or unexpected cache modifications.

Compliance Impact

The vulnerability in the SciTokens KeyCache class allows an attacker to execute arbitrary SQL commands against the local SQLite database, potentially modifying, deleting, or leaking sensitive data.

Such unauthorized access and manipulation of data can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over the confidentiality, integrity, and availability of personal and sensitive information.

Because the vulnerability enables high impact on confidentiality, integrity, and availability (as indicated by the CVSS score of 9.8), affected systems may fail to comply with these standards if the vulnerability is exploited.

Mitigation by patching to version 1.9.6, which uses parameterized SQL queries, is essential to maintain compliance and prevent potential data breaches.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32714. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart