CVE-2026-32714

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-32714
SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the KeyCache class in scitokens was vulnerable to SQL Injection because it used Python's str.format() to construct SQL queries with user-supplied data (such as issuer and key_id). This allowed an attacker to execute arbitrary SQL commands against the local SQLite database. This issue has been patched in version 1.9.6.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/scitokens/scitokens/commit/3dba108853f2f4a6c0f2325c03779bf083c41cf2 Patch
https://github.com/scitokens/scitokens/releases/tag/v1.9.6 Release Notes
https://github.com/scitokens/scitokens/security/advisories/GHSA-rh5m-2482-966c Exploit Vendor Advisory
https://github.com/scitokens/scitokens/security/advisories/GHSA-rh5m-2482-966c Exploit Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:scitokens:scitokens_library:*:*:*:*:*:*:*:*
History

03 Apr 2026, 18:01

Type Values Removed Values Added
References () https://github.com/scitokens/scitokens/commit/3dba108853f2f4a6c0f2325c03779bf083c41cf2 - () https://github.com/scitokens/scitokens/commit/3dba108853f2f4a6c0f2325c03779bf083c41cf2 - Patch
References () https://github.com/scitokens/scitokens/releases/tag/v1.9.6 - () https://github.com/scitokens/scitokens/releases/tag/v1.9.6 - Release Notes
References () https://github.com/scitokens/scitokens/security/advisories/GHSA-rh5m-2482-966c - () https://github.com/scitokens/scitokens/security/advisories/GHSA-rh5m-2482-966c - Exploit, Vendor Advisory
CPE cpe:2.3:a:scitokens:scitokens_library:*:*:*:*:*:*:*:*
First Time Scitokens
Scitokens scitokens Library

31 Mar 2026, 15:16

Type Values Removed Values Added
References () https://github.com/scitokens/scitokens/security/advisories/GHSA-rh5m-2482-966c - () https://github.com/scitokens/scitokens/security/advisories/GHSA-rh5m-2482-966c -
Summary
  • (es) SciTokens es una biblioteca de referencia para generar y usar SciTokens. Antes de la versión 1.9.6, la clase KeyCache en scitokens era vulnerable a la inyección SQL porque utilizaba str.format() de Python para construir consultas SQL con datos proporcionados por el usuario (como issuer y key_id). Esto permitía a un atacante ejecutar comandos SQL arbitrarios contra la base de datos SQLite local. Este problema ha sido parcheado en la versión 1.9.6.

31 Mar 2026, 03:15

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-31 03:15

Updated : 2026-04-03 18:01

NVD link : CVE-2026-32714

Mitre link : CVE-2026-32714

CVE.ORG link : CVE-2026-32714

JSON object : View

Products Affected

scitokens

  • scitokens_library
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')