CVE-2026-32714 CRITICAL

CVE-2026-32714: SciTokens vulnerable to SQL Injection in KeyCache

Vendor Scitokens
Product scitokens
Weakness CWE-89 · SQLi
Published March 31, 2026
Last update March 31, 2026

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the KeyCache class in scitokens was vulnerable to SQL Injection because it used Python's str.format() to construct SQL queries with user-supplied data (such as issuer and key_id). This allowed an attacker to execute arbitrary SQL commands against the local SQLite database. This issue has been patched in version 1.9.6.

Key dates

02Disclosure timeline

March 31, 2026 CVE published
March 31, 2026 Record updated