CVE-2026-32714
Published: 31 March 2026
Summary
CVE-2026-32714 is a critical-severity SQL Injection (CWE-89) vulnerability in Scitokens Scitokens Library. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 2.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires validating and sanitizing user-supplied inputs such as issuer and key_id before use in SQL queries, directly preventing SQL injection exploitation in the KeyCache class.
Mandates timely identification, testing, and installation of software patches, such as upgrading SciTokens to version 1.9.6 to remediate the SQL injection flaw.
Requires vulnerability scanning to identify and report the SQL injection vulnerability in SciTokens deployments for subsequent remediation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection enables remote unauthenticated exploitation of exposed apps using the library (T1190) and direct access to cached keys/credentials in the SQLite DB (T1212).
NVD Description
SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the KeyCache class in scitokens was vulnerable to SQL Injection because it used Python's str.format() to construct SQL queries with user-supplied data (such as issuer and…
more
key_id). This allowed an attacker to execute arbitrary SQL commands against the local SQLite database. This issue has been patched in version 1.9.6.
Deeper analysisAI
CVE-2026-32714 is a SQL injection vulnerability (CWE-89) in the KeyCache class of the SciTokens Python library, a reference implementation for generating and using SciTokens prior to version 1.9.6. The flaw arises from using Python's str.format() method to construct SQL queries with untrusted user-supplied inputs, such as issuer and key_id values, against a local SQLite database. This issue earned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its critical severity due to high impacts on confidentiality, integrity, and availability.
The vulnerability can be exploited remotely by unauthenticated attackers with network access and no user interaction required. By crafting malicious issuer or key_id inputs, attackers can inject and execute arbitrary SQL commands on the local SQLite database used by KeyCache, potentially allowing full read, modification, or deletion of cached key data.
The vulnerability has been patched in SciTokens version 1.9.6, as detailed in the project's GitHub security advisory (GHSA-rh5m-2482-966c), release notes, and the fixing commit (3dba108853f2f4a6c0f2325c03779bf083c41cf2). Security practitioners should upgrade to version 1.9.6 or later and review deployments using earlier versions of the library for exposure.
Details
- CWE(s)