CVE-2026-32714: SciTokens is vulnerable to SQL Injection in KeyCache
The KeyCache class in scitokens was vulnerable to SQL injection because it built SQL queries with Python's str.format(), interpolating user-supplied values (such as issuer and key_id) directly into the query text instead of binding them as parameters. An attacker who controls those values can therefore alter the query executed against the local SQLite key cache and run arbitrary SQL against it. The fix (see the commit and the v1.9.6 release referenced below) replaces the formatted queries.
Ran the POC below locally.
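The following is an added illustration of the vulnerable pattern described above next to its parameterised replacement; it is not scitokens' own code nor the author's proof of concept. The table layout (issuer, key_id, keydata), the function names and the sample rows are constructed for the example; the only thing it shares with the real issue is the mechanism, str.format() interpolation of untrusted values into a SQLite query.

```python
import sqlite3

# Constructed sample cache: two issuers, each with one cached public key
# (placeholder key material, not real PEM data).
SAMPLE_ROWS = [
    ("https://issuer-a.example", "kid-a", "PEM-KEY-A"),
    ("https://issuer-b.example", "kid-b", "PEM-KEY-B"),
]


def make_cache():
    """Build an in-memory SQLite key cache holding the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE keycache (issuer TEXT, key_id TEXT, keydata TEXT)")
    conn.executemany("INSERT INTO keycache VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def vulnerable_lookup(conn, issuer, key_id):
    """Vulnerable pattern (illustrative): untrusted values are pasted into the SQL
    text with str.format(), so a quote character in either value becomes SQL syntax."""
    query = (
        "SELECT issuer, key_id, keydata FROM keycache "
        "WHERE issuer = '{}' AND key_id = '{}'".format(issuer, key_id)
    )
    return conn.execute(query).fetchall()


def safe_lookup(conn, issuer, key_id):
    """Hardened pattern: the values are bound as parameters, so SQLite treats
    them as data regardless of what characters they contain."""
    query = "SELECT issuer, key_id, keydata FROM keycache WHERE issuer = ? AND key_id = ?"
    return conn.execute(query, (issuer, key_id)).fetchall()


# Attacker-controlled lookup values (constructed payloads).
REQUESTED_ISSUER = "https://issuer-a.example"
# Closes the key_id literal and appends a tautology; because AND binds tighter
# than OR, the WHERE clause then matches every row in the cache.
TAUTOLOGY_KID = "nonexistent' OR '1'='1"
# Closes the literal and ORs in a different issuer, so a lookup for issuer A
# returns issuer B's key: the cache now answers with the wrong key material.
CROSS_ISSUER_KID = "nonexistent' OR issuer = 'https://issuer-b.example"


def demo():
    """Run both payloads through the vulnerable and the hardened lookup."""
    conn = make_cache()
    return {
        "vulnerable_tautology": vulnerable_lookup(conn, REQUESTED_ISSUER, TAUTOLOGY_KID),
        "vulnerable_cross_issuer": vulnerable_lookup(conn, REQUESTED_ISSUER, CROSS_ISSUER_KID),
        "safe_tautology": safe_lookup(conn, REQUESTED_ISSUER, TAUTOLOGY_KID),
        "safe_cross_issuer": safe_lookup(conn, REQUESTED_ISSUER, CROSS_ISSUER_KID),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Note that sqlite3's execute() only accepts a single statement, so a stacked "'; DROP TABLE ..." payload raises an error here; the tautology and cross-issuer payloads above are enough to make the cache return key material the caller never asked for, which is the property a key cache must not lose. The parameterised version returns no rows for either payload.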
References
- github.com/advisories/GHSA-rh5m-2482-966c
- github.com/scitokens/scitokens
- github.com/scitokens/scitokens/commit/3dba108853f2f4a6c0f2325c03779bf083c41cf2
- github.com/scitokens/scitokens/releases/tag/v1.9.6
- github.com/scitokens/scitokens/security/advisories/GHSA-rh5m-2482-966c
- nvd.nist.gov/vuln/detail/CVE-2026-32714