Executive Summary
A critical SQL injection vulnerability (CVE-2026-32714) has been disclosed in the SciTokens Python reference library, a widely used authentication token system for scientific computing platforms. The vulnerability carries a CVSS score of 9.8 (Critical) and stems from the use of Python's str.format() method to construct SQL queries with user-supplied input in the KeyCache class, enabling attackers to inject arbitrary SQL and compromise the authentication backend.
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
All SciTokens versions prior to 1.9.6 are affected. Maintainers have released a patch in version 1.9.6, and all users of the library should upgrade immediately.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-32714 |
| CVSS Score | 9.8 (Critical) |
| Type | SQL Injection (CWE-89) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality / Integrity / Availability | High / High / High |
| Published | 2026-03-31 |
| Fixed in | SciTokens v1.9.6 |
Affected Products
| Product | Affected Versions | Fixed Version |
|---|---|---|
| SciTokens Python library | All versions < 1.9.6 | 1.9.6 |
SciTokens is used across research computing and high-throughput scientific workflows, including HEP (High-Energy Physics), XSEDE/ACCESS infrastructure, and distributed computing frameworks that rely on capability-based authorization.
Technical Details
Root Cause
The vulnerability exists in the KeyCache class within the SciTokens library. The class is responsible for caching public keys used during token validation. When constructing SQL queries to look up or store cached key material, the code uses Python's str.format() method with user-controlled input:
# VULNERABLE pattern (prior to 1.9.6)
query = "SELECT * FROM key_cache WHERE issuer='{}' AND key_id='{}'".format(
issuer, key_id
)
cursor.execute(query)Both the issuer and key_id values are derived from the SciToken being validated — values that can be fully controlled by the token presenter. Because these values are interpolated directly into the SQL string without sanitization or parameterization, an attacker can craft a token with a malicious issuer or key_id claim to inject arbitrary SQL.
Exploitation Example
An attacker could craft a SciToken with an issuer value such as:
https://malicious.example.org'; DROP TABLE key_cache; --
Or extract sensitive data via UNION-based injection:
https://legit.example.org' UNION SELECT username, password, NULL FROM users --
Because the query is executed directly with the injected value, any SQL supported by the underlying database engine can be executed.
Why CVSS 9.8?
- Network-accessible: SciTokens validation happens server-side when services verify incoming tokens from remote clients
- No authentication required: The vulnerable code path executes during token validation — before authentication is confirmed
- No user interaction: A fully automated exploit requires only the ability to present a crafted token to a validating service
- Full C/I/A impact: SQL injection at the authentication layer can expose all cached key material, allow injection of malicious keys, and crash the key cache service
Impact Assessment
| Impact | Description |
|---|---|
| Authentication Bypass | Inject malicious keys into key_cache to forge valid-looking tokens |
| Data Exfiltration | Read key material, cached data, and potentially other tables via UNION injection |
| Data Manipulation | Alter or delete cached public keys, forcing validation failures |
| Database Corruption | DROP TABLE or destructive operations on the key cache backend |
| Lateral Movement | If the database contains broader data, SQL injection may expose sensitive credentials or configurations |
Recommended Actions
1. Upgrade to SciTokens 1.9.6
# Upgrade using pip
pip install --upgrade scitokens
# Verify the version
pip show scitokens | grep Version
# Expected: Version: 1.9.6 or higher2. Verify the Fix
Version 1.9.6 replaces str.format() string interpolation with parameterized queries (prepared statements), which are immune to SQL injection regardless of input content:
# FIXED pattern (v1.9.6+)
query = "SELECT * FROM key_cache WHERE issuer=? AND key_id=?"
cursor.execute(query, (issuer, key_id))3. Check for Exploitation Signs
# Review application logs for anomalous issuer or key_id values
grep -i "issuer\|key_id" /var/log/scitokens.log | grep -E "'|--|UNION|SELECT|DROP"
# Check for unexpected database errors that may indicate failed injection attempts
grep -i "sqlite\|sql\|database error" /var/log/app.log | tail -1004. Rotate Cached Key Material
If you suspect exploitation occurred, invalidate all cached token issuer keys and force re-fetch from issuer JWKS endpoints:
# Clear the key cache to force fresh key fetches
from scitokens.utils.keycache import KeyCache
cache = KeyCache.getinstance()
cache.clear()Detection Indicators
| Indicator | Description |
|---|---|
SQL syntax characters in token iss or kid claims | ', --, ;, UNION, SELECT |
| Database errors in SciTokens validation logs | Possible failed injection attempts |
Abnormally long issuer or key_id JWT claim values | May indicate injection payload delivery |
| Unexpected keys appearing in the key cache database | May indicate successful key injection |
Remediation Checklist
- Upgrade SciTokens to v1.9.6 on all affected hosts
- Review application logs for signs of exploitation prior to patch
- Clear and rebuild key cache after upgrade
- Confirm parameterized queries are used in local patches or forks
- Update dependency manifests and lock files (
requirements.txt,pyproject.toml) - Run
pip auditto check for any other vulnerable dependencies