Python SQL Injection (CVE-2026-32714)
CVE-2026-32714
SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the KeyCache class in scitokens was vulnerable to SQL Injection because it used Python's str.format() to co...
Overview
A critical SQL injection vulnerability, identified as CVE-2026-32714, exists in the SciTokens reference library prior to version 1.9.6. The flaw is located in the library's KeyCache class, which builds SQL queries by formatting user-supplied input directly into the query text, allowing an attacker to execute arbitrary SQL against the database.
Vulnerability Details
SciTokens is a library for generating and validating access tokens commonly used in scientific computing and grid middleware. The vulnerability stems from the use of Python’s str.format() method to build SQL queries that incorporate user-controlled data, such as issuer and key_id parameters. This insecure construction method does not sanitize or parameterize inputs, making it possible for an attacker to inject malicious SQL commands.
The CVSS v3.1 base score of 9.8 (Critical) reflects the severe nature of this flaw. It is remotely exploitable over the network (Attack Vector: NETWORK) with low attack complexity, requires no privileges, and needs no user interaction.
Impact
Successful exploitation allows an unauthenticated remote attacker to execute arbitrary SQL commands on the local SQLite database used by the SciTokens library. This could lead to a complete compromise of the database, including theft, modification, or deletion of cached token keys and related data. In practical terms, this could undermine the security of federated authentication systems that rely on SciTokens, potentially enabling unauthorized access to scientific data and computing resources.
Remediation and Mitigation
The primary and mandatory action is to upgrade the SciTokens library to version 1.9.6 or later, which contains the patch. This update replaces the vulnerable str.format() calls with proper SQL parameterization.
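To make the difference between the two query-building styles concrete, the following added example (not scitokens' own code; the table layout and column names are assumptions) runs a str.format()-built lookup and a parameterized lookup against a constructed in-memory SQLite key cache. An issuer value that merely contains a quote character is enough to show the defect: the formatted query breaks because the input is parsed as SQL, while the parameterized query treats it as plain data.

```python
import sqlite3


def make_cache() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a key cache (assumed schema, not scitokens')."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE keycache (issuer TEXT, key_id TEXT, keydata TEXT)")
    conn.execute("INSERT INTO keycache VALUES (?, ?, ?)",
                 ("https://issuer.example", "kid-1", "PUBKEY-1"))
    conn.commit()
    return conn


def lookup_vulnerable(conn, issuer, key_id):
    """The flawed pattern: caller-controlled values are spliced into the SQL text,
    so a quote or operator inside them is parsed as SQL rather than as data."""
    query = ("SELECT keydata FROM keycache "
             "WHERE issuer='{issuer}' AND key_id='{kid}'").format(issuer=issuer, kid=key_id)
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, issuer, key_id):
    """The fix: the SQL text is constant and the values are bound as parameters."""
    query = "SELECT keydata FROM keycache WHERE issuer=? AND key_id=?"
    return conn.execute(query, (issuer, key_id)).fetchall()


def demo():
    """Run both lookups on a normal issuer and on one containing a quote character."""
    conn = make_cache()
    quoted = "https://o'reilly.example"  # constructed: a legal string that breaks '...' quoting
    out = {
        "safe_normal": lookup_parameterized(conn, "https://issuer.example", "kid-1"),
        "safe_quoted": lookup_parameterized(conn, quoted, "kid-1"),
    }
    try:
        lookup_vulnerable(conn, quoted, "kid-1")
        out["vulnerable_quoted_raises"] = False
    except sqlite3.OperationalError:
        # The quote ended the string literal early and the remainder of the
        # input was parsed as SQL: the same mechanism an injection relies on.
        out["vulnerable_quoted_raises"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

The parameterized lookup simply returns no row for the quoted issuer, which is the correct behaviour for a value that is not in the cache.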
Action Steps:
- Immediate Patching: Update all installations of SciTokens to version 1.9.6 or later. Use your package manager (e.g., pip install --upgrade scitokens) or follow your distribution's update procedures.
- Inventory: Identify all applications and services that depend on the SciTokens Python library, especially those exposed to network interfaces.
- No Effective Workaround: Due to the nature of the flaw, there is no viable configuration-based workaround. Patching is the only effective mitigation.
Security Insight
This vulnerability highlights a persistent class of flaw, the use of string formatting to build SQL queries, that should be considered a basic security failure in modern code. Its presence in a critical authentication library underscores how foundational security components can become single points of failure for entire ecosystems. Similar to past incidents in other token-validation libraries, this flaw reminds developers that security-critical code requires rigorous, defense-in-depth review, especially for data-handling patterns that have been well understood as dangerous for over two decades.