{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32714", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-13T14:33:42.824Z", "datePublished": "2026-03-31T01:31:31.708Z", "dateUpdated": "2026-03-31T13:58:33.774Z"}, "containers": {"cna": {"title": "SciTokens vulnerable to SQL Injection in KeyCache", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/scitokens/scitokens/security/advisories/GHSA-rh5m-2482-966c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/scitokens/scitokens/security/advisories/GHSA-rh5m-2482-966c"}, {"name": "https://github.com/scitokens/scitokens/commit/3dba108853f2f4a6c0f2325c03779bf083c41cf2", "tags": ["x_refsource_MISC"], "url": "https://github.com/scitokens/scitokens/commit/3dba108853f2f4a6c0f2325c03779bf083c41cf2"}, {"name": "https://github.com/scitokens/scitokens/releases/tag/v1.9.6", "tags": ["x_refsource_MISC"], "url": "https://github.com/scitokens/scitokens/releases/tag/v1.9.6"}], "affected": [{"vendor": "scitokens", "product": "scitokens", "versions": [{"version": "< 1.9.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T01:31:31.708Z"}, "descriptions": [{"lang": "en", "value": "SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the KeyCache class in scitokens was vulnerable to SQL Injection because it used Python's str.format() to construct SQL queries with user-supplied data (such as issuer and key_id). This allowed an attacker to execute arbitrary SQL commands against the local SQLite database. This issue has been patched in version 1.9.6."}], "source": {"advisory": "GHSA-rh5m-2482-966c", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/scitokens/scitokens/security/advisories/GHSA-rh5m-2482-966c", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T13:58:30.467209Z", "id": "CVE-2026-32714", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T13:58:33.774Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32714", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-31T13:58:30.467209Z"}}}], "references": [{"url": "https://github.com/scitokens/scitokens/security/advisories/GHSA-rh5m-2482-966c", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T13:58:24.527Z"}}], "cna": {"title": "SciTokens vulnerable to SQL Injection in KeyCache", "source": {"advisory": "GHSA-rh5m-2482-966c", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "scitokens", "product": "scitokens", "versions": [{"status": "affected", "version": "< 1.9.6"}]}], "references": [{"url": "https://github.com/scitokens/scitokens/security/advisories/GHSA-rh5m-2482-966c", "name": "https://github.com/scitokens/scitokens/security/advisories/GHSA-rh5m-2482-966c", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/scitokens/scitokens/commit/3dba108853f2f4a6c0f2325c03779bf083c41cf2", "name": "https://github.com/scitokens/scitokens/commit/3dba108853f2f4a6c0f2325c03779bf083c41cf2", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/scitokens/scitokens/releases/tag/v1.9.6", "name": "https://github.com/scitokens/scitokens/releases/tag/v1.9.6", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the KeyCache class in scitokens was vulnerable to SQL Injection because it used Python's str.format() to construct SQL queries with user-supplied data (such as issuer and key_id). This allowed an attacker to execute arbitrary SQL commands against the local SQLite database. This issue has been patched in version 1.9.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T01:31:31.708Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32714", "state": "PUBLISHED", "dateUpdated": "2026-03-31T13:58:33.774Z", "dateReserved": "2026-03-13T14:33:42.824Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T01:31:31.708Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the KeyCache class in scitokens was vulnerable to SQL Injection because it used Python's str.format() to construct SQL queries with user-supplied data (such as issuer and key_id). This allowed an attacker to execute arbitrary SQL commands against the local SQLite database. This issue has been patched in version 1.9.6."}, {"lang": "es", "value": "SciTokens es una biblioteca de referencia para generar y usar SciTokens. Antes de la versi\u00f3n 1.9.6, la clase KeyCache en scitokens era vulnerable a la inyecci\u00f3n SQL porque utilizaba str.format() de Python para construir consultas SQL con datos proporcionados por el usuario (como issuer y key_id). Esto permit\u00eda a un atacante ejecutar comandos SQL arbitrarios contra la base de datos SQLite local. Este problema ha sido parcheado en la versi\u00f3n 1.9.6."}], "id": "CVE-2026-32714", "lastModified": "2026-03-31T15:16:13.770", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T03:15:55.970", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/scitokens/scitokens/commit/3dba108853f2f4a6c0f2325c03779bf083c41cf2"}, {"source": "security-advisories@github.com", "url": "https://github.com/scitokens/scitokens/releases/tag/v1.9.6"}, {"source": "security-advisories@github.com", "url": "https://github.com/scitokens/scitokens/security/advisories/GHSA-rh5m-2482-966c"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/scitokens/scitokens/security/advisories/GHSA-rh5m-2482-966c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.9.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "scitokens", "source": "cna", "vendor": "scitokens"}, "product": "scitokens", "vendor": "scitokens"}], "analysis": {"en": {"generated_at": "2026-03-31T05:25:29.471989+00:00", "value": {"mitigation_remediation": ["Upgrade SciTokens to version\u202f1.9.6 or later, which eliminates the insecure query construction.", "Confirm the library version after upgrade and run regression tests to ensure all functionalities remain unchanged.", "Monitor application logs for anomalous SQL queries or authentication failures during the transition period."], "summary": {"action": "Apply Patch", "impact": "SQL Injection allowing arbitrary SQL execution on the local SQLite database"}, "threat_synthesis": {"affected_systems": "All installations of SciTokens prior to version\u202f1.9.6 are affected. The vulnerability exists within the scitokens.scitokens package, which is commonly used by Python\u2011based scientific workflow services that generate or validate SciTokens. Upgrading to v1.9.6 or later removes the insecure query construction.", "description_and_impact": "The KeyCache class in SciTokens constructs SQL statements by directly inserting user\u2011provided issuer and key_id values using Python's str.format(). This creates a traditional SQL Injection flaw that permits attackers to execute malicious SQL against the library\u2019s local SQLite database. An attacker could read, modify, or delete data containing authentication tokens or other sensitive information.", "risk_and_exploitability": "With a CVSS score of 9.8, the flaw is classified as critical. No EPSS data is available and the vulnerability is not listed in the CISA KEV catalog, yet the risk remains high because any application that passes untrusted issuer or key_id values to KeyCache is vulnerable. The likely attack vector is through user\u2011controlled parameters supplied to KeyCache methods, and exploitation requires no special conditions beyond the presence of the vulnerable version."}}}}, "created": "2026-03-31T19:56:33.171600+00:00", "updated": "2026-03-31T20:39:43.772389+00:00", "vendors": ["scitokens", "scitokens$PRODUCT$scitokens"]}