Impact
The KeyCache component of the SciTokens library constructs SQL statements by embedding user-supplied issuer and key_id values directly into the query string using Python's string formatting. This omission of parameterization permits an attacker to inject arbitrary SQL into the local SQLite database. The immediate consequence is that the attacker can read, modify, or delete token information stored by the library, thereby affecting authentication or authorization logic in any application that relies on these tokens. Although the weakness resides in the database layer and does not expose native code or system binaries, manipulation of token data can lead to denial of service or privilege escalation at the application level.
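The two query styles the advisory contrasts, side by side, as an added example that is not SciTokens' own code: the table name, column names and cached values are constructed stand-ins, and the real KeyCache schema is not taken from the page.

```python
import sqlite3


def make_cache():
    # Constructed in-memory stand-in for the local SQLite key cache.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE keycache (issuer TEXT, key_id TEXT, keydata TEXT)")
    conn.executemany(
        "INSERT INTO keycache VALUES (?, ?, ?)",
        [("https://issuer-a.example", "k1", "PUBKEY-A"),
         ("https://issuer-b.example", "k2", "PUBKEY-B")],
    )
    return conn


def lookup_vulnerable(conn, issuer, key_id):
    # The pattern the advisory describes: caller-supplied values are formatted
    # straight into the statement text, so SQLite parses them as SQL.
    query = ("SELECT keydata FROM keycache "
             "WHERE issuer = '{}' AND key_id = '{}'").format(issuer, key_id)
    return sorted(row[0] for row in conn.execute(query))


def lookup_fixed(conn, issuer, key_id):
    # Parameter binding: the driver sends the values separately from the
    # statement, so quotes or keywords inside them are only ever data.
    query = "SELECT keydata FROM keycache WHERE issuer = ? AND key_id = ?"
    return sorted(row[0] for row in conn.execute(query, (issuer, key_id)))
```

With a well-formed issuer and key_id both functions return the same single row; with a value containing a quote and an OR clause, the formatted version returns every cached key while the bound version returns nothing, which is the behaviour a regression test for this fix should pin down.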
Affected Systems
All releases of SciTokens prior to version 1.9.6 contain the vulnerable KeyCache. Any deployment that uses the library to process externally supplied issuer or key_id values is at risk. The flaw exists regardless of the host operating system or overall software stack, provided a local SQLite database is employed. Updating to version 1.9.6 adds the missing parameterization and eliminates the injection surface.
Risk and Exploitability
The CVSS score of 9.8 classifies this flaw as critical, indicating a high potential impact if exploited. The EPSS score is below 1 %, suggesting that actual exploitation is not yet widespread, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The flaw can be triggered remotely by submitting a crafted issuer or key_id, requiring no special privileges on the host. Once triggered, it lets an attacker execute arbitrary SQL against the SQLite database, jeopardizing data confidentiality, integrity, and the authentication logic of dependent applications.