CVE-2026-32716

Published: Mar 31, 2026Modified: Apr 3, 2026

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the Enforcer incorrectly validates scope paths by using a simple prefix match (startswith). This allows a token with access to a specific path (e.g., /john) to also access sibling paths that start with the same prefix (e.g., /johnathan, /johnny), which is an Authorization Bypass. This issue has been patched in version 1.9.6.

Affected (1)

Products: Scitokens: Scitokens Library

1 product

Scitokens Library

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Scitokens Scitokens Library	Before 1.9.6

Related CWEs

Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

References (3)

https://github.com/scitokens/scitokens/commit/7a237c0f642efb9e8c36ac564b745895cca83583

Source: security-advisories@github.com

Patch

https://github.com/scitokens/scitokens/releases/tag/v1.9.6

Source: security-advisories@github.com

Release Notes

https://github.com/scitokens/scitokens/security/advisories/GHSA-w8fp-g9rh-34jh

Source: security-advisories@github.com

ExploitVendor Advisory

Timeline

No history available yet.