← Back

CVE-2026-32725

nvd nist
Published: Mar 31, 2026Modified: Apr 13, 2026

JSON object

Loading...
8.3
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Exploitability: 2.8 / Impact: 5.5
Source: security-advisories@github.com (Secondary)

Description

SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass when processing path-based scopes in tokens. The library normalizes the scope path from the token before authorization and collapses ".." path components instead of rejecting them. As a result, an attacker can use parent-directory traversal in the scope claim to broaden the effective authorization beyond the intended directory. This issue has been patched in version 1.4.1.

Affected (1)

Scitokens
1 product
Scitokens Cpp Library
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Scitokens Cpp Library
Before 1.4.1

Related CWEs

CWE-23
Relative Path Traversal
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

References (2)

Source: security-advisories@github.com
Patch
Source: security-advisories@github.com
ExploitVendor Advisory

Timeline

No history available yet.