Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the Enforcer incorrectly validates scope paths by using a simple prefix match (startswith). This allows a token with access to a specific path (e.g., /john) to also access sibling paths that start with the same prefix (e.g., /johnathan, /johnny), which is an Authorization Bypass. This issue has been patched in version 1.9.6.
AnalysisAI
Authorization bypass in SciTokens library (versions prior to 1.9.6) allows authenticated users with valid tokens scoped to specific paths to access unintended sibling paths through flawed prefix-matching validation logic. An attacker with a token for '/john' can access '/johnathan' or '/johnny' due to incorrect string prefix validation in the Enforcer component, enabling unauthorized data access and modification (CVSS 8.1, High integrity/confidentiality impact). No public exploit identified at time of analysis, though the vulnerability is straightforward to exploit with valid credentials (EPSS data not provided, CVSS complexity rated Low).
Technical ContextAI
SciTokens is an authentication and authorization library used in distributed scientific computing environments to manage access control via JWT-based tokens with scope claims. The vulnerability resides in the Enforcer component's path validation logic, which implements authorization checks for file system or resource paths. The flawed implementation uses a simple string prefix match (Python's startswith or equivalent) rather than proper path-boundary validation. This represents CWE-285 (Improper Authorization), where the access control mechanism fails to correctly verify whether a subject should have access to a resource. Proper path validation requires checking for path delimiters to ensure '/john' matches only '/john/*' and not '/johnathan'. The affected component is the core scitokens Python library (CPE: cpe:2.3:a:scitokens:scitokens), which is integrated into scientific computing infrastructure including HTCondor, XRootD, and distributed storage systems.
RemediationAI
Upgrade the SciTokens library to version 1.9.6 or later, which contains the vendor-released patch addressing the path validation logic flaw. The fix is implemented in commit 7a237c0f642efb9e8c36ac564b745895cca83583 (https://github.com/scitokens/scitokens/commit/7a237c0f642efb9e8c36ac564b745895cca83583) and included in the v1.9.6 release (https://github.com/scitokens/scitokens/releases/tag/v1.9.6). For Python environments, update via package manager (pip install --upgrade scitokens>=1.9.6). If immediate patching is not feasible, implement additional authorization checks at the application layer to validate path boundaries using normalized path comparison rather than relying solely on SciTokens Enforcer validation. Audit existing token scopes and access logs for potential exploitation patterns where users accessed resources outside their intended scope paths. Review and tighten token scope definitions to minimize overlap in path prefixes during the remediation window.
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17294
GHSA-w8fp-g9rh-34jh