Skip to main content

Scitokens CVE-2026-32716

| EUVDEUVD-2026-17294 HIGH
Improper Authorization (CWE-285)
2026-03-31 GitHub_M GHSA-w8fp-g9rh-34jh
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
SUSE
HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
Patch released
Apr 01, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Mar 31, 2026 - 02:30 euvd
EUVD-2026-17294
Analysis Generated
Mar 31, 2026 - 02:30 vuln.today
CVE Published
Mar 31, 2026 - 01:31 nvd
HIGH 8.1

DescriptionGitHub Advisory

SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the Enforcer incorrectly validates scope paths by using a simple prefix match (startswith). This allows a token with access to a specific path (e.g., /john) to also access sibling paths that start with the same prefix (e.g., /johnathan, /johnny), which is an Authorization Bypass. This issue has been patched in version 1.9.6.

AnalysisAI

Authorization bypass in SciTokens library (versions prior to 1.9.6) allows authenticated users with valid tokens scoped to specific paths to access unintended sibling paths through flawed prefix-matching validation logic. An attacker with a token for '/john' can access '/johnathan' or '/johnny' due to incorrect string prefix validation in the Enforcer component, enabling unauthorized data access and modification (CVSS 8.1, High integrity/confidentiality impact). No public exploit identified at time of analysis, though the vulnerability is straightforward to exploit with valid credentials (EPSS data not provided, CVSS complexity rated Low).

Technical ContextAI

SciTokens is an authentication and authorization library used in distributed scientific computing environments to manage access control via JWT-based tokens with scope claims. The vulnerability resides in the Enforcer component's path validation logic, which implements authorization checks for file system or resource paths. The flawed implementation uses a simple string prefix match (Python's startswith or equivalent) rather than proper path-boundary validation. This represents CWE-285 (Improper Authorization), where the access control mechanism fails to correctly verify whether a subject should have access to a resource. Proper path validation requires checking for path delimiters to ensure '/john' matches only '/john/*' and not '/johnathan'. The affected component is the core scitokens Python library (CPE: cpe:2.3:a:scitokens:scitokens), which is integrated into scientific computing infrastructure including HTCondor, XRootD, and distributed storage systems.

RemediationAI

Upgrade the SciTokens library to version 1.9.6 or later, which contains the vendor-released patch addressing the path validation logic flaw. The fix is implemented in commit 7a237c0f642efb9e8c36ac564b745895cca83583 (https://github.com/scitokens/scitokens/commit/7a237c0f642efb9e8c36ac564b745895cca83583) and included in the v1.9.6 release (https://github.com/scitokens/scitokens/releases/tag/v1.9.6). For Python environments, update via package manager (pip install --upgrade scitokens>=1.9.6). If immediate patching is not feasible, implement additional authorization checks at the application layer to validate path boundaries using normalized path comparison rather than relying solely on SciTokens Enforcer validation. Audit existing token scopes and access logs for potential exploitation patterns where users accessed resources outside their intended scope paths. Review and tighten token scope definitions to minimize overlap in path prefixes during the remediation window.

Vendor StatusVendor

SUSE

Severity: High

Share

CVE-2026-32716 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy