Skip to main content

Suse CVE-2026-32726

| EUVDEUVD-2026-17563 HIGH
Incorrect Authorization (CWE-863)
2026-03-31 GitHub_M
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
SUSE
HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:10 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.4.1
EUVD ID Assigned
Mar 31, 2026 - 17:45 euvd
EUVD-2026-17563
Analysis Generated
Mar 31, 2026 - 17:45 vuln.today
CVE Published
Mar 31, 2026 - 17:01 nvd
HIGH 8.1

DescriptionGitHub Advisory

SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass in path-based scope validation. The enforcer used a simple string-prefix comparison when checking whether a requested resource path was covered by a token's authorized scope path. Because the check did not require a path-segment boundary, a token scoped to one path could incorrectly authorize access to sibling paths that merely started with the same prefix. This issue has been patched in version 1.4.1.

AnalysisAI

Authorization bypass in SciTokens C++ library (versions prior to 1.4.1) allows authenticated attackers to access unauthorized filesystem paths via flawed scope validation. The library's path-prefix matching does not enforce path-segment boundaries, enabling a token scoped to '/data/project1' to incorrectly authorize access to '/data/project10' or '/data/project1-backup'. CVSS 8.1 (High) reflects the significant confidentiality and integrity impact, though exploitation requires low-privilege authenticated access (PR:L). No public exploit identified at time of analysis, with EPSS data not available for recent CVE. Vendor-released patch available in version 1.4.1.

Technical ContextAI

SciTokens C++ is a lightweight authorization library implementing the SciTokens bearer token framework, commonly used in scientific computing and distributed data systems for path-based access control. The vulnerability stems from CWE-863 (Incorrect Authorization) where the enforcer's scope validation logic performs naive string-prefix matching without respecting filesystem path boundaries. When validating whether a requested resource path falls within a token's authorized scope, the code checks if the requested path starts with the scope path string but fails to ensure the match occurs at a directory separator. This implementation flaw violates the principle of least privilege in path-based authorization systems. The affected component is scitokens-cpp library (CPE 2.3:a:scitokens:scitokens-cpp:*) across all versions preceding 1.4.1, impacting any application or service relying on this library for token-based path authorization in scientific data repositories, high-performance computing environments, or distributed storage systems.

RemediationAI

Organizations must upgrade scitokens-cpp to version 1.4.1 or later, which addresses the path-prefix validation flaw by enforcing path-segment boundary checks during scope comparison. The fix is implemented in upstream commit decfe2f00cb9cabbf1e17a3bb2cd4ea1bbbd8a73 (https://github.com/scitokens/scitokens-cpp/commit/decfe2f00cb9cabbf1e17a3bb2cd4ea1bbbd8a73). For applications using scitokens-cpp as a dependency, update package manifests (CMake configurations, package.json equivalents, or distribution package managers) to require version 1.4.1 minimum, then rebuild and redeploy affected services. Verify the patched version through package metadata or library version queries post-deployment. If immediate patching is not feasible, implement temporary compensating controls: enforce additional authorization checks at the application layer that validate full path matches rather than relying solely on SciTokens scope enforcement, implement strict path canonicalization to prevent traversal attempts, and audit existing tokens to ensure scope paths are sufficiently specific to prevent overlap with sensitive sibling directories. Review access logs for anomalous path requests that may indicate exploitation attempts (requests to paths outside expected scope but sharing prefixes with authorized paths). Consult the GitHub security advisory (GHSA-q5fm-fgvx-32jq) for additional vendor guidance and coordinate with security teams in scientific computing consortia if using shared infrastructure.

Vendor StatusVendor

SUSE

Severity: High

Share

CVE-2026-32726 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy