Skip to main content

Scitokens EUVDEUVD-2026-17292

| CVE-2026-32727 HIGH
Path Traversal (CWE-22)
2026-03-31 GitHub_M GHSA-3x2w-63fp-3qvw
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
SUSE
HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
Patch released
Apr 01, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Mar 31, 2026 - 02:30 euvd
EUVD-2026-17292
Analysis Generated
Mar 31, 2026 - 02:30 vuln.today
CVE Published
Mar 31, 2026 - 01:31 nvd
HIGH 8.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 179 pypi packages depend on scitokens (7 direct, 174 indirect)

Ecosystem-wide dependent count for version 1.9.7.

DescriptionGitHub Advisory

SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.7, the Enforcer is vulnerable to a path traversal attack where an attacker can use dot-dot (..) in the scope claim of a token to escape the intended directory restriction. This occurs because the library normalizes both the authorized path (from the token) and the requested path (from the application) before comparing them using startswith. This issue has been patched in version 1.9.7.

AnalysisAI

Path traversal in SciTokens library (all versions before 1.9.7) allows authenticated attackers to bypass directory access restrictions and access unauthorized files. Attackers can inject dot-dot-slash sequences (..) into JWT scope claims to escape intended authorization boundaries due to improper path normalization during enforcement checks. CVSS 8.1 (High) with network attack vector and low complexity. EPSS data not available; no confirmed active exploitation (CISA KEV) identified at time of analysis, though publicly available exploit code exists via GitHub advisory and commit references.

Technical ContextAI

SciTokens is a token-based authorization library commonly used in scientific computing and distributed data systems for fine-grained access control to files and resources. The Enforcer component validates JWT tokens containing scope claims that specify authorized paths (e.g., 'read:/data/project1'). The vulnerability (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) arises from the library's path comparison logic: both the authorized path extracted from the token's scope claim and the application-requested path undergo normalization before a simple 'startswith' comparison. An attacker with valid credentials (PR:L in CVSS vector) can craft a token with scope claims containing path traversal sequences like 'read:/data/project1/../../sensitive' which, after normalization, can match or bypass the intended directory prefix check, granting access to files outside the authorized scope. The affected product is identified as cpe:2.3:a:scitokens:scitokens:*:*:*:*:*:*:*:* covering all versions prior to the patched release.

RemediationAI

Upgrade to SciTokens version 1.9.7 or later immediately, as confirmed by the vendor release announcement at https://github.com/scitokens/scitokens/releases/tag/v1.9.7. The patch in commit 2d1cc9e42bc944fe0bbc429b85d166e7156d53f9 (available at https://github.com/scitokens/scitokens/commit/2d1cc9e42bc944fe0bbc429b85d166e7156d53f9) implements proper path validation that prevents traversal sequences from bypassing directory restrictions. Organizations should audit all deployments using SciTokens for authorization, prioritizing internet-facing services and those protecting sensitive data. Review issued tokens for suspicious scope claims containing dot-dot sequences as potential indicators of exploitation attempts. If immediate upgrade is not feasible, implement additional input validation at the application layer to reject tokens with non-normalized paths or traversal sequences in scope claims, though this workaround is inferior to applying the vendor patch. Consult the GitHub security advisory at https://github.com/scitokens/scitokens/security/advisories/GHSA-3x2w-63fp-3qvw and pull request #230 at https://github.com/scitokens/scitokens/pull/230 for additional technical context.

Vendor StatusVendor

SUSE

Severity: High

Share

EUVD-2026-17292 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy