EUVD-2026-17294
GHSA-w8fp-g9rh-34jh
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
4Description
SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the Enforcer incorrectly validates scope paths by using a simple prefix match (startswith). This allows a token with access to a specific path (e.g., /john) to also access sibling paths that start with the same prefix (e.g., /johnathan, /johnny), which is an Authorization Bypass. This issue has been patched in version 1.9.6.
Analysis
Authorization bypass in SciTokens library (versions prior to 1.9.6) allows authenticated users with valid tokens scoped to specific paths to access unintended sibling paths through flawed prefix-matching validation logic. An attacker with a token for '/john' can access '/johnathan' or '/johnny' due to incorrect string prefix validation in the Enforcer component, enabling unauthorized data access and modification (CVSS 8.1, High integrity/confidentiality impact). …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all deployed SciTokens versions in production via software inventory and dependency scanning (check requirements.txt, package-lock.json, and pip list across all systems). Within 7 days: Isolate systems running SciTokens versions prior to 1.9.6 from production traffic or restrict token scope to single-path resources where feasible as interim control. …
Sign in for detailed remediation steps.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today