Description
SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass in path-based scope validation. The enforcer used a simple string-prefix comparison when checking whether a requested resource path was covered by a token's authorized scope path. Because the check did not require a path-segment boundary, a token scoped to one path could incorrectly authorize access to sibling paths that merely started with the same prefix. This issue has been patched in version 1.4.1.
Published: 2026-03-31
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Authorization bypass via path prefix comparison
Action: Immediate Patch
AI Analysis

Impact

SciTokens C++ validates token scopes by comparing requested resource paths to the authorized scope using a simple string-prefix check. Because the comparison does not enforce a full path segment boundary, a token that is limited to a specific path can incorrectly be granted access to sibling paths that begin with the same prefix. This allows an attacker who possesses a scoped token to request and receive resources outside its legitimate scope, leading to unauthorized data access.
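As an added illustration of the flaw class described above (this is not scitokens-cpp's own code, and the function names and sample paths are constructed for this example), the following C++ places a plain prefix comparison next to a check that requires the match to end on a path-segment boundary:

```cpp
#include <iostream>
#include <string_view>

// Hypothetical version of the flawed check: a bare string-prefix comparison.
// "/data/alice" is a prefix of "/data/alice2", so the sibling path passes.
bool covered_prefix_only(std::string_view scope_path, std::string_view resource_path) {
    return resource_path.substr(0, scope_path.size()) == scope_path;
}

// Corrected check: the scope path must match a whole number of path segments.
// After the common prefix, the resource path must either end or continue with '/'.
bool covered_segment_boundary(std::string_view scope_path, std::string_view resource_path) {
    // Treat "/data/alice/" and "/data/alice" as the same scope (keep a lone "/").
    while (scope_path.size() > 1 && scope_path.back() == '/') {
        scope_path.remove_suffix(1);
    }
    if (resource_path.size() < scope_path.size()) {
        return false;                       // resource is shorter than the scope
    }
    if (resource_path.substr(0, scope_path.size()) != scope_path) {
        return false;                       // not even a prefix match
    }
    if (resource_path.size() == scope_path.size()) {
        return true;                        // exact match of the scoped path
    }
    if (scope_path == "/") {
        return true;                        // root scope covers every path
    }
    // The character right after the prefix decides: '/' means a child path,
    // anything else (e.g. '2' in "/data/alice2") means a sibling path.
    return resource_path[scope_path.size()] == '/';
}

int main() {
    // Constructed test cases: scope path, requested resource path.
    struct Case { const char* scope; const char* resource; };
    const Case cases[] = {
        {"/data/alice", "/data/alice"},
        {"/data/alice", "/data/alice/report.txt"},
        {"/data/alice", "/data/alice2"},            // sibling: must be denied
        {"/data/alice", "/data/alice2/secret.txt"}, // sibling child: must be denied
        {"/data/alice/", "/data/alice/report.txt"},
        {"/", "/data/alice"},
    };
    for (const Case& c : cases) {
        std::cout << c.scope << " vs " << c.resource
                  << "  prefix-only=" << covered_prefix_only(c.scope, c.resource)
                  << "  segment-boundary=" << covered_segment_boundary(c.scope, c.resource)
                  << '\n';
    }
    return 0;
}
```

The boundary check assumes the resource path has already been normalized (duplicate slashes collapsed, `.` and `..` segments resolved); an enforcer that compares unnormalized input can still be bypassed even with the segment-boundary rule in place.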

Affected Systems

All releases of the SciTokens C++ library published before version 1.4.1 are affected. The library is known as scitokens:scitokens-cpp. Versions 1.4.1 and later include a fix that enforces proper path segment boundaries and no longer suffer from the bypass.

Risk and Exploitability

The vulnerability carries a high severity score of 8.1, indicating a significant impact. Exploitation requires only a legitimately scoped token and does not need additional system compromise. While the probability of exploitation is currently considered low, the potential for unauthorized data access warrants prompt remediation. The issue is not listed in the known exploited vulnerability catalog.

Generated by OpenCVE AI on April 13, 2026 at 20:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SciTokens C++ to version 1.4.1 or later

Tracking

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 17:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Scitokens scitokens Cpp Library
CPEs                                   cpe:2.3:a:scitokens:scitokens_cpp_library:*:*:*:*:*:*:*:*
Vendors & Products                     Scitokens scitokens Cpp Library

Wed, 01 Apr 2026 02:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Scitokens
                                       Scitokens scitokens-cpp
Vendors & Products                     Scitokens
                                       Scitokens scitokens-cpp

Tue, 31 Mar 2026 19:15:00 +0000

Type        Values Removed   Values Added
Metrics                      ssvc
                             {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 17:30:00 +0000

Type          Values Removed   Values Added
Description                    SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass in path-based scope validation. The enforcer used a simple string-prefix comparison when checking whether a requested resource path was covered by a token's authorized scope path. Because the check did not require a path-segment boundary, a token scoped to one path could incorrectly authorize access to sibling paths that merely started with the same prefix. This issue has been patched in version 1.4.1.
Title                          SciTokens C++: Sibling-Path Authorization Bypass
Weaknesses                     CWE-863
References
Metrics                        cvssV3_1
                               {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T19:09:02.060Z

Reserved: 2026-03-13T15:02:00.625Z

Link: CVE-2026-32726

Vulnrichment

Updated: 2026-03-31T19:04:22.171Z

NVD

Status : Analyzed

Published: 2026-03-31T18:16:50.997

Modified: 2026-04-13T17:03:28.610

Link: CVE-2026-32726

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:42:21Z

Weaknesses