Description
SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.7, the Enforcer is vulnerable to a path traversal attack where an attacker can use dot-dot (..) in the scope claim of a token to escape the intended directory restriction. This occurs because the library normalizes both the authorized path (from the token) and the requested path (from the application) before comparing them using startswith. This issue has been patched in version 1.9.7.
Published: 2026-03-31
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass via Path Traversal
Action: Immediate Patch
AI Analysis

Impact

This vulnerability involves a path traversal flaw in the scope validation logic of the SciTokens library. When the library normalizes the path specified in a token's scope claim and the path requested by the application, it then compares them using a simple startswith check. An attacker can embed the sequence ".." in the scope claim to escape the intended directory restriction. As a result, the library incorrectly allows access to resources outside the authorized directory, effectively bypassing the prescribed authorization controls.

Affected Systems

The flaw affects the SciTokens reference library, specifically all releases prior to version 1.9.7. Users incorporating this library into their services or applications are at risk unless the library has been upgraded. Any deployment that relies on the older versions should identify where the library is used and assess the potential for unauthorized file access beyond the intended scope.

Risk and Exploitability

The CVSS score of 8.1 classifies this as a high‑severity vulnerability. EPSS indicates an exploration probability of less than 1 %, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves the issuance or manipulation of authorization tokens containing a crafted scope claim. If an attacker can obtain or forge such a token, they may gain unauthorized access to resources beyond the intended directory restriction.

Generated by OpenCVE AI on April 3, 2026 at 20:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the SciTokens library to version 1.9.7 or later.

Generated by OpenCVE AI on April 3, 2026 at 20:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3x2w-63fp-3qvw SciTokens has an Authorization Bypass via Path Traversal in Scope Validation
History

Fri, 03 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Scitokens scitokens Library
CPEs cpe:2.3:a:scitokens:scitokens_library:*:*:*:*:*:*:*:*
Vendors & Products Scitokens scitokens Library

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Scitokens
Scitokens scitokens
Vendors & Products Scitokens
Scitokens scitokens

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Description SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.7, the Enforcer is vulnerable to a path traversal attack where an attacker can use dot-dot (..) in the scope claim of a token to escape the intended directory restriction. This occurs because the library normalizes both the authorized path (from the token) and the requested path (from the application) before comparing them using startswith. This issue has been patched in version 1.9.7.
Title SciTokens: Authorization Bypass via Path Traversal in Scope Validation
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Scitokens Scitokens Scitokens Library
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T14:48:02.376Z

Reserved: 2026-03-13T15:02:00.626Z

Link: CVE-2026-32727

cve-icon Vulnrichment

Updated: 2026-04-02T14:47:58.128Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T03:15:57.340

Modified: 2026-04-03T17:26:41.500

Link: CVE-2026-32727

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T21:17:49Z

Weaknesses