CVE-2026-32716
Authorization Bypass in SciTokens Enforcer via Scope Path Validation
Publication date: 2026-03-31
Last updated on: 2026-04-03
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| scitokens | scitokens_library | < 1.9.6 (fixed in 1.9.6) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the SciTokens Python library occurs because the Enforcer component checks whether a requested path falls under a token's scope path with a plain string prefix test (startswith) rather than a path-segment comparison.
As a result, a token whose scope authorizes a specific path (e.g., read:/john) also satisfies the check for any path that merely begins with the same characters (e.g., /johnathan, /johnny), even though those are unrelated sibling directories rather than children of /john.
This is an authorization bypass (CWE-285): the scope is present and correctly signed, but the comparison that decides whether it covers the requested resource is too loose.
The problem was fixed in version 1.9.6, which replaces the prefix test with matching on whole path segments, so that /john covers only /john itself and paths beneath /john/.
How can this vulnerability impact me?
This vulnerability can allow holders of a validly issued token to access resources the token was never meant to cover.
For example, a user with a token scoped to the directory /john could also read from or write to sibling directories such as /johnathan or /johnny, potentially exposing other users' data or allowing unauthorized modification.
This is particularly serious in environments where usernames correspond to top-level directories in shared storage, because any username that is a string prefix of another username (john and johnathan) becomes a path to that user's data.
The vulnerability has a high severity rating with a CVSS v3 base score of 8.1, reflecting a high impact on confidentiality and integrity.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Because the flaw is in the consuming library rather than in the tokens themselves, start with an inventory: any service that uses the scitokens Python library below 1.9.6 to authorize path access is affected. On each host, `pip show scitokens` or `python -c "import importlib.metadata as m; print(m.version('scitokens'))"` reports the installed version.
To confirm the behaviour functionally, issue a test token with scope read:/john and ask the Enforcer to authorize /john/file (legitimate), then /johnathan and /johnny (both illegitimate, since they are siblings of /john rather than children). If either sibling path is granted, the vulnerable prefix check is in use.
The same probe can be driven through the Enforcer's test() method in a short script, or end to end by presenting the token to the storage service and requesting the sibling paths; the second form also catches services that wrap the library in their own path handling.
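The following is an added example written for this page; it is not code from the scitokens library or its advisory. It serves both the explanation of the bug above and the detection question: `vulnerable_scope_allows` reproduces the plain prefix comparison the page describes, `hardened_scope_allows` shows the kind of segment-boundary check that the fix is described as introducing (an illustration, not the upstream patch), and `find_bypasses` runs a constructed probe set (a token holding read:/john against legitimate and sibling paths) through each matcher and reports which sibling paths were wrongly granted. The helper names, the probe paths and the treatment of a scope with no path as "/" are all assumptions of this example.

```python
"""Toy reproduction of the SciTokens scope-path matching flaw and a boundary-aware fix.

Constructed example for this page; not the scitokens library's own code.
"""
import posixpath
from typing import Callable, List, Tuple

PathCheck = Callable[[str, str], bool]


def vulnerable_scope_allows(scope_path: str, requested_path: str) -> bool:
    """Plain prefix test: the behaviour the advisory attributes to Enforcer before 1.9.6."""
    return requested_path.startswith(scope_path)


def normalize_path(path: str) -> str:
    """Collapse '.', '..', '//' and trailing slashes so scope and request compare by segment.

    Leading slashes are stripped before normpath() because POSIX normpath preserves an
    initial '//' and would otherwise treat '//john' and '/john' as different trees.
    """
    return posixpath.normpath("/" + path.lstrip("/"))


def hardened_scope_allows(scope_path: str, requested_path: str) -> bool:
    """Grant only if the request is the scoped directory itself or lies beneath it.

    Comparison is on whole path segments: '/john' authorises '/john' and '/john/...',
    never '/johnathan'. This is the kind of boundary check the page describes as the fix,
    not a copy of the upstream patch.
    """
    scope = normalize_path(scope_path)
    request = normalize_path(requested_path)
    if scope == "/":                      # a root scope covers the whole tree
        return True
    return request == scope or request.startswith(scope + "/")


def parse_scope(scope: str) -> Tuple[str, str]:
    """Split a SciTokens 'authz:/path' scope; a bare 'authz' is treated as '/' here (assumption)."""
    authz, sep, path = scope.partition(":")
    return authz, (path if sep else "/")


def enforce(check: PathCheck, token_scopes: List[str], authz: str, path: str) -> bool:
    """Mimic an enforcer decision: any scope with matching authz and covering path grants access."""
    for scope in token_scopes:
        scope_authz, scope_path = parse_scope(scope)
        if scope_authz == authz and check(scope_path, path):
            return True
    return False


# Constructed probe set for a token holding read:/john (not real data).
PROBE_SCOPES = ["read:/john"]
LEGITIMATE = ["/john", "/john/", "/john/file", "/john/sub/dir/file.txt"]
ILLEGITIMATE = ["/johnathan", "/johnny", "/johnathan/file", "/johnx", "/john/../johnny"]


def find_bypasses(check: PathCheck) -> List[str]:
    """Return the sibling paths a matcher wrongly grants; an empty list means the check is sound."""
    for path in LEGITIMATE:
        assert enforce(check, PROBE_SCOPES, "read", path), f"legitimate path denied: {path}"
    return [p for p in ILLEGITIMATE if enforce(check, PROBE_SCOPES, "read", p)]


if __name__ == "__main__":
    for name, check in (("startswith", vulnerable_scope_allows),
                        ("segment-aware", hardened_scope_allows)):
        print(f"{name:14s} wrongly grants: {find_bypasses(check)}")
```

Running the script shows the prefix matcher granting every sibling path in the probe set while the segment-aware matcher grants none; the same probe paths are what to send against a real deployment. The normalization step matters in the hardened check because a naive `startswith(scope + "/")` alone would still let `/john/../johnny` through if the service resolves `..` after the authorization decision.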
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthorized access to resources by bypassing proper authorization checks, which can lead to exposure of sensitive data.
Such unauthorized access could potentially violate compliance requirements in standards and regulations like GDPR and HIPAA, which mandate strict access controls and protection of personal and sensitive information.
Because the vulnerability permits users to access data belonging to others with similar path prefixes, it increases the risk of data breaches and unauthorized disclosure.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade the scitokens library to version 1.9.6 or later on every service that uses it to authorize path access; the fix replaces the simplistic prefix match with matching on whole path segments.
Note that the flaw lives in the token consumer, so the issuer cannot fully close it by changing what it signs. Until the upgrade is applied, avoid issuing tokens whose scope path is a string prefix of another principal's directory (rarely practical where usernames are directory names), have the calling service re-check that the requested path equals the scope path or starts with it followed by a slash before acting, and monitor access logs for requests to sibling directories made with tokens scoped to a neighbouring path.