CVE-2026-32725
Authorization Bypass via Path Traversal in SciTokens-C++ Prior to
Publication date: 2026-03-31
Last updated on: 2026-04-13
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| scitokens | scitokens_cpp_library | all versions before 1.4.1 (1.4.1 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-23 | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32725 is a high-severity vulnerability in the scitokens-cpp library in versions before 1.4.1. A SciToken carries its permissions as path-based scopes (for example `read:/home/user1`), and an enforcer grants a request when the requested path falls under the scope's path. Affected versions normalize the scope path by collapsing parent-directory components ("..") the way a filesystem path would be resolved, instead of rejecting them. A token whose scope claim contains ".." segments therefore escapes the directory the issuer intended to grant and confers broader access than was authorized.
- For example, a token with scope `read:/home/user1/..` normalizes to `/home`, which covers `/home/user2` as well.
- Similarly, a token with scope `read:/anything/..` normalizes to `/`, which covers every path under the root, such as `/etc/passwd`.
The root cause is treating token scope paths as normalizable filesystem paths rather than as untrusted authorization boundaries, and failing to reject parent-directory components during scope parsing.
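As an added example (not scitokens-cpp code and not the project's API), the following Python reproduces the two behaviours described above side by side: a scope check that collapses ".." with `posixpath.normpath` and then prefix-matches, and a hardened parser that treats any empty, "." or ".." segment as grounds for refusing the whole token. Function names, and the choice to reject scopes that carry no path, are assumptions of this example.

```python
"""Added example (not scitokens-cpp code): a path-scope authorization check that
collapses '..' the way the advisory describes, beside a hardened parser that
rejects traversal segments instead. Names are assumptions of this example."""
from __future__ import annotations

import posixpath


class InvalidScope(ValueError):
    """Raised by the hardened parser; the whole token should then be refused."""


def normalize_collapsing(path: str) -> str:
    """Vulnerable behaviour: resolve '..' as a filesystem path would.

    '/home/user1/..' becomes '/home' and '/anything/..' becomes '/'.
    """
    return posixpath.normpath("/" + path.lstrip("/"))


def covers(scope_path: str, requested: str) -> bool:
    """Prefix match on whole segments: '/home' covers '/home/user2', not '/homer'."""
    if scope_path == "/":
        return True
    scope_path = scope_path.rstrip("/")
    return requested == scope_path or requested.startswith(scope_path + "/")


def authorized_vulnerable(scope_claim: str, action: str, requested: str) -> bool:
    """Grant if any scope in the (space-separated) claim matches after collapsing."""
    for scope in scope_claim.split():
        name, _, path = scope.partition(":")
        if name == action and covers(normalize_collapsing(path), requested):
            return True
    return False


def parse_scope_hardened(scope: str) -> tuple[str, str]:
    """Treat the scope path as an authorization boundary: no normalization at all.

    Any empty, '.' or '..' segment is rejected up front. A scope without a path
    is rejected too (assumption for this example; adjust to your deployment).
    """
    name, sep, path = scope.partition(":")
    if not sep or not path.startswith("/"):
        raise InvalidScope(f"scope must carry an absolute path: {scope!r}")
    if path != "/":
        for segment in path.rstrip("/").split("/")[1:]:
            if segment in ("", ".", ".."):
                raise InvalidScope(f"forbidden segment {segment!r} in scope {scope!r}")
    return name, path


def token_accepted(scope_claim: str) -> bool:
    """A token is usable only if every one of its scopes parses cleanly."""
    try:
        for scope in scope_claim.split():
            parse_scope_hardened(scope)
    except InvalidScope:
        return False
    return True


def authorized_hardened(scope_claim: str, action: str, requested: str) -> bool:
    """Refuse the whole token on a bad scope; otherwise prefix-match the unchanged paths."""
    if not token_accepted(scope_claim):
        return False
    return any(
        name == action and covers(path, requested)
        for name, path in map(parse_scope_hardened, scope_claim.split())
    )


if __name__ == "__main__":
    escaped = "read:/home/user1/.."
    print("vulnerable:", authorized_vulnerable(escaped, "read", "/home/user2"))  # True
    print("hardened:  ", authorized_hardened(escaped, "read", "/home/user2"))    # False
```

The hardened path never calls a normalizer: the scope string the issuer signed is compared as-is, and anything that would need collapsing is a reason to stop, not something to repair.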
How can this vulnerability impact me?
This vulnerability can allow attackers who control token scope paths to bypass intended authorization restrictions. They can access sibling directories or even the entire protected namespace beyond their authorized scope.
- It breaks tenant or user directory isolation in shared storage environments.
- Attackers can gain unauthorized access to sensitive files or data outside their permitted directories.
Overall, it leads to a serious authorization bypass that compromises confidentiality and integrity of protected resources.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detecting attempted exploitation means inspecting the scope claims of tokens presented to services that enforce them with scitokens-cpp for parent-directory traversal: a literal ".." segment, or percent-encoded forms such as %2e%2e and %252e%252e. Detecting exposure means confirming whether the installed scitokens-cpp version is older than 1.4.1, through your package manager or the version your application was built against.
Because affected versions normalize rather than reject these components, a scope claim that carries them is itself the indicator, so monitor the scopes your services receive for such patterns.
Note that the scope claim lives in the base64url-encoded payload of the JWT, so grepping raw tokens for ".." will not match; search logs that record the decoded scope, or decode the payload segment first. Against decoded scopes, a coarse first pass is:
- grep -iE '\.\.|%2e%2e|%252e%252e' /path/to/token/logs
- jq -r '.scope' tokens.json | grep -iE '\.\.|%2e%2e|%252e%252e'   (tokens.json holding decoded payloads)
These patterns also match harmless names such as `file..txt`, so confirm hits by checking whether a whole path segment equals "..". Monitoring authorization failures and unexpected access patterns (a principal reaching paths outside its usual directory) in systems using scitokens-cpp can also surface exploitation attempts.
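The scan described above, as an added example rather than code from this page or from the scitokens-cpp project: it decodes the payload of each compact JWT without verifying the signature (this is an audit, not enforcement), pulls the `scope` claim, and flags every space-separated scope whose path contains a ".." segment after up to two rounds of percent-decoding, so %2e%2e and %252e%252e are caught alongside the literal form. The same `suspicious_scopes` filter can serve as a stopgap rejection at the service. The sample tokens are constructed for the example (unsigned, placeholder signature) and the function names are assumptions.

```python
"""Added example (not scitokens-cpp code): audit decoded SciTokens for scope
claims carrying parent-directory traversal. Tokens below are constructed."""
from __future__ import annotations

import base64
import json
from urllib.parse import unquote


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(claims: dict) -> str:
    """Constructed, unsigned JWT for the example; the signature segment is a placeholder."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.sig"


def jwt_claims(token: str) -> dict:
    """Decode the payload only; signature is deliberately not checked (audit use)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(b64url_decode(parts[1]))


def traversal_in_path(path: str) -> bool:
    """True if any whole segment is '..' after up to two rounds of percent-decoding.

    'file..txt' is not flagged: only a segment that equals '..' counts.
    """
    candidate = path
    for _ in range(3):
        if any(seg == ".." for seg in candidate.split("/")):
            return True
        decoded = unquote(candidate)
        if decoded == candidate:
            break
        candidate = decoded
    return False


def suspicious_scopes(scope_claim: str) -> list[str]:
    """Return the individual (space-separated) scopes whose path part traverses."""
    flagged = []
    for scope in scope_claim.split():
        _, _, path = scope.partition(":")
        if path and traversal_in_path(path):
            flagged.append(scope)
    return flagged


def audit_tokens(tokens: list[str]) -> dict[int, list[str]]:
    """Map token index -> flagged scopes; tokens that are not JWTs are skipped."""
    findings: dict[int, list[str]] = {}
    for i, tok in enumerate(tokens):
        try:
            scope = jwt_claims(tok).get("scope", "")
        except (ValueError, json.JSONDecodeError):
            continue
        bad = suspicious_scopes(scope)
        if bad:
            findings[i] = bad
    return findings


# Constructed sample: one clean token and three carrying traversal in different encodings.
SAMPLE_TOKENS = [
    make_token({"sub": "user1", "scope": "read:/home/user1 write:/home/user1/out"}),
    make_token({"sub": "user1", "scope": "read:/home/user1/.."}),
    make_token({"sub": "user1", "scope": "read:/anything/%2e%2e"}),
    make_token({"sub": "user1", "scope": "read:/data/%252e%252e/secret"}),
]

if __name__ == "__main__":
    for index, scopes in audit_tokens(SAMPLE_TOKENS).items():
        print(f"token {index}: traversal in {scopes}")
```

Whether scitokens-cpp itself percent-decodes scope paths is not stated on this page; the decoding rounds here are a conservative audit choice so that encoded variants are surfaced for a human to judge.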
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade scitokens-cpp to version 1.4.1 or later, where this vulnerability is fixed.
The fix rejects scope paths containing parent-directory traversal components during scope parsing, before any authorization decision is made, instead of collapsing them.
If upgrading immediately is not possible, as a temporary measure, reject (do not rewrite) any token whose scope claim contains ".." segments or their percent-encoded forms, and apply that check to every space-separated scope in the claim; "sanitizing" a scope by collapsing the segments would reproduce the vulnerable normalization.
Review and monitor token issuance so that issuers never mint scopes containing traversal components, and confine issued scopes to the directories a principal is actually entitled to.
Track advisories from the scitokens-cpp maintainers and apply further updates as they are released.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in scitokens-cpp allows attackers to bypass authorization by exploiting path traversal in token scope claims, enabling unauthorized access to directories beyond intended boundaries.
This unauthorized access can lead to breaches of tenant or user directory isolation in shared storage environments, potentially exposing sensitive or protected data.
Such exposure and unauthorized access could result in non-compliance with data protection standards and regulations like GDPR or HIPAA, which require strict access controls and protection of sensitive information.
Therefore, until patched, this vulnerability poses a risk to maintaining compliance with these regulations due to the possibility of unauthorized data disclosure or modification.