Executive Summary

CVE-2026-32725 is a high-severity vulnerability in the scitokens-cpp library versions prior to 1.4.1. The issue arises from improper handling of path-based scopes in tokens used for authorization. Specifically, the library normalizes the scope path by collapsing parent-directory traversal components ("..") instead of rejecting them. This allows an attacker to use ".." segments in the token's scope claim to escape the intended directory restrictions and gain broader access than authorized.

• For example, a token with scope `read:/home/user1/..` normalizes to `/home`, allowing unauthorized access to `/home/user2`.
• Similarly, a token with scope `read:/anything/..` normalizes to `/`, granting access to all paths under the root, such as `/etc/passwd`.

The root cause is treating token scope paths as normalizable filesystem paths rather than untrusted authorization boundaries and failing to reject parent-directory traversal during scope parsing.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in scitokens-cpp allows attackers to bypass authorization by exploiting path traversal in token scope claims, enabling unauthorized access to directories beyond intended boundaries.

This unauthorized access can lead to breaches of tenant or user directory isolation in shared storage environments, potentially exposing sensitive or protected data.

Such exposure and unauthorized access could result in non-compliance with data protection standards and regulations like GDPR or HIPAA, which require strict access controls and protection of sensitive information.

Therefore, until patched, this vulnerability poses a risk to maintaining compliance with these regulations due to the possibility of unauthorized data disclosure or modification.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow attackers who control token scope paths to bypass intended authorization restrictions. They can access sibling directories or even the entire protected namespace beyond their authorized scope.

• It breaks tenant or user directory isolation in shared storage environments.
• Attackers can gain unauthorized access to sensitive files or data outside their permitted directories.

Overall, it leads to a serious authorization bypass that compromises confidentiality and integrity of protected resources.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves inspecting tokens used by the scitokens-cpp library for scope claims containing parent-directory traversal sequences such as ".." or their encoded forms (e.g., %2e%2e, %252e%252e).

Since the vulnerability arises from improper normalization of scope paths in tokens, you can detect attempts by monitoring token scopes for suspicious path traversal patterns.

Suggested commands include searching logs or token data for scope claims containing ".." or percent-encoded traversal sequences. For example, using grep on token files or logs:

• grep -E '\.\.|%2e%2e|%252e%252e' /path/to/token/logs
• jq '.scope' tokens.json | grep -E '\.\.|%2e%2e|%252e%252e'

Additionally, monitoring authorization failures or unexpected access patterns in systems using scitokens-cpp may help identify exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade the scitokens-cpp library to version 1.4.1 or later, where this vulnerability has been fixed.

The fix includes strict canonicalization of scope paths, rejecting any token scope containing parent-directory traversal components before authorization.

If upgrading immediately is not possible, as a temporary measure, you should implement input validation to reject or sanitize tokens with scope claims containing ".." or encoded traversal sequences.

Review and monitor token issuance processes to ensure that scope paths do not include unauthorized traversal components.

Finally, apply any patches or updates provided by the scitokens-cpp maintainers as soon as they become available.

Useful 0 Not Useful 0