CVE-2026-32726
Authorization Bypass in SciTokens-C++ Path Scope Validation
Publication date: 2026-03-31
Last updated on: 2026-04-13
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| scitokens | scitokens_cpp_library | to 1.4.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32726 is an authorization bypass vulnerability in the SciTokens C++ library (scitokens-cpp) prior to version 1.4.1. The issue arises because the enforcer component used a simple string-prefix comparison to check if a requested resource path was covered by a token's authorized scope path. This check did not enforce path-segment boundaries, meaning a token scoped to a path like "/john" could incorrectly authorize access to sibling or similarly prefixed paths such as "/johnathan" or "/johnny".
The vulnerability occurs because the authorization logic treated path coverage as a raw byte-prefix match rather than verifying that the next character after the authorized prefix is a path separator ('/'). This flaw allowed unauthorized access to adjacent sibling namespaces.
The issue was fixed in version 1.4.1 by replacing the naive prefix matching with a path-segment-aware matching function that authorizes access only if the requested path exactly matches the authorized path, is the root scope "/", or is a true descendant path where the next character after the prefix is "/".
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized access to resources outside the intended scope of a token. Specifically, an attacker or user holding a token scoped to a particular path could gain access to sibling or similarly prefixed paths that they should not be authorized to access.
In multi-tenant or shared storage environments, this means that one user could potentially access another user's data or resources by exploiting the flawed path validation logic.
The impact includes high confidentiality and integrity risks, as unauthorized users could read or modify data they are not permitted to access. The vulnerability does not affect availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves verifying whether the SciTokens C++ Enforcer component improperly authorizes access to sibling paths due to naive prefix matching in scope validation.
Specifically, you can test if tokens scoped to a path like "/john" incorrectly allow access to sibling paths such as "/johnathan" or "/johnny".
Since the vulnerability is in the path-based scope validation logic, detection can be performed by attempting to access sibling or similarly prefixed paths using tokens scoped to a specific path and observing if access is granted.
There are no explicit commands provided in the resources, but a practical approach is to use your application or service that uses scitokens-cpp to request access to sibling paths with a token scoped to a specific path and check if access is incorrectly allowed.
For example, you might run tests or scripts that attempt to access paths like "/johnathan" or "/johnny" using a token scoped to "/john" and verify if access is denied or granted.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the scitokens-cpp library to version 1.4.1 or later, where the vulnerability has been patched.
The patch replaces the unsafe substring prefix checks with a path-segment-aware matching function that enforces strict path boundaries, preventing unauthorized access to sibling paths.
If upgrading immediately is not possible, you should audit and restrict token scopes carefully to minimize exposure and avoid relying on naive prefix matching for authorization.
Additionally, review your access control policies and consider implementing additional checks to ensure tokens cannot be used to access sibling or unauthorized paths.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows an authorization bypass in path-based scope validation, which can lead to unauthorized access to sibling paths that share the same prefix as an authorized path. In multi-tenant or shared storage environments, this means an attacker with a token scoped to a specific path could gain access to adjacent sibling namespaces, potentially exposing other users' or tenants' data.
Such unauthorized access could result in violations of data protection regulations and standards like GDPR or HIPAA, which require strict access controls to protect sensitive personal or health information. The failure to enforce proper authorization boundaries increases the risk of data breaches and unauthorized disclosure, thereby negatively impacting compliance with these regulations.