CVE-2026-32727
Path Traversal in SciTokens Enforcer Allows Directory Escape
Publication date: 2026-03-31
Last updated on: 2026-04-03
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| scitokens | scitokens_library | to 1.9.7 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32727 is a high-severity vulnerability in the SciTokens library, specifically in its Enforcer component before version 1.9.7. The issue is a path traversal attack where an attacker can use dot-dot ("..") sequences in the scope claim of a token to escape the intended directory restrictions.
The vulnerability occurs because the Enforcer normalizes both the authorized path (from the token's scope claim) and the requested path before comparing them using a startswith check. This normalization resolves relative path segments, allowing an attacker to craft a scope like `read:/home/user1/..` which normalizes to `/home`. As a result, access checks incorrectly grant access to directories outside the intended scope.
Additionally, URL-encoded traversal sequences (like `%2e%2e`) are also decoded and normalized, enabling attackers to bypass naive string filters. This can lead to unauthorized access to sensitive files and directories, such as `/etc/passwd`.
How can this vulnerability impact me? :
This vulnerability allows low-privilege remote attackers to bypass directory restrictions and gain unauthorized access to files and directories outside their intended scope.
- Confidentiality Impact: Attackers can access sensitive files and data they should not have permission to view.
- Integrity Impact: Attackers may gain unauthorized access that could lead to modification or misuse of data.
- The attack complexity is low and requires no user interaction, making it easier for attackers to exploit remotely.
Overall, this can lead to serious security breaches, including exposure of sensitive information and potential compromise of system integrity.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability can be detected by testing tokens with scope claims containing path traversal sequences such as ".." or their URL-encoded equivalents (e.g., "%2e%2e") to see if unauthorized access is granted outside the intended directory.
Specifically, the scitokens Enforcer's `test` method can be used to verify if tokens with malicious scopes bypass directory restrictions. If the test method returns true for tokens with traversal sequences, the system is vulnerable.
While no explicit command-line commands are provided, the recommended approach is to create or obtain tokens with scopes like `read:/home/user1/..` or `read:/anything/..` and use the Enforcer's test functionality to check if access is improperly granted.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the scitokens library to version 1.9.7 or later, where the vulnerability has been patched.
The patch includes validation that rejects any scope paths containing traversal sequences such as ".." or their encoded forms before normalization, preventing unauthorized directory escapes.
Additionally, ensure that your token issuance process does not allow user-supplied or unvalidated scope claims that could include path traversal sequences.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in SciTokens prior to version 1.9.7 allows attackers to bypass directory restrictions and gain unauthorized access to files and directories outside their intended scope. This unauthorized access can compromise the confidentiality and integrity of sensitive data.
Such unauthorized access to sensitive information can lead to violations of data protection standards and regulations like GDPR and HIPAA, which require strict controls over access to personal and protected health information.
By allowing attackers to access files beyond their authorized scope, this vulnerability increases the risk of data breaches and non-compliance with these regulations, potentially resulting in legal and financial consequences for affected organizations.