CVE-2026-32716 HIGH

CVE-2026-32716: SciTokens: Authorization Bypass via Incorrect Scope Path Prefix Checking

Vendor Scitokens
Product scitokens
Weakness CWE-285
Published March 31, 2026
Last update March 31, 2026
View on NVD All CVEs

CVSS base score

8.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the Enforcer incorrectly validates scope paths by using a simple prefix match (startswith). This allows a token with access to a specific path (e.g., /john) to also access sibling paths that start with the same prefix (e.g., /johnathan, /johnny), which is an Authorization Bypass. This issue has been patched in version 1.9.6.

Key dates

02Disclosure timeline

March 31, 2026 CVE published
March 31, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-4519 IDonate 2.1.5 - 2.1.9 - Missing Authorization to Authenticated (Subscriber+) Account Takeover/Privilege Escalation via idonate_donor_password Function CVE-2020-3267 Cisco Unified Contact Center Express Improper API Authorization Vulnerability CVE-2020-1690 CVE-2023-34460 Tauri vulnerable to Regression on Filesystem Scope Checks for Dotfiles CVE-2025-3980 wowjoy 浙江湖州华卓信息科技有限公司 Internet Doctor Workstation System list improper authorization