CVE-2026-32726 HIGH

CVE-2026-32726: SciTokens C++: Sibling-Path Authorization Bypass

Vendor Scitokens

Product scitokens-cpp

Weakness CWE-863 · Incorrect authorization

Published March 31, 2026

Last update March 31, 2026

View on NVD All CVEs

CVSS base score

8.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass in path-based scope validation. The enforcer used a simple string-prefix comparison when checking whether a requested resource path was covered by a token's authorized scope path. Because the check did not require a path-segment boundary, a token scoped to one path could incorrectly authorize access to sibling paths that merely started with the same prefix. This issue has been patched in version 1.4.1.

Key dates

02Disclosure timeline

March 31, 2026 CVE published

March 31, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-32726

Related vulnerabilities

04Related CVE

CVE-2026-41190 FreeScout has assigned-only visibility bypass via save_draft that allows hidden conversation draft injection CVE-2026-41191 FreeScout's signature only mailbox permission allows unauthorized mailbox chat setting changes CVE-2022-46258 Incorrect Authorization in GitHub Enterprise Server leads to Action Workflow modifications without Workflow Scope CVE-2021-36778 Exposure of repository credentials to external third-party sources CVE-2026-41232 Froxlor has an Email Sender Alias Domain Ownership Bypass via Wrong Array Index that Allows Cross-Customer Email Spoofing