{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32716", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-13T14:33:42.825Z", "datePublished": "2026-03-31T01:31:44.350Z", "dateUpdated": "2026-03-31T15:30:14.705Z"}, "containers": {"cna": {"title": "SciTokens: Authorization Bypass via Incorrect Scope Path Prefix Checking", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/scitokens/scitokens/security/advisories/GHSA-w8fp-g9rh-34jh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/scitokens/scitokens/security/advisories/GHSA-w8fp-g9rh-34jh"}, {"name": "https://github.com/scitokens/scitokens/commit/7a237c0f642efb9e8c36ac564b745895cca83583", "tags": ["x_refsource_MISC"], "url": "https://github.com/scitokens/scitokens/commit/7a237c0f642efb9e8c36ac564b745895cca83583"}, {"name": "https://github.com/scitokens/scitokens/releases/tag/v1.9.6", "tags": ["x_refsource_MISC"], "url": "https://github.com/scitokens/scitokens/releases/tag/v1.9.6"}], "affected": [{"vendor": "scitokens", "product": "scitokens", "versions": [{"version": "< 1.9.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T01:31:44.350Z"}, "descriptions": [{"lang": "en", "value": "SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the Enforcer incorrectly validates scope paths by using a simple prefix match (startswith). This allows a token with access to a specific path (e.g., /john) to also access sibling paths that start with the same prefix (e.g., /johnathan, /johnny), which is an Authorization Bypass. This issue has been patched in version 1.9.6."}], "source": {"advisory": "GHSA-w8fp-g9rh-34jh", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T15:30:03.245128Z", "id": "CVE-2026-32716", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T15:30:14.705Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32716", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-31T15:30:03.245128Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T15:30:10.283Z"}}], "cna": {"title": "SciTokens: Authorization Bypass via Incorrect Scope Path Prefix Checking", "source": {"advisory": "GHSA-w8fp-g9rh-34jh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "scitokens", "product": "scitokens", "versions": [{"status": "affected", "version": "< 1.9.6"}]}], "references": [{"url": "https://github.com/scitokens/scitokens/security/advisories/GHSA-w8fp-g9rh-34jh", "name": "https://github.com/scitokens/scitokens/security/advisories/GHSA-w8fp-g9rh-34jh", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/scitokens/scitokens/commit/7a237c0f642efb9e8c36ac564b745895cca83583", "name": "https://github.com/scitokens/scitokens/commit/7a237c0f642efb9e8c36ac564b745895cca83583", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/scitokens/scitokens/releases/tag/v1.9.6", "name": "https://github.com/scitokens/scitokens/releases/tag/v1.9.6", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the Enforcer incorrectly validates scope paths by using a simple prefix match (startswith). This allows a token with access to a specific path (e.g., /john) to also access sibling paths that start with the same prefix (e.g., /johnathan, /johnny), which is an Authorization Bypass. This issue has been patched in version 1.9.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285: Improper Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T01:31:44.350Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32716", "state": "PUBLISHED", "dateUpdated": "2026-03-31T15:30:14.705Z", "dateReserved": "2026-03-13T14:33:42.825Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T01:31:44.350Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:scitokens:scitokens_library:*:*:*:*:*:*:*:*", "matchCriteriaId": "429A2C44-9B3E-4F01-86BC-818177DD8EF0", "versionEndExcluding": "1.9.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the Enforcer incorrectly validates scope paths by using a simple prefix match (startswith). This allows a token with access to a specific path (e.g., /john) to also access sibling paths that start with the same prefix (e.g., /johnathan, /johnny), which is an Authorization Bypass. This issue has been patched in version 1.9.6."}, {"lang": "es", "value": "SciTokens es una biblioteca de referencia para generar y usar SciTokens. Antes de la versi\u00f3n 1.9.6, el Enforcer valida incorrectamente las rutas de alcance al usar una coincidencia de prefijo simple (startswith). Esto permite que un token con acceso a una ruta espec\u00edfica (por ejemplo, /john) tambi\u00e9n acceda a rutas hermanas que comienzan con el mismo prefijo (por ejemplo, /johnathan, /johnny), lo que constituye un bypass de autorizaci\u00f3n. Este problema ha sido parcheado en la versi\u00f3n 1.9.6."}], "id": "CVE-2026-32716", "lastModified": "2026-04-03T18:01:06.267", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-31T03:15:57.143", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/scitokens/scitokens/commit/7a237c0f642efb9e8c36ac564b745895cca83583"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/scitokens/scitokens/releases/tag/v1.9.6"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/scitokens/scitokens/security/advisories/GHSA-w8fp-g9rh-34jh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.9.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "scitokens", "source": "cna", "vendor": "scitokens"}, "product": "scitokens", "vendor": "scitokens"}], "analysis": {"en": {"generated_at": "2026-04-03T21:27:14.150324+00:00", "value": {"mitigation_remediation": ["Update the SciTokens library to version 1.9.6 or newer to correct the scope path validation logic.", "Verify that existing tokens are re\u2011issued or invalidated if they granted access to paths that could be confused by the prefix rule.", "Audit application code to ensure no custom authorization logic uses the old prefix check logic.", "Monitor token usage and logs for anomalous access patterns that might indicate exploitation after an update."], "summary": {"action": "Immediate Patch", "impact": "Authorization Bypass"}, "threat_synthesis": {"affected_systems": "All users of the SciTokens reference library whose installations are older than version 1.9.6 are affected. The vulnerability applies to the scitokens scitokens_library product. Upgrading to the released 1.9.6 version or newer resolves the issue.", "description_and_impact": "The vulnerability resides in the scope path handling of the SciTokens library. The enforcer checks whether a requested path is covered by a token\u2019s scope by performing a simple prefix match. This logic allows a token granted access to a specific path (for example, \"/john\") to also access any sibling paths that share that prefix (such as \"/johnathan\" or \"/johnny\"). Consequently, an attacker with a valid token for a given path can illicitly gain access to unrelated resources, violating confidentiality and integrity. The weakness corresponds to improper authorization enforcement, identified as CWE\u2011285.", "risk_and_exploitability": "The CVSS score of 8.1 classifies this as a high\u2011severity flaw. The EPSS score of less than 1% indicates a low likelihood of widespread exploitation, and the flaw is not listed in CISA\u2019s KEV catalog. Exploitation requires the attacker to possess a valid token for a path that conflicts with the desired resource; once that token is available, malicious callers can request sibling paths and benefit from the broken prefix validation. If an attacker can obtain or forge such a token, they can bypass authorization controls permanently on the affected system."}}}}, "created": "2026-03-31T19:56:32.277344+00:00", "updated": "2026-04-07T08:08:15.719217+00:00", "vendors": ["scitokens", "scitokens$PRODUCT$scitokens"]}