{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32726", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-13T15:02:00.625Z", "datePublished": "2026-03-31T17:01:24.882Z", "dateUpdated": "2026-03-31T19:09:02.060Z"}, "containers": {"cna": {"title": "SciTokens C++: Sibling-Path Authorization Bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/scitokens/scitokens-cpp/security/advisories/GHSA-q5fm-fgvx-32jq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/scitokens/scitokens-cpp/security/advisories/GHSA-q5fm-fgvx-32jq"}, {"name": "https://github.com/scitokens/scitokens-cpp/commit/decfe2f00cb9cabbf1e17a3bb2cd4ea1bbbd8a73", "tags": ["x_refsource_MISC"], "url": "https://github.com/scitokens/scitokens-cpp/commit/decfe2f00cb9cabbf1e17a3bb2cd4ea1bbbd8a73"}], "affected": [{"vendor": "scitokens", "product": "scitokens-cpp", "versions": [{"version": "< 1.4.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T17:01:24.882Z"}, "descriptions": [{"lang": "en", "value": "SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass in path-based scope validation. The enforcer used a simple string-prefix comparison when checking whether a requested resource path was covered by a token's authorized scope path. Because the check did not require a path-segment boundary, a token scoped to one path could incorrectly authorize access to sibling paths that merely started with the same prefix. This issue has been patched in version 1.4.1."}], "source": {"advisory": "GHSA-q5fm-fgvx-32jq", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/scitokens/scitokens-cpp/security/advisories/GHSA-q5fm-fgvx-32jq", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T18:39:24.642064Z", "id": "CVE-2026-32726", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T19:09:02.060Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32726", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-31T18:39:24.642064Z"}}}], "references": [{"url": "https://github.com/scitokens/scitokens-cpp/security/advisories/GHSA-q5fm-fgvx-32jq", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T19:04:22.171Z"}}], "cna": {"title": "SciTokens C++: Sibling-Path Authorization Bypass", "source": {"advisory": "GHSA-q5fm-fgvx-32jq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "scitokens", "product": "scitokens-cpp", "versions": [{"status": "affected", "version": "< 1.4.1"}]}], "references": [{"url": "https://github.com/scitokens/scitokens-cpp/security/advisories/GHSA-q5fm-fgvx-32jq", "name": "https://github.com/scitokens/scitokens-cpp/security/advisories/GHSA-q5fm-fgvx-32jq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/scitokens/scitokens-cpp/commit/decfe2f00cb9cabbf1e17a3bb2cd4ea1bbbd8a73", "name": "https://github.com/scitokens/scitokens-cpp/commit/decfe2f00cb9cabbf1e17a3bb2cd4ea1bbbd8a73", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass in path-based scope validation. The enforcer used a simple string-prefix comparison when checking whether a requested resource path was covered by a token's authorized scope path. Because the check did not require a path-segment boundary, a token scoped to one path could incorrectly authorize access to sibling paths that merely started with the same prefix. This issue has been patched in version 1.4.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T17:01:24.882Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32726", "state": "PUBLISHED", "dateUpdated": "2026-03-31T19:09:02.060Z", "dateReserved": "2026-03-13T15:02:00.625Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T17:01:24.882Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:scitokens:scitokens_cpp_library:*:*:*:*:*:*:*:*", "matchCriteriaId": "CC9F84FE-5692-462D-BA2B-D9703D8AFAD1", "versionEndExcluding": "1.4.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass in path-based scope validation. The enforcer used a simple string-prefix comparison when checking whether a requested resource path was covered by a token's authorized scope path. Because the check did not require a path-segment boundary, a token scoped to one path could incorrectly authorize access to sibling paths that merely started with the same prefix. This issue has been patched in version 1.4.1."}], "id": "CVE-2026-32726", "lastModified": "2026-04-13T17:03:28.610", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T18:16:50.997", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/scitokens/scitokens-cpp/commit/decfe2f00cb9cabbf1e17a3bb2cd4ea1bbbd8a73"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/scitokens/scitokens-cpp/security/advisories/GHSA-q5fm-fgvx-32jq"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/scitokens/scitokens-cpp/security/advisories/GHSA-q5fm-fgvx-32jq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "scitokens-cpp", "source": "cna", "vendor": "scitokens"}, "product": "scitokens-cpp", "vendor": "scitokens"}], "analysis": {"en": {"generated_at": "2026-04-13T20:31:38.653692+00:00", "value": {"mitigation_remediation": ["Upgrade SciTokens\u202fC++ to version\u202f1.4.1 or later"], "summary": {"action": "Immediate Patch", "impact": "Authorization bypass via path prefix comparison"}, "threat_synthesis": {"affected_systems": "All releases of the SciTokens\u202fC++ library published before version\u202f1.4.1 are affected. The library is known as scitokens:scitokens-cpp. Versions 1.4.1 and later include a fix that enforces proper path segment boundaries and no longer suffer from the bypass.", "description_and_impact": "SciTokens\u202fC++ validates token scopes by comparing requested resource paths to the authorized scope using a simple string\u2011prefix check. Because the comparison does not enforce a full path segment boundary, a token that is limited to a specific path can incorrectly be granted access to sibling paths that begin with the same prefix. This allows an attacker who possesses a scoped token to request and receive resources outside its legitimate scope, leading to unauthorized data access.", "risk_and_exploitability": "The vulnerability carries a high severity score of 8.1, indicating a significant impact. Exploitation requires only a legitimately scoped token and does not need additional system compromise. While the probability of exploitation is currently considered low, the potential for unauthorized data access warrants prompt remediation. The issue is not listed in the known exploited vulnerability catalog."}}}}, "created": "2026-03-31T19:53:50.864393+00:00", "updated": "2026-04-14T16:42:21.193696+00:00", "vendors": ["scitokens", "scitokens$PRODUCT$scitokens-cpp"]}