Cyber Posture

CVE-2026-32725

High severity · Public PoC

Published: 31 March 2026
Modified: 13 April 2026
KEV Added
Patch
CVSS Score: 8.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)
EPSS Score: 0.0020 (41.6th percentile)
Risk Priority: 17 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass when processing path-based scopes in tokens. The library normalizes the scope path from the token before authorization and collapses ".." path components instead of rejecting them. As a result, an attacker can use parent-directory traversal in the scope claim to broaden the effective authorization beyond the intended directory. This issue has been patched in version 1.4.1.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

prevent: Requires validation of path-based scopes in tokens to reject parent-directory traversal sequences like '..', directly preventing the authorization bypass.

prevent: Mandates enforcement of access authorizations that correctly process path scopes without collapsing traversal components, blocking unauthorized access to parent directories.

prevent: Ensures timely remediation of the specific flaw in scitokens-cpp by applying the patch in version 1.4.1 that rejects traversal tokens.

Security Summary [AI-generated]

CVE-2026-32725 is an authorization bypass vulnerability (CWE-23) in the SciTokens C++ library (scitokens-cpp), a minimal implementation for creating and using SciTokens in C or C++ applications. Prior to version 1.4.1, the library fails to properly reject parent-directory traversal sequences ("..") in path-based scopes within tokens. Instead, it normalizes these paths by collapsing the components before authorization checks, allowing scopes intended for a specific directory to effectively grant access to parent directories and beyond.

An attacker with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). By crafting a token with a scope claim containing "../" traversals, the attacker bypasses intended restrictions, achieving high confidentiality (C:H) and integrity (I:H) impacts, with low availability impact (A:L) and unchanged scope (S:U), as scored at CVSS 8.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L). This enables unauthorized access to resources outside the scoped directory.

The issue is addressed in scitokens-cpp version 1.4.1, where the library now rejects tokens with traversal components rather than normalizing them. Security practitioners should upgrade to this version immediately, as detailed in the GitHub security advisory (GHSA-rqcx-mc9w-pjxp) and the patching commit (7951ed809967d88c00c20de414b1ff74df8c3e08).
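To make the normalize-versus-reject distinction concrete, here is an added illustration (not code from scitokens-cpp, the advisory, or the patch) that models a scope path as a slash-separated string and authorization as a directory-prefix check; the normalization and prefix rules are assumptions for the example, not the library's actual behaviour.

```cpp
#include <sstream>
#include <string>
#include <vector>

// Split a slash-separated scope path into components ("/a/b" -> "", "a", "b").
static std::vector<std::string> split_path(const std::string &path) {
    std::vector<std::string> parts;
    std::stringstream ss(path);
    for (std::string part; std::getline(ss, part, '/');) parts.push_back(part);
    return parts;
}

// Pre-1.4.1-style lexical normalization (illustrative, not the library's code): ".." is collapsed, not rejected.
std::string normalize_scope_path(const std::string &path) {
    std::vector<std::string> out;
    for (const auto &c : split_path(path)) {
        if (c.empty() || c == ".") continue;
        if (c == "..") { if (!out.empty()) out.pop_back(); continue; }
        out.push_back(c);
    }
    std::string result;
    for (const auto &c : out) result += "/" + c;
    return result.empty() ? "/" : result;
}

// Prefix check: the resource equals the scoped path or lives below it ("/data/user1" must not match "/data/user10").
bool path_under(const std::string &authorized, const std::string &resource) {
    if (authorized == "/" || resource == authorized) return true;
    return resource.compare(0, authorized.size() + 1, authorized + "/") == 0;
}

// Vulnerable pattern: normalize, then check. A ".." widens the prefix, up to "/".
bool authorize_vulnerable(const std::string &scope_path, const std::string &resource) {
    return path_under(normalize_scope_path(scope_path), resource);
}

// Hardened pattern: the scope path must be absolute and free of "." and ".."
// components; offending tokens are refused outright rather than repaired.
bool scope_path_is_safe(const std::string &path) {
    if (path.empty() || path[0] != '/') return false;
    for (const auto &c : split_path(path))
        if (c == "." || c == "..") return false;
    return true;
}

bool authorize_hardened(const std::string &scope_path, const std::string &resource) {
    if (!scope_path_is_safe(scope_path)) return false;
    return path_under(normalize_scope_path(scope_path), resource);  // now only drops empty segments
}
```

The safety check runs on the raw claim string before any other processing, which is the property the 1.4.1 fix restores: a scope that would need repair is treated as invalid, not repaired.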

Details

CWE(s)

CWE-23 (Relative Path Traversal)

Affected Products

Vendor: scitokens
Product: scitokens cpp library
Versions: ≤ 1.4.1

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

A remote (AV:N) authorization bypass via path traversal in a token validation library enables exploitation of public-facing applications (T1190) and privilege escalation through unauthorized access to resources beyond the intended scope (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References