{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32716", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-13T14:33:42.825Z", "datePublished": "2026-03-31T01:31:44.350Z", "dateUpdated": "2026-03-31T15:30:14.705Z"}, "containers": {"cna": {"title": "SciTokens: Authorization Bypass via Incorrect Scope Path Prefix Checking", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/scitokens/scitokens/security/advisories/GHSA-w8fp-g9rh-34jh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/scitokens/scitokens/security/advisories/GHSA-w8fp-g9rh-34jh"}, {"name": "https://github.com/scitokens/scitokens/commit/7a237c0f642efb9e8c36ac564b745895cca83583", "tags": ["x_refsource_MISC"], "url": "https://github.com/scitokens/scitokens/commit/7a237c0f642efb9e8c36ac564b745895cca83583"}, {"name": "https://github.com/scitokens/scitokens/releases/tag/v1.9.6", "tags": ["x_refsource_MISC"], "url": "https://github.com/scitokens/scitokens/releases/tag/v1.9.6"}], "affected": [{"vendor": "scitokens", "product": "scitokens", "versions": [{"version": "< 1.9.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T01:31:44.350Z"}, "descriptions": [{"lang": "en", "value": "SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the Enforcer incorrectly validates scope paths by using a simple prefix match (startswith). This allows a token with access to a specific path (e.g., /john) to also access sibling paths that start with the same prefix (e.g., /johnathan, /johnny), which is an Authorization Bypass. This issue has been patched in version 1.9.6."}], "source": {"advisory": "GHSA-w8fp-g9rh-34jh", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T15:30:03.245128Z", "id": "CVE-2026-32716", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T15:30:14.705Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32716", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-31T15:30:03.245128Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T15:30:10.283Z"}}], "cna": {"title": "SciTokens: Authorization Bypass via Incorrect Scope Path Prefix Checking", "source": {"advisory": "GHSA-w8fp-g9rh-34jh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "scitokens", "product": "scitokens", "versions": [{"status": "affected", "version": "< 1.9.6"}]}], "references": [{"url": "https://github.com/scitokens/scitokens/security/advisories/GHSA-w8fp-g9rh-34jh", "name": "https://github.com/scitokens/scitokens/security/advisories/GHSA-w8fp-g9rh-34jh", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/scitokens/scitokens/commit/7a237c0f642efb9e8c36ac564b745895cca83583", "name": "https://github.com/scitokens/scitokens/commit/7a237c0f642efb9e8c36ac564b745895cca83583", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/scitokens/scitokens/releases/tag/v1.9.6", "name": "https://github.com/scitokens/scitokens/releases/tag/v1.9.6", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the Enforcer incorrectly validates scope paths by using a simple prefix match (startswith). This allows a token with access to a specific path (e.g., /john) to also access sibling paths that start with the same prefix (e.g., /johnathan, /johnny), which is an Authorization Bypass. This issue has been patched in version 1.9.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285: Improper Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T01:31:44.350Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32716", "state": "PUBLISHED", "dateUpdated": "2026-03-31T15:30:14.705Z", "dateReserved": "2026-03-13T14:33:42.825Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T01:31:44.350Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the Enforcer incorrectly validates scope paths by using a simple prefix match (startswith). This allows a token with access to a specific path (e.g., /john) to also access sibling paths that start with the same prefix (e.g., /johnathan, /johnny), which is an Authorization Bypass. This issue has been patched in version 1.9.6."}], "id": "CVE-2026-32716", "lastModified": "2026-03-31T03:15:57.143", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T03:15:57.143", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/scitokens/scitokens/commit/7a237c0f642efb9e8c36ac564b745895cca83583"}, {"source": "security-advisories@github.com", "url": "https://github.com/scitokens/scitokens/releases/tag/v1.9.6"}, {"source": "security-advisories@github.com", "url": "https://github.com/scitokens/scitokens/security/advisories/GHSA-w8fp-g9rh-34jh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.9.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "scitokens", "source": "cna", "vendor": "scitokens"}, "product": "scitokens", "vendor": "scitokens"}], "analysis": {"en": {"generated_at": "2026-03-31T05:25:05.637137+00:00", "value": {"mitigation_remediation": ["Update the SciTokens library to version 1.9.6 or later."], "summary": {"action": "Immediate Patch", "impact": "Authorization Bypass"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the SciTokens reference library provided by the scitokens organization. Any deployment that uses SciTokens 1.9.5 or earlier is impacted. All environments where the library is used for token enforcement \u2013 such as web services or data access layers \u2013 are susceptible, as the bug is within the enforcement logic and not limited to a specific platform.", "description_and_impact": "SciTokens provides a library to create and validate tokens for scientific data access. A bug in versions before 1.9.6 caused the library to check scope paths using a simple string prefix comparison. As a result, a token that was valid for a path such as /john could also be accepted for any sibling path that began with the same characters, like /johnathan or /johnny. This flaw constitutes an authorization bypass that allows a malicious actor to gain unintended access to resources for which the token should not be valid. The weakness is categorized as CWE\u2011285, Improper Authorization, and carries a CVSS score of 8.1, indicating high severity.", "risk_and_exploitability": "The flaw has a CVSS base score of 8.1 and is not listed in the CISA KEV catalog, but it is widespread in any system that integrates an affected SciTokens version. While no EPSS score is available, the high CVSS indicates that exploitation is likely if an attacker can supply a crafted token. In practice, the attack can occur when a user presents a token for a slightly different path; the enforcement logic mistakenly accepts it. Administrators should treat this as a priority vulnerability that can lead to unauthorized data access."}}}}, "created": "2026-03-31T19:56:32.277344+00:00", "updated": "2026-03-31T20:39:42.868230+00:00", "vendors": ["scitokens", "scitokens$PRODUCT$scitokens"]}