{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32726", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-13T15:02:00.625Z", "datePublished": "2026-03-31T17:01:24.882Z", "dateUpdated": "2026-03-31T19:09:02.060Z"}, "containers": {"cna": {"title": "SciTokens C++: Sibling-Path Authorization Bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/scitokens/scitokens-cpp/security/advisories/GHSA-q5fm-fgvx-32jq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/scitokens/scitokens-cpp/security/advisories/GHSA-q5fm-fgvx-32jq"}, {"name": "https://github.com/scitokens/scitokens-cpp/commit/decfe2f00cb9cabbf1e17a3bb2cd4ea1bbbd8a73", "tags": ["x_refsource_MISC"], "url": "https://github.com/scitokens/scitokens-cpp/commit/decfe2f00cb9cabbf1e17a3bb2cd4ea1bbbd8a73"}], "affected": [{"vendor": "scitokens", "product": "scitokens-cpp", "versions": [{"version": "< 1.4.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T17:01:24.882Z"}, "descriptions": [{"lang": "en", "value": "SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass in path-based scope validation. The enforcer used a simple string-prefix comparison when checking whether a requested resource path was covered by a token's authorized scope path. Because the check did not require a path-segment boundary, a token scoped to one path could incorrectly authorize access to sibling paths that merely started with the same prefix. This issue has been patched in version 1.4.1."}], "source": {"advisory": "GHSA-q5fm-fgvx-32jq", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/scitokens/scitokens-cpp/security/advisories/GHSA-q5fm-fgvx-32jq", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T18:39:24.642064Z", "id": "CVE-2026-32726", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T19:09:02.060Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32726", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-31T18:39:24.642064Z"}}}], "references": [{"url": "https://github.com/scitokens/scitokens-cpp/security/advisories/GHSA-q5fm-fgvx-32jq", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T19:04:22.171Z"}}], "cna": {"title": "SciTokens C++: Sibling-Path Authorization Bypass", "source": {"advisory": "GHSA-q5fm-fgvx-32jq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "scitokens", "product": "scitokens-cpp", "versions": [{"status": "affected", "version": "< 1.4.1"}]}], "references": [{"url": "https://github.com/scitokens/scitokens-cpp/security/advisories/GHSA-q5fm-fgvx-32jq", "name": "https://github.com/scitokens/scitokens-cpp/security/advisories/GHSA-q5fm-fgvx-32jq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/scitokens/scitokens-cpp/commit/decfe2f00cb9cabbf1e17a3bb2cd4ea1bbbd8a73", "name": "https://github.com/scitokens/scitokens-cpp/commit/decfe2f00cb9cabbf1e17a3bb2cd4ea1bbbd8a73", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass in path-based scope validation. The enforcer used a simple string-prefix comparison when checking whether a requested resource path was covered by a token's authorized scope path. Because the check did not require a path-segment boundary, a token scoped to one path could incorrectly authorize access to sibling paths that merely started with the same prefix. This issue has been patched in version 1.4.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T17:01:24.882Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32726", "state": "PUBLISHED", "dateUpdated": "2026-03-31T19:09:02.060Z", "dateReserved": "2026-03-13T15:02:00.625Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T17:01:24.882Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass in path-based scope validation. The enforcer used a simple string-prefix comparison when checking whether a requested resource path was covered by a token's authorized scope path. Because the check did not require a path-segment boundary, a token scoped to one path could incorrectly authorize access to sibling paths that merely started with the same prefix. This issue has been patched in version 1.4.1."}], "id": "CVE-2026-32726", "lastModified": "2026-03-31T20:16:27.197", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T18:16:50.997", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/scitokens/scitokens-cpp/commit/decfe2f00cb9cabbf1e17a3bb2cd4ea1bbbd8a73"}, {"source": "security-advisories@github.com", "url": "https://github.com/scitokens/scitokens-cpp/security/advisories/GHSA-q5fm-fgvx-32jq"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/scitokens/scitokens-cpp/security/advisories/GHSA-q5fm-fgvx-32jq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "scitokens-cpp", "source": "cna", "vendor": "scitokens"}, "product": "scitokens-cpp", "vendor": "scitokens"}], "analysis": {"en": {"generated_at": "2026-03-31T19:23:35.550940+00:00", "value": {"mitigation_remediation": ["Upgrade scitokens\u2011cpp to version\u202f1.4.1 or later to enforce proper path boundaries"], "summary": {"action": "Immediate Patch", "impact": "Authorization bypass enabling access to unintended sibling paths"}, "threat_synthesis": {"affected_systems": "The issue affects the scitokens\u2011cpp library provided by SciTokens. Any application that employs a version earlier than 1.4.1 is potentially exposed, as the path\u2011boundary enforcement is added only in 1.4.1 and newer releases.", "description_and_impact": "SciTokens C++ validates requested resource paths against token scopes using a basic string\u2011prefix comparison; the check fails to enforce a path\u2011segment boundary. Prior to version\u202f1.4.1, a token scoped to /foo could incorrectly allow access to /foobar or other sibling paths sharing the same prefix. The vulnerability results in an authorization bypass that lets an attacker reach resources outside the intended scope. This weakness corresponds to CWE\u2011863.", "risk_and_exploitability": "The CVSS score of 8.1 signifies high severity, and while EPSS data is unavailable and the vulnerability is not listed in CISA KEV, exploitation appears feasible in any environment where the library is used to validate token scopes. The attack requires only the ability to supply a token with a broader path scope, and no special network privileges. Thus, the risk of exploitation is moderate to high for exposed applications."}}}}, "created": "2026-03-31T19:53:50.864393+00:00", "updated": "2026-03-31T20:37:48.562617+00:00", "vendors": ["scitokens", "scitokens$PRODUCT$scitokens-cpp"]}