Description

SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the Enforcer incorrectly validates scope paths by using a simple prefix match (startswith). This allows a token with access to a specific path (e.g., /john) to also access sibling paths that start with the same prefix (e.g., /johnathan, /johnny), which is an Authorization Bypass. This issue has been patched in version 1.9.6.

INFO

Published Date :

2026-03-31T01:31:44.350Z

Last Modified :

2026-03-31T15:30:14.705Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-32716 vulnerability.

Vendors Products
Scitokens
  • Scitokens
  • Scitokens Library
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-32716.

URL Resource
https://github.com/scitokens/scitokens/commit/7a237c0f642efb9e8c36ac564b745895cca83583 cve-icon cve-icon
https://github.com/scitokens/scitokens/releases/tag/v1.9.6 cve-icon cve-icon
https://github.com/scitokens/scitokens/security/advisories/GHSA-w8fp-g9rh-34jh cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact