CVE-2026-32716
Severity
Unknown
SciTokens: Authorization Bypass via Incorrect Scope Path Prefix Checking
Platform
python
Component
scitokens
Fixed in
1.9.6
SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the Enforcer validates scope paths with a plain string prefix match (startswith). A token scoped to a specific path (e.g., /john) is therefore also accepted for sibling paths that share the same string prefix (e.g., /johnathan, /johnny), which is an authorization bypass. This issue has been patched in version 1.9.6.
How to fix
Update the SciTokens library to version 1.9.6 or later. This version corrects the incorrect scope path validation, preventing the authorization bypass. You can update using the Python package manager (pip).
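To show why a bare prefix test is the wrong check and what a component-wise path comparison looks like, here is an added stand-alone Python example; it is not the scitokens library's own code, and the helper names and the `read:/path` scope-claim form it parses are assumptions for illustration.

```python
import posixpath
from typing import List


def prefix_match_vulnerable(scope_path: str, requested_path: str) -> bool:
    """The flawed pattern the advisory describes: a plain string prefix test.
    "/johnathan".startswith("/john") is True, so a sibling path is accepted."""
    return requested_path.startswith(scope_path)


def _components(path: str) -> List[str]:
    # Normalise lexically before comparing: collapse "//", resolve "." and "..",
    # drop a trailing "/". A root scope ("/") yields an empty component list.
    normalized = posixpath.normpath("/" + path.lstrip("/"))
    return [c for c in normalized.split("/") if c]


def path_within_scope(scope_path: str, requested_path: str) -> bool:
    """Hardened check: the requested path must equal the scope path or lie
    beneath it as whole path components. "/johnathan" is not under "/john"."""
    scope = _components(scope_path)
    requested = _components(requested_path)
    return requested[: len(scope)] == scope


def scope_authorizes(scope_claim: str, action: str, requested_path: str) -> bool:
    """Evaluate a space-separated scope claim such as "read:/john write:/john/out".
    Assumption: an entry with no path part (e.g. "read") means the root "/"."""
    for scope in scope_claim.split():
        authz, _, path = scope.partition(":")
        if authz == action and path_within_scope(path or "/", requested_path):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: token scoped to /john, request for the sibling /johnathan.
    print("vulnerable:", prefix_match_vulnerable("/john", "/johnathan"))  # True
    print("hardened:  ", path_within_scope("/john", "/johnathan"))        # False
```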