Platform: python
Component: scitokens
Fixed in: 1.9.7, 1.9.6
CVE-2026-32716 describes an authorization bypass vulnerability affecting SciTokens versions up to 1.8.1. The flaw arises from incorrect scope path validation: a plain string-prefix match is used where a comparison that respects path boundaries is required. Attackers can exploit this to gain access to resources beyond the intended scope, potentially leading to unauthorized data access and manipulation. A fix is available in version 1.9.6.
The core of this vulnerability lies in the validatescp and validatescope methods within the scitokens.py file. The flawed prefix matching logic allows an attacker possessing a token with access to a specific path (e.g., /john) to also access sibling paths sharing the same prefix (e.g., /johnathan, /johnny). This effectively bypasses the intended authorization controls. The potential impact is significant, as it could enable unauthorized access to sensitive data or functionality within applications relying on SciTokens for authentication and authorization. The blast radius depends on the sensitivity of the resources accessible through the affected scope paths.
This CVE was publicly disclosed on 2026-03-31. Currently, there are no known active campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been released, but the vulnerability's nature suggests that a PoC could be developed relatively easily. The vulnerability is not currently listed on the CISA KEV catalog. The CVSS score of 8.1 (HIGH) indicates a significant potential for exploitation.
Exploit Status
EPSS: 0.03% (9th percentile)
The primary mitigation for CVE-2026-32716 is to upgrade to SciTokens version 1.9.6 or later, which includes the corrected scope path validation logic. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider implementing stricter input validation on the application side to limit the scope of accessible resources. While not a complete solution, this can reduce the potential impact. Review and audit existing token scopes to identify and correct any overly permissive configurations. After upgrading, confirm the fix by attempting to access sibling paths with a token that should only have access to the original intended path; access should be denied.
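The following is an added illustration, not code from the scitokens project: the bare string-prefix comparison described above placed beside a path-boundary-aware check of the kind the application-side mitigation calls for, run over the /john versus /johnathan case. The `authz:path` scope syntax, the function names and the sample scopes are assumptions, and the "flawed" function models the bug class rather than reproducing the library's validatescp/validatescope code.

```python
from posixpath import normpath


def normalize_path(path: str) -> str:
    """Canonicalise a scope path: single leading slash, collapse "." / ".."
    and repeated slashes, drop any trailing slash."""
    # Assumption: scope paths are POSIX-style absolute paths.
    return normpath("/" + path.strip().lstrip("/"))


def prefix_match_allows(granted: str, requested: str) -> bool:
    """The flawed comparison class behind CVE-2026-32716: a bare string
    prefix test. Illustrative only, not the scitokens implementation."""
    return requested.startswith(granted)


def path_component_allows(granted: str, requested: str) -> bool:
    """Corrected comparison: the grant covers the request only if the paths
    are equal or the granted path is a directory ancestor of the request."""
    g, r = normalize_path(granted), normalize_path(requested)
    if g == "/":  # a root grant covers everything
        return True
    return r == g or r.startswith(g + "/")


def authorize(scopes, authz, path, allows=path_component_allows):
    """Return True if any scope of the form 'authz:path' covers the request.
    Assumption: the 'read:/john' style authz:path scope syntax."""
    for scope in scopes.split():
        op, _, granted = scope.partition(":")
        if op == authz and granted and allows(granted, path):
            return True
    return False


# Constructed sample: a token granting read and write under /john only.
SAMPLE_SCOPES = "read:/john write:/john"


def bypass_candidates(scopes=SAMPLE_SCOPES, authz="read"):
    """Probe paths the flawed check grants but the corrected check denies."""
    probes = ["/john", "/john/data.txt", "/johnathan", "/johnny/notes",
              "/john/../johnny", "/jo", "/data/john"]
    return [p for p in probes
            if authorize(scopes, authz, p, prefix_match_allows)
            and not authorize(scopes, authz, p)]


if __name__ == "__main__":
    print("flawed prefix check wrongly allows:", bypass_candidates())
```

The `/john/../johnny` probe shows why the corrected check normalises before comparing: a prefix test sees `/john` at the front of the string even though the resolved path is a sibling.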
Update the SciTokens library to version 1.9.6 or higher. This version corrects the incorrect scope path validation, preventing the authorization bypass. You can update using the Python package manager (pip).
CVE-2026-32716 is a HIGH severity vulnerability in SciTokens versions up to 1.8.1. It allows attackers to bypass authorization controls by exploiting a flawed scope path validation mechanism, granting access to unintended resources.
You are affected if you are using SciTokens version 1.8.1 or earlier. Check your SciTokens version and upgrade immediately if vulnerable.
Upgrade to SciTokens version 1.9.6 or later to resolve this vulnerability. If an immediate upgrade is not possible, implement stricter input validation on the application side.
Currently, there are no confirmed reports of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the SciTokens project's official release notes and security advisories for detailed information and updates: [https://github.com/scitokens/scitokens/releases](https://github.com/scitokens/scitokens/releases)