Platform: cpp
Component: scitokens-cpp
Fixed in: 1.4.2
CVE-2026-32725 describes a Path Traversal vulnerability discovered in SciTokens C++, a C/C++ library for handling SciTokens. This flaw allows attackers to bypass authorization checks by manipulating path-based scopes within tokens, potentially leading to unauthorized access. The vulnerability impacts versions of SciTokens C++ prior to 1.4.1, and a patch is available in version 1.4.1.
The core of this vulnerability lies in how SciTokens C++ handles scope paths within tokens. Instead of rejecting scope paths that contain ".." segments, the library normalizes the path, collapsing those segments. An attacker can exploit this by crafting a token whose scope path, after normalization, points to a directory outside the intended scope. The holder of such a token can then reach files or resources they should not have access to, potentially leading to information disclosure or even remote code execution if the accessed resources are executable. The blast radius depends on the permissions granted to the application using the SciTokens library and on the sensitivity of the data or resources reachable through the widened scope.
This vulnerability was publicly disclosed on 2026-03-31. Currently, there are no known public exploits or active campaigns targeting this specific vulnerability. It is not listed on the CISA KEV catalog at the time of writing. The availability of a relatively straightforward bypass makes it a potential target for opportunistic attackers.
Exploit Status
EPSS: 0.23% (46th percentile)
CISA SSVC: (not provided)
CVSS Vector: (not provided)
The primary mitigation for CVE-2026-32725 is to upgrade to SciTokens C++ version 1.4.1 or later, which contains the fix for this authorization bypass. If upgrading is not immediately feasible, consider implementing input validation on the scope path before processing it. This could involve rejecting tokens with ".." sequences or implementing stricter path normalization. Additionally, review the application's access control mechanisms to ensure that even if an attacker gains access to a broader scope, their actions are still properly restricted. After upgrading, confirm the fix by attempting to craft a malicious token with a path traversal sequence in the scope claim and verifying that it is rejected.
Update the scitokens-cpp library to version 1.4.1 or higher. This version fixes the path traversal vulnerability that allows authorization bypass. The update will prevent attackers from expanding authorization beyond the intended directory by manipulating paths in scope claims.
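The following C++ program is an added example, not code from the SciTokens C++ project (the page does not show the library's internals). It contrasts the flaw class described above, normalizing ".." segments away after a scope path has been joined to a base path, with the input-validation mitigation recommended above, rejecting such segments before the join. It assumes, as a hypothetical model, that a token's scope path is appended to a configured issuer base path before use; the functions naive_resolve, scope_path_is_clean, safe_resolve and within_base and the base path /data/alice are constructed for illustration.

```cpp
#include <iostream>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

// Split on '/' keeping empty segments so that "//" and a missing leading '/'
// remain visible to the validator.
static std::vector<std::string> split_path(const std::string& path) {
    std::vector<std::string> parts;
    std::string seg;
    std::istringstream in(path);
    while (std::getline(in, seg, '/')) parts.push_back(seg);
    return parts;
}

// Join segments back into an absolute path.
static std::string join_path(const std::vector<std::string>& segs) {
    std::string out;
    for (const auto& s : segs) { out += "/"; out += s; }
    return out.empty() ? "/" : out;
}

// UNSAFE (illustrates the flaw class on this page): join base and scope path,
// then resolve ".." by popping the previous segment. Because the pop does not
// stop at the base path, a scope path of "/../.." climbs out of the base.
std::string naive_resolve(const std::string& base, const std::string& scope_path) {
    std::vector<std::string> out;
    for (const auto& seg : split_path(base + scope_path)) {
        if (seg.empty() || seg == ".") continue;
        if (seg == "..") { if (!out.empty()) out.pop_back(); continue; }
        out.push_back(seg);
    }
    return join_path(out);
}

// HARDENED: accept only absolute scope paths whose every segment is a plain
// name. ".", ".." and empty segments (from "//") are rejected outright, so
// no later normalization step can change where the path points.
bool scope_path_is_clean(const std::string& scope_path) {
    if (scope_path.empty() || scope_path[0] != '/') return false;
    auto segs = split_path(scope_path);
    for (size_t i = 1; i < segs.size(); ++i) {  // segs[0] is "" before the leading '/'
        const auto& s = segs[i];
        if (s.empty() || s == "." || s == "..") return false;
    }
    return true;
}

// Validate first; after that a plain concatenation cannot escape the base.
std::string safe_resolve(const std::string& base, const std::string& scope_path) {
    if (!scope_path_is_clean(scope_path))
        throw std::invalid_argument("scope path rejected: traversal or malformed segment");
    return base + scope_path;
}

// Convenience for tests: true when safe_resolve refuses the scope path.
bool safe_resolve_rejects(const std::string& base, const std::string& scope_path) {
    try { safe_resolve(base, scope_path); return false; }
    catch (const std::invalid_argument&) { return true; }
}

// Defence in depth: segment-aware containment check on the final path, so
// "/data/alice2" is not accepted as being under base "/data/alice".
bool within_base(const std::string& base, const std::string& path) {
    if (path == base) return true;
    return path.compare(0, base.size(), base) == 0 &&
           path.size() > base.size() && path[base.size()] == '/';
}

int main() {
    const std::string base = "/data/alice";  // constructed issuer base path
    const std::string hostile = "/../../etc/passwd";  // constructed scope path
    std::cout << "naive: " << naive_resolve(base, hostile)
              << "  within base? " << within_base(base, naive_resolve(base, hostile)) << "\n";
    std::cout << "hardened rejects hostile path? " << safe_resolve_rejects(base, hostile) << "\n";
    std::cout << "hardened: " << safe_resolve(base, "/projects/sim") << "\n";
    return 0;
}
```

The containment check in within_base is the second line of defence the mitigation text asks for: even if an upstream component hands over an already-normalized path, the application still refuses anything that is not beneath the configured base.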
CVE-2026-32725 is a Path Traversal vulnerability affecting SciTokens C++ versions prior to 1.4.1. It allows attackers to bypass authorization by manipulating scope paths in tokens.
You are affected if you are using SciTokens C++ version 1.4.1 or earlier. Check your dependency versions to determine if you are vulnerable.
Upgrade to SciTokens C++ version 1.4.1 or later to resolve this vulnerability. Implement input validation as a temporary workaround if upgrading is not immediately possible.
As of now, there are no confirmed reports of active exploitation targeting CVE-2026-32725, but the vulnerability's nature makes it a potential target.
Refer to the SciTokens C++ project's official channels (website, GitHub repository) for the latest advisory and security updates related to CVE-2026-32725.