Platform: python
Component: scitokens
Fixed in: 1.9.8
CVE-2026-32727 describes a Path Traversal vulnerability discovered in SciTokens, a reference library for generating and using SciTokens. This flaw allows attackers to bypass intended directory restrictions by injecting dot-dot (..) sequences into the token's scope claim. The vulnerability impacts versions of SciTokens up to and including 1.9.7, and a patch is available in version 1.9.7.
Successful exploitation of CVE-2026-32727 allows an attacker to read arbitrary files on the server hosting the application using SciTokens. By crafting a malicious token with a manipulated scope claim, an attacker can traverse the file system beyond the intended boundaries. This could lead to the exposure of sensitive configuration files, source code, or other confidential data. The blast radius depends on the application's permissions and the files accessible from the vulnerable server. This vulnerability shares similarities with other path traversal exploits, where improper input validation leads to unauthorized file access.
CVE-2026-32727 was publicly disclosed on 2026-03-31. There is no indication of active exploitation campaigns or KEV listing at the time of writing. No public proof-of-concept (PoC) code has been released, but the vulnerability's nature makes it relatively straightforward to exploit.
Exploit Status
EPSS: 0.05% (15th percentile)
The primary mitigation for CVE-2026-32727 is to upgrade to SciTokens version 1.9.7 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing input validation on the application side to sanitize the scope claim before processing it. This could involve restricting the characters allowed in the scope claim or implementing stricter path validation. Web application firewalls (WAFs) configured to detect path traversal attempts can also provide a temporary layer of protection. After upgrading, verify the fix by attempting to craft a token with a malicious scope claim (e.g., ../../../../etc/passwd) and confirm that access is denied.
Update the SciTokens library to version 1.9.7 or higher. This version fixes the path traversal vulnerability in scope validation. The update will prevent attackers from bypassing intended directory restrictions by using 'dot-dot (..)' in the token's scope.
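As an added example (not code from the scitokens project), this is the kind of application-side scope validation the mitigation above describes: it parses `<authz>:<path>` scopes, rejects any scope or request path containing `..`, `.`, empty, percent-encoded or backslash segments before anything touches the filesystem, and matches the request against the scope path on a segment boundary. The scope format, the fail-closed handling of a token with any malformed scope, and all function names are assumptions for illustration.

```python
import posixpath

# Assumed scope format for this example: "<authz>:<path>", e.g. "read:/data".
# These helpers are illustrative and are not the scitokens library's API.
TRAVERSAL_SEGMENTS = {"..", "."}


def parse_scope(scope):
    """Split 'read:/data' into ('read', '/data'); a bare 'read' means the root '/'."""
    authz, sep, path = scope.partition(":")
    return authz, (path if sep else "/")


def is_clean_path(path):
    """Accept only absolute POSIX paths with no '.', '..', empty, percent-encoded
    or backslash segments. Checked on the raw string, before any normalization,
    so a traversal sequence cannot survive into later path handling."""
    if not path.startswith("/"):
        return False
    if any(ch in path for ch in ("\\", "\x00", "%")):
        return False
    segments = path.split("/")[1:]          # drop the leading empty segment
    if path != "/" and any(seg == "" or seg in TRAVERSAL_SEGMENTS for seg in segments):
        return False
    return True


def scope_permits(scope, authz, requested_path):
    """True if one scope grants `authz` on `requested_path`. Both paths must be
    clean, and the request must sit at or under the scope path on a segment
    boundary: '/data' covers '/data/f' but not '/database/f'."""
    scope_authz, scope_path = parse_scope(scope)
    if scope_authz != authz:
        return False
    if not (is_clean_path(scope_path) and is_clean_path(requested_path)):
        return False
    prefix = scope_path.rstrip("/")
    return requested_path == prefix or requested_path.startswith(prefix + "/")


def token_permits(scope_claim, authz, requested_path):
    """Evaluate a space-separated scope claim. A token carrying any malformed
    scope is rejected outright (fail closed) rather than having that scope skipped."""
    scopes = scope_claim.split()
    if not all(is_clean_path(parse_scope(s)[1]) for s in scopes):
        return False
    return any(scope_permits(s, authz, requested_path) for s in scopes)
```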
CVE-2026-32727 is a Path Traversal vulnerability affecting SciTokens versions up to 1.9.7. It allows attackers to bypass directory restrictions by manipulating the token's scope claim, potentially accessing sensitive files.
You are affected if you are using SciTokens version 1.9.7 or earlier. Check your project dependencies to determine if you are using a vulnerable version.
Upgrade to SciTokens version 1.9.7 or later. If upgrading is not possible immediately, implement input validation on the application side to sanitize the scope claim.
There is currently no evidence of active exploitation, but the vulnerability's nature makes it relatively easy to exploit.
Refer to the SciTokens project's official website or GitHub repository for the latest security advisories and updates.