CVE-2026-32716
Published: 31 March 2026
Summary
CVE-2026-32716 is a high-severity Improper Authorization (CWE-285) vulnerability in the SciTokens library (vendor: Scitokens). Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 2.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 mandates enforcement of approved authorizations for system resources, directly countering the improper prefix-based scope path validation in the SciTokens Enforcer that enables the authorization bypass.
AC-25 requires a tamperproof reference monitor that enforces access control policies completely, which rules out bypasses such as the startswith flaw that lets a token reach sibling paths sharing its prefix.
SI-10 requires validation of inputs such as token scope paths, so that a requested path is compared against the granted scope on whole path components and prefix-matching sibling paths are rejected.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
This is a network-exploitable authorization bypass in a token validation library: the flawed scope check directly enables privilege escalation, and because the library sits behind public-facing services, the same flaw yields unauthorized data access or modification on those services.
NVD Description
SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the Enforcer incorrectly validates scope paths by using a simple prefix match (startswith). This allows a token with access to a specific path (e.g., /john) to also access sibling paths that start with the same prefix (e.g., /johnathan, /johnny), which is an Authorization Bypass. This issue has been patched in version 1.9.6.
Deeper analysis
CVE-2026-32716 is an authorization bypass vulnerability in the SciTokens reference library, which is used for generating and validating SciTokens. Prior to version 1.9.6, the Enforcer component performs incorrect validation of scope paths by relying on a simple prefix match via the "startswith" function. This flaw enables a token granted access to a specific path, such as "/john", to also grant unauthorized access to sibling paths sharing the same prefix, like "/johnathan" or "/johnny". The vulnerability is classified under CWE-285 (Improper Authorization) with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
An attacker with low privileges, such as a legitimate user holding a valid SciToken scoped to a targeted path prefix, can exploit this over the network with low complexity and no user interaction required. Successful exploitation bypasses authorization controls, giving high-impact unauthorized read access to confidential data (C:H) and modification of resources (I:H) on every path that shares the prefix, without affecting availability.
The issue has been addressed in SciTokens version 1.9.6, as detailed in the project's GitHub security advisory (GHSA-w8fp-g9rh-34jh), release notes, and the patching commit (7a237c0f642efb9e8c36ac564b745895cca83583). Security practitioners should upgrade to version 1.9.6 or later to mitigate the vulnerability.
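To make the flaw concrete, here is an added Python illustration (not SciTokens' own code) that places the prefix-only check described above beside a path-component-aware replacement and lists the requests the weak check over-grants. The function names, the use of posixpath.normpath, and the sample paths are assumptions made for this example.

```python
from posixpath import normpath


def scope_allows_prefix_only(granted: str, requested: str) -> bool:
    """Vulnerable pattern (constructed, not SciTokens' code): a plain
    string prefix match, so a scope for /john also admits /johnathan."""
    return requested.startswith(granted)


def _canonical(path: str) -> str:
    # Force a single leading slash, then collapse '.', '..' and '//'
    # so that equivalent spellings of a path compare equal.
    return normpath("/" + path.lstrip("/"))


def scope_allows_path_aware(granted: str, requested: str) -> bool:
    """Hardened check: the request must be the granted path itself or a
    descendant of it, decided on whole path components, not characters."""
    g = _canonical(granted)
    r = _canonical(requested)
    if g == "/":
        return True  # a root scope legitimately covers every path
    return r == g or r.startswith(g + "/")


def over_granted(granted: str, requests: list[str]) -> list[str]:
    """Requests the prefix-only check admits but the path-aware check
    denies: exactly the sibling-path over-grant in this advisory."""
    return [
        r
        for r in requests
        if scope_allows_prefix_only(granted, r)
        and not scope_allows_path_aware(granted, r)
    ]


# Constructed sample: one scoped token, several requested paths.
SAMPLE_REQUESTS = ["/john", "/john/data.txt", "/johnathan", "/johnny", "/jane"]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(
            f"{req:16} prefix_only={scope_allows_prefix_only('/john', req)!s:5} "
            f"path_aware={scope_allows_path_aware('/john', req)}"
        )
    print("over-granted by prefix match:", over_granted("/john", SAMPLE_REQUESTS))
```

Running the module prints a row per request and then the two sibling paths that only the prefix check admits; the same comparison can be pointed at a deployment's real scope and path list to confirm an upgrade closed the gap.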
Details
- CWE(s)