CVE-2026-32725
Published: 31 March 2026
Summary
CVE-2026-32725 is a high-severity Relative Path Traversal (CWE-23) vulnerability in the SciTokens C++ library (scitokens-cpp). Its CVSS v3.1 base score is 8.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 41.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of path-based scopes in tokens so that parent-directory traversal components such as ".." are rejected rather than normalized away, directly preventing the authorization bypass.
- AC-3 (Access Enforcement): mandates enforcement of access authorizations that evaluate path scopes without collapsing traversal components, blocking access to parent directories outside the intended scope.
- SI-2 (Flaw Remediation): ensures timely remediation by upgrading scitokens-cpp to version 1.4.1, which rejects tokens whose scopes contain traversal components.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The bypass is reachable remotely (AV:N) through the token-validation path of any service that consumes SciTokens, so a public-facing application accepting such tokens is the natural entry point (Exploit Public-Facing Application, T1190). Once a traversal scope is accepted, the holder gains access to resources beyond the directory the scope was meant to cover, which is Exploitation for Privilege Escalation (T1068).
NVD Description
SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass when processing path-based scopes in tokens. The library normalizes the scope path from the token before authorization and collapses ".." path components instead of rejecting them. As a result, an attacker can use parent-directory traversal in the scope claim to broaden the effective authorization beyond the intended directory. This issue has been patched in version 1.4.1.
Deeper analysis
CVE-2026-32725 is an authorization bypass in the SciTokens C++ library (scitokens-cpp), a minimal implementation for creating and using SciTokens in C or C++ applications, rooted in relative path traversal (CWE-23). Prior to version 1.4.1, the library does not reject parent-directory traversal components ("..") in the path-based scopes carried by a token. Instead, it normalizes the scope path by collapsing those components before the authorization check, so a scope intended to cover one directory can resolve to a parent directory, or to the root, and grant access there.
An attacker with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). By presenting a token whose scope claim contains "../" components, the attacker escapes the intended restriction, achieving high confidentiality (C:H) and integrity (I:H) impacts with low availability impact (A:L) and unchanged scope (S:U), as scored at CVSS 8.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L). Since SciTokens are signed JWTs, the crafted scope must appear in a token the issuer actually signs; the PR:L rating reflects that the attacker needs a legitimately issued token rather than a forged one. The result is unauthorized access to resources outside the scoped directory.
The issue is addressed in scitokens-cpp version 1.4.1, where the library rejects tokens with traversal components in a scope path rather than normalizing them. Security practitioners should upgrade to 1.4.1 or later, as detailed in the GitHub security advisory (GHSA-rqcx-mc9w-pjxp) and the fixing commit (7951ed809967d88c00c20de414b1ff74df8c3e08). When auditing other consumers of path-based scopes, the check to apply is the same: a scope containing "." or ".." components should be rejected outright, never collapsed and then compared.
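The scope-path handling described above, shown as an added example that is not scitokens-cpp's own code: a collapsing normalizer of the kind the advisory describes beside a rejecting one, each feeding the same prefix-based authorization check. The "action:/path" scope form, the function names, and the sample scopes and resource paths are assumptions constructed for this illustration.

```cpp
// Added illustration (not scitokens-cpp source): how collapsing ".." in a
// scope path before the authorization check widens a token's reach, beside
// the rejecting behaviour the fix describes. The "action:/path" scope form,
// the function names and the sample scopes below are assumptions made for
// this example.
#include <iostream>
#include <optional>
#include <sstream>
#include <string>
#include <vector>

// Split a POSIX-style path into its non-empty segments ("/a//b/" -> {a, b}).
static std::vector<std::string> split_path(const std::string &path) {
    std::vector<std::string> parts;
    std::istringstream in(path);
    std::string seg;
    while (std::getline(in, seg, '/')) {
        if (!seg.empty()) parts.push_back(seg);
    }
    return parts;
}

// Re-join segments with a leading slash; an empty list is the root "/".
static std::string join_path(const std::vector<std::string> &parts) {
    std::string out;
    for (const auto &p : parts) out += "/" + p;
    return out.empty() ? "/" : out;
}

// Pre-1.4.1 behaviour as the advisory describes it: "." is dropped and ".."
// pops the previous segment, so a scope can climb above its intended root.
std::string normalize_collapsing(const std::string &path) {
    std::vector<std::string> out;
    for (const auto &seg : split_path(path)) {
        if (seg == ".") continue;
        if (seg == "..") {
            if (!out.empty()) out.pop_back();
            continue;
        }
        out.push_back(seg);
    }
    return join_path(out);
}

// Hardened behaviour: any "." or ".." component invalidates the scope.
// std::nullopt means the token must be rejected outright.
std::optional<std::string> normalize_rejecting(const std::string &path) {
    std::vector<std::string> out;
    for (const auto &seg : split_path(path)) {
        if (seg == "." || seg == "..") return std::nullopt;
        out.push_back(seg);
    }
    return join_path(out);
}

// A scope path covers a resource when it is a segment-wise prefix of it
// ("/data/alice" covers "/data/alice/x" but not "/data/alicebob").
bool path_prefix_allows(const std::string &scope_path, const std::string &resource) {
    const auto s = split_path(scope_path);
    const auto r = split_path(resource);
    if (s.size() > r.size()) return false;
    for (size_t i = 0; i < s.size(); ++i) {
        if (s[i] != r[i]) return false;
    }
    return true;
}

// Pull "action" and "/path" out of an "action:/path" scope claim (assumed form).
static bool parse_scope(const std::string &scope, std::string &action, std::string &path) {
    const auto colon = scope.find(':');
    if (colon == std::string::npos) return false;
    action = scope.substr(0, colon);
    path = scope.substr(colon + 1);
    return !action.empty() && !path.empty() && path[0] == '/';
}

// Vulnerable check: normalizes first, then compares the collapsed prefix.
bool vulnerable_authorize(const std::string &scope, const std::string &action,
                          const std::string &resource) {
    std::string act, path;
    if (!parse_scope(scope, act, path) || act != action) return false;
    return path_prefix_allows(normalize_collapsing(path), resource);
}

// Fixed check: a scope containing traversal components authorizes nothing.
bool fixed_authorize(const std::string &scope, const std::string &action,
                     const std::string &resource) {
    std::string act, path;
    if (!parse_scope(scope, act, path) || act != action) return false;
    const auto clean = normalize_rejecting(path);
    if (!clean) return false;
    return path_prefix_allows(*clean, resource);
}

int main() {
    // Constructed scope: nominally limited to /data/alice, but climbing out.
    const std::string crafted = "write:/data/alice/../../etc";
    const std::string target = "/etc/passwd";
    std::cout << "collapsed scope path: " << normalize_collapsing("/data/alice/../../etc") << "\n";
    std::cout << std::boolalpha;
    std::cout << "vulnerable authorize: " << vulnerable_authorize(crafted, "write", target) << "\n";
    std::cout << "fixed authorize:      " << fixed_authorize(crafted, "write", target) << "\n";
    return 0;
}
```

The worst case is a scope such as "write:/data/alice/../..", which the collapsing normalizer reduces to "/" and which therefore matches every resource under the prefix check; the rejecting normalizer turns the same scope into a token rejection before any comparison happens. Rejecting rather than normalizing is the right fix because a scope is an issuer-asserted boundary, not a user-supplied file path, so there is no legitimate reason for it to contain traversal components.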
Details
- CWE(s)