CVE-2026-32726
Published: 31 March 2026
Summary
CVE-2026-32726 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Scitokens Scitokens Cpp Library. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires enforcement of approved authorizations for access to resources, directly addressing the authorization bypass from flawed path-based scope validation using simple prefix matching without segment boundaries.
Mandates identification, reporting, and correction of system flaws like the scitokens-cpp authorization vulnerability, enabling upgrade to the patched version 1.4.1.
Implements a tamperproof reference monitor to enforce access control policies, mitigating the vulnerable library enforcer's failure to require path-segment boundaries in scope checks.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authorization bypass in public-facing SciTokens enforcement enables exploitation of exposed applications (T1190) and allows low-privileged token holders to access unauthorized sibling paths/resources, constituting privilege escalation (T1068).
NVD Description
SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass in path-based scope validation. The enforcer used a simple string-prefix comparison when checking whether…
more
a requested resource path was covered by a token's authorized scope path. Because the check did not require a path-segment boundary, a token scoped to one path could incorrectly authorize access to sibling paths that merely started with the same prefix. This issue has been patched in version 1.4.1.
Deeper analysisAI
CVE-2026-32726 is an authorization bypass vulnerability in the SciTokens C++ library (scitokens-cpp), a minimal implementation for creating and using SciTokens from C or C++. In versions prior to 1.4.1, the library's enforcer performs path-based scope validation using a simple string-prefix comparison without enforcing path-segment boundaries. This allows a token authorized for a specific path to incorrectly grant access to sibling paths that share the same prefix, as the check does not require delimiter separation. The issue is classified under CWE-863 (Incorrect Authorization) with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
An attacker with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity and no user interaction required. By obtaining a valid SciTokens token scoped to a path prefix, such as "/data/special/", the attacker could access unauthorized sibling resources like "/data/specialist/" or "/data/specialops/". Successful exploitation enables high confidentiality and integrity impacts (C:H/I:H), potentially allowing unauthorized data access or modification within the affected SciTokens-protected services, while availability remains unaffected (A:N).
The vulnerability has been patched in scitokens-cpp version 1.4.1, as detailed in the GitHub security advisory (GHSA-q5fm-fgvx-32jq) and the fixing commit (decfe2f00cb9cabbf1e17a3bb2cd4ea1bbbd8a73). Security practitioners should upgrade to version 1.4.1 or later to mitigate the issue, and review token scopes in deployments using earlier versions for potential over-permissions.
Details
- CWE(s)