Cyber Resilience

CVE-2026-32726

High · Public PoC

Published: 31 March 2026

Modified: 13 April 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0027 18.8th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-32726 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Scitokens Scitokens Cpp Library. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 18.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-32726 is an authorization bypass vulnerability in the SciTokens C++ library (scitokens-cpp), a minimal implementation for creating and using SciTokens from C or C++. In versions prior to 1.4.1, the library's enforcer performs path-based scope validation using a simple string-prefix comparison without enforcing path-segment boundaries. This allows a token authorized for a specific path to incorrectly grant access to sibling paths that share the same prefix, as the check does not require delimiter separation. The issue is classified under CWE-863 (Incorrect Authorization) with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

An attacker with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity and no user interaction required. By obtaining a valid SciTokens token scoped to a path prefix, such as "/data/special/", the attacker could access unauthorized sibling resources like "/data/specialist/" or "/data/specialops/". Successful exploitation enables high confidentiality and integrity impacts (C:H/I:H), potentially allowing unauthorized data access or modification within the affected SciTokens-protected services, while availability remains unaffected (A:N).

The vulnerability has been patched in scitokens-cpp version 1.4.1, as detailed in the GitHub security advisory (GHSA-q5fm-fgvx-32jq) and the fixing commit (decfe2f00cb9cabbf1e17a3bb2cd4ea1bbbd8a73). Security practitioners should upgrade to version 1.4.1 or later to mitigate the issue, and review token scopes in deployments using earlier versions for potential over-permissions.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass in path-based scope validation. The enforcer used a simple string-prefix comparison when checking whether a requested resource path was covered by a token's authorized scope path. Because the check did not require a path-segment boundary, a token scoped to one path could incorrectly authorize access to sibling paths that merely started with the same prefix. This issue has been patched in version 1.4.1.
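The flaw described in the Deeper analysis and Vulnerability details sections comes down to one comparison. The following is an added illustrative example, not code from scitokens-cpp or its fixing commit: it places a prefix-only scope check (the vulnerable pattern) beside a segment-aware check that requires the scope path to end on a path delimiter. The function names are hypothetical, and the flawed form assumes scope paths are stored without a trailing slash (e.g. "/data/special"), which is the situation in which a sibling such as "/data/specialist/" shares the prefix.

```cpp
#include <iostream>
#include <string>

// Constructed example code; the helper names below are hypothetical.

// Flawed form: a plain string-prefix comparison with no segment-boundary check.
// Assumes scope paths are stored without a trailing slash, e.g. "/data/special".
bool scopeCoversPrefixOnly(const std::string& scopePath, const std::string& resourcePath) {
    return resourcePath.size() >= scopePath.size() &&
           resourcePath.compare(0, scopePath.size(), scopePath) == 0;
}

// Hardened form: the scope must cover whole path segments, so the resource is
// either exactly the scope path or the scope path followed by a '/' delimiter.
bool scopeCoversSegmentAware(std::string scopePath, const std::string& resourcePath) {
    // Normalise trailing slashes so "/data/special/" and "/data/special" behave alike,
    // keeping a lone "/" (root scope) intact.
    while (scopePath.size() > 1 && scopePath.back() == '/') {
        scopePath.pop_back();
    }
    if (scopePath == "/") {
        return !resourcePath.empty() && resourcePath.front() == '/';
    }
    if (!scopeCoversPrefixOnly(scopePath, resourcePath)) {
        return false;
    }
    // Exact match, or the character right after the prefix is a path delimiter.
    return resourcePath.size() == scopePath.size() ||
           resourcePath[scopePath.size()] == '/';
}

int main() {
    // Constructed sample requests against a token scoped to "/data/special".
    const std::string scope = "/data/special";
    const char* requests[] = {"/data/special", "/data/special/run1.root",
                              "/data/specialist/run1.root", "/data/specialops/", "/data"};
    for (const char* r : requests) {
        std::cout << r << "  prefix-only=" << scopeCoversPrefixOnly(scope, r)
                  << "  segment-aware=" << scopeCoversSegmentAware(scope, r) << '\n';
    }
    return 0;
}
```

Both functions assume the resource path has already been canonicalised (no repeated slashes or ".." components); an enforcer that skips that step can still be talked into a different directory even with the boundary check in place, so normalise before comparing.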

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Authorization bypass in public-facing SciTokens enforcement enables exploitation of exposed applications (T1190) and allows low-privileged token holders to access unauthorized sibling paths/resources, constituting privilege escalation (T1068).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32725 (same product: Scitokens Scitokens Cpp Library)
CVE-2026-32727 (same vendor: Scitokens)
CVE-2026-32716 (same vendor: Scitokens)
CVE-2026-44110 (shared CWE-863)
CVE-2026-44633 (shared CWE-863)
CVE-2026-22595 (shared CWE-863)
CVE-2026-32914 (shared CWE-863)
CVE-2026-28392 (shared CWE-863)
CVE-2026-32267 (shared CWE-863)
CVE-2025-55213 (shared CWE-863)

Affected Assets

scitokens
scitokens cpp library
≤ 1.4.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI)

prevent: AC-3 (Access Enforcement). Requires enforcement of approved authorizations for access to resources, directly addressing the authorization bypass from flawed path-based scope validation using simple prefix matching without segment boundaries.

prevent: SI-2 (Flaw Remediation). Mandates identification, reporting, and correction of system flaws like the scitokens-cpp authorization vulnerability, enabling upgrade to the patched version 1.4.1.

prevent: AC-25 (Reference Monitor). Implements a tamperproof reference monitor to enforce access control policies, mitigating the vulnerable library enforcer's failure to require path-segment boundaries in scope checks.

References