CVE-2026-32727
Published: 31 March 2026
Summary
CVE-2026-32727 is a high-severity path traversal (CWE-22) vulnerability in the SciTokens library (vendor: Scitokens). Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 5.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Flaw remediation directly mitigates CVE-2026-32727 by requiring timely patching of the SciTokens library to version 1.9.7, eliminating the path traversal vulnerability in the Enforcer.
Access enforcement ensures that mechanisms like the SciTokens Enforcer restrict file access based on the token's scope claim, without normalization flaws that allow directory escapes.
Information input validation checks token scope claims for path traversal sequences such as ../ before they are passed to the Enforcer, reducing exploitation risk.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Network-reachable path traversal in the SciTokens Enforcer (AV:N, PR:L) directly enables remote exploitation of a public-facing authorization component (T1190), and bypassing its directory restrictions yields unauthorized file access or modification, which amounts to privilege escalation (T1068).
NVD Description
SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.7, the Enforcer is vulnerable to a path traversal attack where an attacker can use dot-dot (..) in the scope claim of a token to escape the intended directory restriction. This occurs because the library normalizes both the authorized path (from the token) and the requested path (from the application) before comparing them using startswith. This issue has been patched in version 1.9.7.
Deeper analysis
CVE-2026-32727 is a path traversal vulnerability (CWE-22) in the Enforcer component of the SciTokens library, affecting versions prior to 1.9.7. SciTokens is a reference library for generating and using SciTokens. The flaw occurs because the Enforcer normalizes both the authorized path from the token's scope claim and the requested path from the application before comparing them using startswith, enabling attackers to use dot-dot (..) sequences in the scope claim to bypass intended directory restrictions.
The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating exploitation over the network with low complexity, low privileges required, and no user interaction. An attacker who can obtain a token with low privileges—such as an authenticated user—can craft the scope claim to include path traversal payloads, escaping the restricted directory. This allows unauthorized access to or modification of files outside the intended scope, resulting in high confidentiality and integrity impacts.
The issue has been addressed in SciTokens version 1.9.7. Mitigation involves upgrading to this patched version. Official resources include the GitHub security advisory (GHSA-3x2w-63fp-3qvw), the patching commit (2d1cc9e42bc944fe0bbc429b85d166e7156d53f9), pull request #230, and release notes for v1.9.7.
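The following Python example is added here to make the flaw class concrete; it is not the SciTokens library's code and does not reproduce its Enforcer. `weak_check` models the pattern the advisory describes (normalize both the token-derived path and the requested path, then compare with `startswith`), and `hardened_check` models the input-validation mitigation named above (reject `.`/`..` segments in the token-controlled path before any comparison). The scope layout `<authz>:<path>`, the function names and the sample scopes are assumptions for illustration. The hardened form also compares path components instead of raw string prefixes, which goes slightly beyond the advisory: it closes the separate sibling-directory pitfall where `/data/alice` would prefix-match `/data/alice2`.

```python
# Added illustration of the CVE-2026-32727 flaw class (path traversal via a
# normalized, token-controlled authorized path). NOT the SciTokens library's
# own code; names and scope format are hypothetical.
import posixpath


def _normalize(path: str) -> str:
    """Collapse '.', '..' and repeated slashes (posixpath.normpath semantics)."""
    return posixpath.normpath(path)


def scope_to_path(scope: str) -> str:
    """Extract the path part of an assumed '<authz>:<path>' scope, e.g.
    'read:/data/alice' -> '/data/alice'. A scope with no path means '/'."""
    _authz, _, path = scope.partition(":")
    return path or "/"


def weak_check(scope: str, requested: str) -> bool:
    """Vulnerable pattern from the advisory: normalize BOTH the authorized path
    (attacker-influenced, from the token) and the requested path (from the
    application), then compare with startswith. Traversal segments in the
    scope are silently resolved, so the authorized prefix can become any
    ancestor directory, e.g. '/etc'."""
    authorized = _normalize(scope_to_path(scope))
    requested = _normalize(requested)
    return requested.startswith(authorized)


def hardened_check(scope: str, requested: str) -> bool:
    """Hardened pattern: validate the token-controlled path first, normalize
    only the application-supplied path, and compare path components."""
    authorized = scope_to_path(scope)
    # 1. Input validation on the attacker-influenced value: it must be absolute
    #    and must not contain '.' or '..' segments. Never normalize it away.
    if not authorized.startswith("/"):
        return False
    auth_parts = [p for p in authorized.split("/") if p]
    if any(p in (".", "..") for p in auth_parts):
        return False
    # 2. Normalize the requested path so a traversal in the REQUEST cannot
    #    escape either; it must also be absolute.
    requested = _normalize(requested)
    if not requested.startswith("/"):
        return False
    req_parts = [p for p in requested.split("/") if p]
    # 3. Component-wise prefix match: '/data/alice' must not match '/data/alice2'.
    return req_parts[: len(auth_parts)] == auth_parts


def compare(scope: str, requested: str) -> dict:
    """Run both checks on one (scope, request) pair for side-by-side review."""
    return {"weak": weak_check(scope, requested),
            "hardened": hardened_check(scope, requested)}


if __name__ == "__main__":
    # Constructed sample scopes; the traversal one is the shape the advisory warns about.
    cases = [
        ("read:/data/alice", "/data/alice/results.txt"),        # legitimate
        ("read:/data/alice/../../etc", "/etc/passwd"),          # traversal in scope
        ("read:/data/alice", "/data/alice/../bob/secret"),      # traversal in request
        ("read:/data/alice", "/data/alice2/other.txt"),         # sibling-prefix pitfall
    ]
    for scope, req in cases:
        print(f"{scope:<28} {req:<28} {compare(scope, req)}")
```

Running the block prints one line per constructed case; the traversal-in-scope case is the one where the weak check answers `True` and the hardened check answers `False`, which is exactly the behaviour the advisory describes and the behaviour the input-validation control is meant to prevent.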
Details
- CWE(s)