{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32727", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-13T15:02:00.626Z", "datePublished": "2026-03-31T01:31:57.392Z", "dateUpdated": "2026-04-02T14:48:02.376Z"}, "containers": {"cna": {"title": "SciTokens: Authorization Bypass via Path Traversal in Scope Validation", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/scitokens/scitokens/security/advisories/GHSA-3x2w-63fp-3qvw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/scitokens/scitokens/security/advisories/GHSA-3x2w-63fp-3qvw"}, {"name": "https://github.com/scitokens/scitokens/pull/230", "tags": ["x_refsource_MISC"], "url": "https://github.com/scitokens/scitokens/pull/230"}, {"name": "https://github.com/scitokens/scitokens/commit/2d1cc9e42bc944fe0bbc429b85d166e7156d53f9", "tags": ["x_refsource_MISC"], "url": "https://github.com/scitokens/scitokens/commit/2d1cc9e42bc944fe0bbc429b85d166e7156d53f9"}, {"name": "https://github.com/scitokens/scitokens/releases/tag/v1.9.7", "tags": ["x_refsource_MISC"], "url": "https://github.com/scitokens/scitokens/releases/tag/v1.9.7"}], "affected": [{"vendor": "scitokens", "product": "scitokens", "versions": [{"version": "< 1.9.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T01:31:57.392Z"}, "descriptions": [{"lang": "en", "value": "SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.7, the Enforcer is vulnerable to a path traversal attack where an attacker can use dot-dot (..) in the scope claim of a token to escape the intended directory restriction. This occurs because the library normalizes both the authorized path (from the token) and the requested path (from the application) before comparing them using startswith. This issue has been patched in version 1.9.7."}], "source": {"advisory": "GHSA-3x2w-63fp-3qvw", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T14:47:31.443983Z", "id": "CVE-2026-32727", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T14:48:02.376Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32727", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-02T14:47:31.443983Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T14:47:58.128Z"}}], "cna": {"title": "SciTokens: Authorization Bypass via Path Traversal in Scope Validation", "source": {"advisory": "GHSA-3x2w-63fp-3qvw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "scitokens", "product": "scitokens", "versions": [{"status": "affected", "version": "< 1.9.7"}]}], "references": [{"url": "https://github.com/scitokens/scitokens/security/advisories/GHSA-3x2w-63fp-3qvw", "name": "https://github.com/scitokens/scitokens/security/advisories/GHSA-3x2w-63fp-3qvw", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/scitokens/scitokens/pull/230", "name": "https://github.com/scitokens/scitokens/pull/230", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/scitokens/scitokens/commit/2d1cc9e42bc944fe0bbc429b85d166e7156d53f9", "name": "https://github.com/scitokens/scitokens/commit/2d1cc9e42bc944fe0bbc429b85d166e7156d53f9", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/scitokens/scitokens/releases/tag/v1.9.7", "name": "https://github.com/scitokens/scitokens/releases/tag/v1.9.7", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.7, the Enforcer is vulnerable to a path traversal attack where an attacker can use dot-dot (..) in the scope claim of a token to escape the intended directory restriction. This occurs because the library normalizes both the authorized path (from the token) and the requested path (from the application) before comparing them using startswith. This issue has been patched in version 1.9.7."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T01:31:57.392Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32727", "state": "PUBLISHED", "dateUpdated": "2026-04-02T14:48:02.376Z", "dateReserved": "2026-03-13T15:02:00.626Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T01:31:57.392Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:scitokens:scitokens_library:*:*:*:*:*:*:*:*", "matchCriteriaId": "8D402B23-94E7-4866-B628-DFCD1E58109E", "versionEndExcluding": "1.9.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.7, the Enforcer is vulnerable to a path traversal attack where an attacker can use dot-dot (..) in the scope claim of a token to escape the intended directory restriction. This occurs because the library normalizes both the authorized path (from the token) and the requested path (from the application) before comparing them using startswith. This issue has been patched in version 1.9.7."}, {"lang": "es", "value": "SciTokens es una biblioteca de referencia para generar y usar SciTokens. Antes de la versi\u00f3n 1.9.7, el Enforcer es vulnerable a un ataque de salto de ruta donde un atacante puede usar punto-punto (..) en la declaraci\u00f3n de alcance de un token para evadir la restricci\u00f3n de directorio prevista. Esto ocurre porque la biblioteca normaliza tanto la ruta autorizada (del token) como la ruta solicitada (de la aplicaci\u00f3n) antes de compararlas usando startswith. Este problema ha sido parcheado en la versi\u00f3n 1.9.7."}], "id": "CVE-2026-32727", "lastModified": "2026-04-03T17:26:41.500", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-31T03:15:57.340", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/scitokens/scitokens/commit/2d1cc9e42bc944fe0bbc429b85d166e7156d53f9"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/scitokens/scitokens/pull/230"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/scitokens/scitokens/releases/tag/v1.9.7"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/scitokens/scitokens/security/advisories/GHSA-3x2w-63fp-3qvw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.9.7)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "scitokens", "source": "cna", "vendor": "scitokens"}, "product": "scitokens", "vendor": "scitokens"}], "analysis": {"en": {"generated_at": "2026-04-03T20:52:26.492361+00:00", "value": {"mitigation_remediation": ["Upgrade the SciTokens library to version 1.9.7 or later."], "summary": {"action": "Immediate Patch", "impact": "Authorization Bypass via Path Traversal"}, "threat_synthesis": {"affected_systems": "The flaw affects the SciTokens reference library, specifically all releases prior to version 1.9.7. Users incorporating this library into their services or applications are at risk unless the library has been upgraded. Any deployment that relies on the older versions should identify where the library is used and assess the potential for unauthorized file access beyond the intended scope.", "description_and_impact": "This vulnerability involves a path traversal flaw in the scope validation logic of the SciTokens library. When the library normalizes the path specified in a token's scope claim and the path requested by the application, it then compares them using a simple startswith check. An attacker can embed the sequence \"..\" in the scope claim to escape the intended directory restriction. As a result, the library incorrectly allows access to resources outside the authorized directory, effectively bypassing the prescribed authorization controls.", "risk_and_exploitability": "The CVSS score of 8.1 classifies this as a high\u2011severity vulnerability. EPSS indicates an exploration probability of less than 1\u202f%, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves the issuance or manipulation of authorization tokens containing a crafted scope claim. If an attacker can obtain or forge such a token, they may gain unauthorized access to resources beyond the intended directory restriction."}}}}, "created": "2026-03-31T19:56:31.392270+00:00", "updated": "2026-04-03T21:17:49.707658+00:00", "vendors": ["scitokens", "scitokens$PRODUCT$scitokens"]}