CVE-2026-32726
- Source
- https://cve.org/CVERecord?id=CVE-2026-32726
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32726.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-32726
- Aliases
-
- GHSA-q5fm-fgvx-32jq
- Downstream
- Published
- 2026-03-31T17:01:24.882Z
- Modified
- 2026-04-10T05:43:02.648071Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- SciTokens C++: Sibling-Path Authorization Bypass
- Details
-
SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass in path-based scope validation. The enforcer used a simple string-prefix comparison when checking whether a requested resource path was covered by a token's authorized scope path. Because the check did not require a path-segment boundary, a token scoped to one path could incorrectly authorize access to sibling paths that merely started with the same prefix. This issue has been patched in version 1.4.1.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32726.json", "cwe_ids": [ "CWE-863" ], "cna_assigner": "GitHub_M" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32726.json
- https://github.com/scitokens/scitokens-cpp/commit/decfe2f00cb9cabbf1e17a3bb2cd4ea1bbbd8a73
- https://github.com/scitokens/scitokens-cpp/security/advisories/GHSA-q5fm-fgvx-32jq
- https://nvd.nist.gov/vuln/detail/CVE-2026-32726