UBUNTU-CVE-2026-32726

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-32726

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-32726.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-32726

Upstream

CVE-2026-32726

Published

2026-03-31T18:16:00Z

Modified

2026-05-20T16:25:22.147874814Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass in path-based scope validation. The enforcer used a simple string-prefix comparison when checking whether a requested resource path was covered by a token's authorized scope path. Because the check did not require a path-segment boundary, a token scoped to one path could incorrectly authorize access to sibling paths that merely started with the same prefix. This issue has been patched in version 1.4.1.

References

Affected packages

Ubuntu:22.04:LTS / scitokens-cpp

Package

Name: scitokens-cpp
Purl: pkg:deb/ubuntu/scitokens-cpp?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.5.1-2

0.6.2-1

0.6.2-1ubuntu1

0.6.2-2

0.7.0-1

0.7.0-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libscitokens0",
            "binary_version": "0.7.0-2"
        },
        {
            "binary_name": "scitokens-cpp",
            "binary_version": "0.7.0-2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-32726.json"

Ubuntu:24.04:LTS / scitokens-cpp

Package

Name: scitokens-cpp
Purl: pkg:deb/ubuntu/scitokens-cpp?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.0.2-1

1.1.0-1

1.1.0-1.1

1.1.0-1.1build2

1.1.0-1.1build3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libscitokens0t64",
            "binary_version": "1.1.0-1.1build3"
        },
        {
            "binary_name": "scitokens-cpp",
            "binary_version": "1.1.0-1.1build3"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-32726.json"

Ubuntu:25.10 / scitokens-cpp

Package

Name: scitokens-cpp
Purl: pkg:deb/ubuntu/scitokens-cpp?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.1.3-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libscitokens0t64",
            "binary_version": "1.1.3-1"
        },
        {
            "binary_name": "scitokens-cpp",
            "binary_version": "1.1.3-1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-32726.json"

Ubuntu:26.04:LTS / scitokens-cpp

Package

Name: scitokens-cpp
Purl: pkg:deb/ubuntu/scitokens-cpp?arch=source&distro=resolute

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.1.3-1

1.2.0-1

1.3.0-1

1.3.0-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libscitokens0t64",
            "binary_version": "1.3.0-2"
        },
        {
            "binary_name": "scitokens-cpp",
            "binary_version": "1.3.0-2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-32726.json"