Vulnerability Details CVE-2026-32716
SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the Enforcer incorrectly validates scope paths by using a simple prefix match (startswith). This allows a token with access to a specific path (e.g., /john) to also access sibling paths that start with the same prefix (e.g., /johnathan, /johnny), which is an Authorization Bypass. This issue has been patched in version 1.9.6.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 7.4%
CVSS Severity
CVSS v3 Score 8.1
References
Products affected by CVE-2026-32716
-
cpe:2.3:a:scitokens:scitokens_library:*