PT-2026-29184 · Scitokens · Scitokens

Pmcao · Published 2026-03-31 · Updated 2026-04-04

CVE-2026-32716 · CVSS v3.1 8.1 High · Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: SciTokens versions prior to 1.9.6
Description: SciTokens is a library for generating and using SciTokens. The Enforcer component validates scope paths with a plain string-prefix match (Python's str.startswith), so a token whose scope grants access to one path also passes the check for every other path whose string begins with that scope path: a scope for /data/foo, for example, also matches /data/foobar. A prefix test that ignores path-component boundaries is insufficient for access control, and the result is an authorization bypass. The vulnerable component is the Enforcer.
Recommendations: Update to SciTokens version 1.9.6 or later.
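The flaw and one hardened alternative, as an added example that is not the SciTokens project's own Enforcer code: vulnerable_path_allows reproduces the startswith prefix match described above, fixed_path_allows compares normalized path components instead, and token_allows is a hypothetical helper that applies either check to scopes written in the SciTokens "authz:/path" form (a scope with no path is assumed here to mean the root "/"). All paths and scopes in the demo are constructed for illustration.

```python
# Added example, not code from the SciTokens library: the string-prefix scope
# check behind CVE-2026-32716, next to a component-aware check.
import posixpath
from typing import Callable, Iterable


def _normalize(path: str) -> str:
    """Collapse '.', '..' and repeated slashes; always return an absolute path
    with no trailing slash (except for the root itself)."""
    # lstrip first so posixpath.normpath never sees a POSIX-special leading '//'
    return posixpath.normpath("/" + path.lstrip("/"))


def vulnerable_path_allows(scope_path: str, requested_path: str) -> bool:
    """The flawed check: a bare prefix test. A scope for /data/foo also
    authorizes /data/foobar, and '..' segments are never resolved."""
    return requested_path.startswith(scope_path)


def fixed_path_allows(scope_path: str, requested_path: str) -> bool:
    """Component-aware check: the requested path must equal the scope path or
    lie strictly beneath it, after both are normalized."""
    scope = _normalize(scope_path)
    requested = _normalize(requested_path)
    if scope == "/":
        return True  # a root scope covers every path
    return requested == scope or requested.startswith(scope + "/")


def token_allows(
    scopes: Iterable[str],
    authz: str,
    requested_path: str,
    path_check: Callable[[str, str], bool],
) -> bool:
    """Hypothetical enforcer loop: grant if any scope carries the requested
    authorization (e.g. 'read') and its path passes path_check."""
    for scope in scopes:
        scope_authz, _, scope_path = scope.partition(":")
        if scope_authz != authz:
            continue
        # Assumption for this example: a scope with no path means the root.
        if path_check(scope_path or "/", requested_path):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: a token scoped to read /data/foo only.
    scopes = ["read:/data/foo"]
    requests = [
        ("read", "/data/foo/file.txt"),          # legitimately in scope
        ("read", "/data/foobar"),                # the prefix bypass
        ("read", "/data/foo/../../etc/passwd"),  # unresolved traversal
        ("write", "/data/foo/file.txt"),         # wrong authorization
    ]
    for authz, path in requests:
        print(
            f"{authz:5} {path:32} "
            f"vulnerable={token_allows(scopes, authz, path, vulnerable_path_allows)!s:5} "
            f"fixed={token_allows(scopes, authz, path, fixed_path_allows)}"
        )
```

The hardened check is one reasonable way to close the gap, not a claim about how the 1.9.6 release implements its fix. Normalizing before comparing matters as much as the boundary check: with a bare startswith, "/data/foo/../../etc/passwd" passes a scope for /data/foo even though it resolves to a path outside it.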

Weakness Enumeration

Improper Authorization (CWE-285)

Related Identifiers

CVE-2026-32716
GHSA-W8FP-G9RH-34JH
OPENSUSE-SU-2026:10491-1

Affected Products

Scitokens