PT-2026-29185 · Scitokens · Scitokens

Pmcao · Published 2026-03-31 · Updated 2026-04-04

CVE-2026-32727 · CVSS v3.1 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
SciTokens versions prior to 1.9.7

Description
SciTokens is a library for generating and using SciTokens. The Enforcer component is susceptible to a path traversal issue. An attacker can exploit it by including 'dot-dot' (..) sequences within the scope claim of a token, allowing them to bypass intended directory restrictions. The library normalizes both the authorized path taken from the token and the requested path supplied by the application before comparing them with startswith(). Because the token's path is normalized as well, '..' components in the scope claim are resolved rather than rejected: a scope that names a subdirectory followed by '..' components effectively authorizes a parent directory, and the prefix comparison then accepts requested paths outside the directory the issuer intended to grant.

Recommendations
Update to version 1.9.7 or later.
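The following is an added example and not code from the SciTokens project: a hypothetical model of the check the advisory describes (normalize both paths, then compare with startswith()) placed beside one hardened form that rejects traversal components in the scope claim before normalization and matches on a directory boundary. The function names, the small scope parser, and the sample scopes and paths are all constructed for this illustration; the hardened variant is one possible remedy and is not the upstream fix shipped in 1.9.7.

```python
"""Model of the prefix-check flaw described in CVE-2026-32727.

Added example, not the SciTokens library's code. Both check functions
are hypothetical: one reproduces the behaviour the advisory describes
(normalize the token path and the requested path, then startswith()),
the other shows one way to harden it. Scopes and paths are constructed.
"""
import posixpath


def _split_scope(scope: str):
    """Split a scope such as 'read:/data/alice' into (authz, path).
    A scope with no path part (e.g. 'read') is treated as '/'.
    Hypothetical helper, not the library's scope parser."""
    authz, sep, path = scope.partition(":")
    return authz, (path if sep else "/")


def vulnerable_permits(scope: str, authz: str, requested_path: str) -> bool:
    """Vulnerable model: normalize BOTH the token's authorized path and the
    application's requested path, then compare with str.startswith().
    Normalizing the token path resolves any '..' in the scope claim, so
    'read:/data/alice/../..' collapses to 'read:/' and grants everything."""
    scope_authz, scope_path = _split_scope(scope)
    if scope_authz != authz:
        return False
    norm_authz = posixpath.normpath(scope_path)
    norm_req = posixpath.normpath(requested_path)
    return norm_req.startswith(norm_authz)


def hardened_permits(scope: str, authz: str, requested_path: str) -> bool:
    """One hardened form (an assumption, not the upstream fix):
      1. require an absolute scope path and refuse '.' / '..' components
         before any normalization, so the token cannot widen its own grant;
      2. normalize the requested path (the application-controlled side),
         where resolving '..' is the desired behaviour;
      3. compare on a directory boundary, so '/data' does not also
         grant '/database' (a prefix weakness beyond the advisory's text)."""
    scope_authz, scope_path = _split_scope(scope)
    if scope_authz != authz:
        return False
    if not scope_path.startswith("/"):
        return False
    components = [c for c in scope_path.split("/") if c]
    if any(c in (".", "..") for c in components):
        return False  # traversal sequence inside the scope claim: reject
    norm_authz = posixpath.normpath(scope_path)
    norm_req = posixpath.normpath(requested_path)
    if norm_authz == "/":
        return True
    return norm_req == norm_authz or norm_req.startswith(norm_authz + "/")


if __name__ == "__main__":
    # Constructed cases: a benign token, then a token whose scope claim
    # carries '..' components (the pattern the advisory describes).
    cases = [
        ("read:/data/alice", "/data/alice/file.txt"),
        ("read:/data/alice", "/data/alice/../bob/file.txt"),
        ("read:/data/alice/../..", "/etc/shadow"),
        ("read:/data/alice", "/data/alicex/file"),
    ]
    for scope, path in cases:
        print(f"{scope:28} {path:32} vulnerable={vulnerable_permits(scope, 'read', path)!s:5} "
              f"hardened={hardened_permits(scope, 'read', path)}")
```

Run stand-alone, the vulnerable model accepts `/etc/shadow` for the `read:/data/alice/../..` token because normalization turns the authorized prefix into `/`, while the hardened model refuses that token outright. The `/data/alicex` case shows that a bare prefix comparison also confuses sibling names, a generalization added here that the advisory itself does not state. Note that normalizing the requested path is not the problem (the `../bob` request is correctly denied by both); the flaw is applying normalization to the side the token controls.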

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2026-32727
GHSA-3X2W-63FP-3QVW
OPENSUSE-SU-2026:10491-1

Affected Products

Scitokens