PT-2026-29312 · Scitokens · Scitokens

Pmcao · Published 2026-03-31 · Updated 2026-04-02 · CVE-2026-32725

CVSS v3.1: 8.3 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: SciTokens C++ versions prior to 1.4.1

Description: SciTokens C++ is a library for creating and using SciTokens. Versions before 1.4.1 have an authorization bypass when handling path-based scopes within tokens. The library normalizes the scope path, collapsing ".." path components instead of rejecting them. This allows an attacker to use parent directory traversal in the scope claim to expand authorization beyond the intended directory. The vulnerability occurs during the processing of the scope claim within SciTokens.

Recommendations: Update to SciTokens C++ version 1.4.1 or later.
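As an added illustration (not SciTokens C++ code), the contrast between a scope-path normalizer that collapses ".." and one that rejects it, followed by the prefix check that shows why the collapsed form widens authorization. Function names and sample paths are constructed for this example.

```cpp
// Added example, not library code: lenient vs. strict handling of ".." in a scope path.
#include <optional>
#include <sstream>
#include <string>
#include <vector>

// Split "/a/b/c" into {"a", "b", "c"}, dropping empty components.
static std::vector<std::string> split_path(const std::string& path) {
    std::vector<std::string> parts;
    std::stringstream ss(path);
    std::string part;
    while (std::getline(ss, part, '/')) {
        if (!part.empty()) parts.push_back(part);
    }
    return parts;
}

// Lenient normalization in the style the advisory describes as the defect:
// ".." pops the previous component, so "/data/alice/../" becomes "/data".
std::string normalize_lenient(const std::string& path) {
    std::vector<std::string> out;
    for (const auto& p : split_path(path)) {
        if (p == ".") continue;
        if (p == "..") { if (!out.empty()) out.pop_back(); continue; }
        out.push_back(p);
    }
    std::string result;
    for (const auto& p : out) result += "/" + p;
    return result.empty() ? "/" : result;
}

// Hardened handling: any "." or ".." component makes the scope invalid,
// so the token is rejected instead of being granted a wider prefix.
std::optional<std::string> normalize_strict(const std::string& path) {
    std::string result;
    for (const auto& p : split_path(path)) {
        if (p == "." || p == "..") return std::nullopt;
        result += "/" + p;
    }
    return result.empty() ? "/" : result;
}

// Prefix check applied to an accepted scope path: the requested path must
// equal the scope path or lie beneath it.
bool scope_allows(const std::string& scope, const std::string& requested) {
    if (scope == "/") return true;
    return requested == scope || requested.rfind(scope + "/", 0) == 0;
}
```

With the lenient form, a scope of "/data/alice/../" collapses to "/data" and then authorizes "/data/bob/file"; the strict form rejects the token before any prefix check runs.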

Weakness Enumeration

Relative Path Traversal

Related Identifiers

CVE-2026-32725
GHSA-RQCX-MC9W-PJXP

Affected Products

Scitokens