CVE-2026-32716: SciTokens has an Authorization Bypass via Incorrect Scope Path Prefix Checking
The Enforcer validates scope paths with a plain string prefix match (str.startswith) rather than a path-component match. A token granted access to a specific path (e.g., /john) therefore also passes the check for sibling paths that merely share the same leading characters (e.g., /johnathan, /johnny), which is an Authorization Bypass.
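The following is an added illustration of the flaw class described above, not code from the scitokens project or its fix commit: a bare `startswith` prefix check beside a path-component-aware check, plus a small scope matcher that assumes the `authz:path` scope form (e.g. `read:/john`) and treats a scope without a path as granting `/`. Function names and the sample scopes are constructed for this example.

```python
import posixpath


def scope_path_prefix_match_vulnerable(granted: str, requested: str) -> bool:
    """Flawed check (the CVE-2026-32716 pattern): a plain string prefix test,
    so '/john' wrongly covers '/johnathan' and '/johnny'."""
    return requested.startswith(granted)


def _normalize(path: str) -> str:
    """Canonicalise a scope path: force a leading '/', collapse '//', '.'
    and '..', and drop trailing slashes, so comparison is done on whole
    path components. Note: this does not percent-decode; decode URL-encoded
    input before calling if your transport allows it."""
    return posixpath.normpath("/" + path.lstrip("/"))


def scope_path_prefix_match(granted: str, requested: str) -> bool:
    """Hardened check: the granted path must equal the requested path or be
    one of its ancestor directories on a component boundary."""
    g = _normalize(granted)
    r = _normalize(requested)
    if g == "/":
        return True  # a root grant covers every path
    return r == g or r.startswith(g + "/")


def is_authorized(token_scopes: list[str], authz: str, path: str) -> bool:
    """Constructed scope matcher: scopes look like 'read:/john'; a scope
    with no ':' is assumed to apply to '/'. Returns True if any scope with
    the requested authz covers the requested path on a component boundary."""
    for scope in token_scopes:
        scope_authz, _, scope_path = scope.partition(":")
        if scope_authz != authz:
            continue
        if scope_path_prefix_match(scope_path or "/", path):
            return True
    return False


if __name__ == "__main__":
    # Constructed token scopes for demonstration.
    scopes = ["read:/john", "write:/john/out"]
    for p in ("/john/data.txt", "/johnathan/secret", "/john/../johnny/x"):
        print(p,
              "vulnerable:", scope_path_prefix_match_vulnerable("/john", p),
              "fixed:", is_authorized(scopes, "read", p))
```

The vulnerable function returns True for `/johnathan/secret` because the string begins with `/john`; the fixed function only returns True when the next character after the granted prefix is a path separator (or the paths are identical after normalisation), and the normalisation step also keeps `/john/../johnny` from slipping through as a `/john/` child.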
References
- github.com/advisories/GHSA-w8fp-g9rh-34jh
- github.com/scitokens/scitokens
- github.com/scitokens/scitokens/commit/7a237c0f642efb9e8c36ac564b745895cca83583
- github.com/scitokens/scitokens/releases/tag/v1.9.6
- github.com/scitokens/scitokens/security/advisories/GHSA-w8fp-g9rh-34jh
- nvd.nist.gov/vuln/detail/CVE-2026-32716