CVE-2026-32725HIGH 8.3EPSS p52.9%

CVE-2026-32725CVE-2026-32725

Description

SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass when processing path-based scopes in tokens. The library normalizes the scope path from the token before authorization and collapses ".." path components instead of rejecting them. As a result, an attacker can use parent-directory traversal in the scope claim to broaden the effective authorization beyond the intended directory. This issue has been patched in version 1.4.1.

Scoring

CVSS 3.18.3 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
EPSS0.83% probability of exploitation · percentile 52.9% · 2026-06-19T12:03:05Z
Published2026-03-31
Last modified2026-04-13

Underlying weaknesses· 1

CWE-23

References

  1. https://github.com/scitokens/scitokens-cpp/commit/7951ed809967d88c00c20de414b1ff74df8c3e08
  2. https://github.com/scitokens/scitokens-cpp/security/advisories/GHSA-rqcx-mc9w-pjxp

1

TypeTargetConfidenceTier
WeaknessRelative Path Traversalcwe-230%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-32726
CVE
CVE-2026-32714
CVE
CVE-2025-66719
CVE
CVE-2026-32193
CVE
CVE-2026-30914
CVE
CVE-2026-5422
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.