CVE-2026-32725

Published: Mar 31, 2026 Last Modified: Mar 31, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 8,3

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: low

User Interaction: none

Scope: unchanged

Confidentiality: high

Integrity: high

Availability: low

Description

AI Translation Available

SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass when processing path-based scopes in tokens. The library normalizes the scope path from the token before authorization and collapses '..' path components instead of rejecting them. As a result, an attacker can use parent-directory traversal in the scope claim to broaden the effective authorization beyond the intended directory. This issue has been patched in version 1.4.1.

Relative Path Traversal

Draft

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Integrity Confidentiality Availability

Potential Impacts:

Execute Unauthorized Code Or Commands Modify Files Or Directories Read Files Or Directories Dos: Crash, Exit, Or Restart

Applicable Platforms

Technologies: AI/ML, Not Technology-Specific, Web Based

View CWE Details

https://github.com/scitokens/scitokens-cpp/commit/7951ed809…

https://github.com/scitokens/scitokens-cpp/commit/7951ed809967d88c00c20de414b1f…

https://github.com/scitokens/scitokens-cpp/security/advisor…

https://github.com/scitokens/scitokens-cpp/security/advisories/GHSA-rqcx-mc9w-p…

CVE-2026-32725

Description

Relative Path Traversal

Common Consequences

Applicable Platforms

Iscriviti alla newsletter