Threat Feed advisory (severity: high)

SciTokens C++ Authorization Bypass Vulnerability (CVE-2026-32725)

SciTokens C++ library before 1.4.1 is vulnerable to an authorization bypass (CVE-2026-32725) due to improper path normalization, allowing attackers to escalate privileges by using parent-directory traversal in scope claims.

The SciTokens C++ library, a minimal library for creating and using SciTokens, contains an authorization bypass vulnerability (CVE-2026-32725) in versions prior to 1.4.1. The flaw lies in the library's handling of path-based scopes within tokens: it normalizes the scope path from the token before authorization, but collapses ".." path components against the preceding component instead of rejecting them. A token holder can therefore present a scope claim whose normalized path points outside the directory the token was actually granted, and the authorization check is then performed against that broader path. The vulnerability was reported on March 31, 2026 and patched in version 1.4.1. Organizations using affected versions of scitokens-cpp are at risk of privilege escalation.

Attack Chain

  1. An attacker crafts a SciToken with a malicious scope claim containing “..” sequences.
  2. The SciToken is presented to a service using scitokens-cpp for authorization.
  3. The scitokens-cpp library normalizes the scope path.
  4. Instead of rejecting the “..” sequence, the library collapses it, effectively traversing to parent directories.
  5. The authorization check is performed against the manipulated scope.
  6. Due to the altered scope, the attacker gains access to resources outside the intended directory.
  7. The attacker leverages this elevated access to perform unauthorized actions.
  8. Successful exploitation leads to privilege escalation.
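To make the normalization behaviour in the description and the attack chain concrete, the following is an added C++ example, not scitokens-cpp source: a constructed model of the collapsing normalization the advisory describes, the rejecting form a fixed library should use, and a prefix-based authorization check that shows why the difference matters. It assumes the scope's action prefix (such as `read:`) has already been stripped and only the path part is passed in.

```cpp
#include <sstream>
#include <string>
#include <vector>

// Split a scope path on '/', dropping empty segments ("/a//b/" -> {"a","b"}).
static std::vector<std::string> splitPath(const std::string &path) {
    std::vector<std::string> parts;
    std::string seg;
    for (std::istringstream in(path); std::getline(in, seg, '/');)
        if (!seg.empty()) parts.push_back(seg);
    return parts;
}

// Join components back into an absolute path; an empty list becomes "/".
static std::string joinPath(const std::vector<std::string> &parts) {
    std::string out;
    for (const auto &seg : parts) out += "/" + seg;
    return out.empty() ? "/" : out;
}

// Vulnerable behaviour as the advisory describes it (constructed model): ".." is
// collapsed against the previous component, so "/data/user/../admin" becomes "/data/admin".
std::string normalizeCollapsing(const std::string &path) {
    std::vector<std::string> out;
    for (const auto &seg : splitPath(path)) {
        if (seg == ".") continue;
        if (seg == "..") { if (!out.empty()) out.pop_back(); continue; }
        out.push_back(seg);
    }
    return joinPath(out);
}

// Hardened form: any ".." component makes the whole scope invalid; the caller denies.
bool normalizeRejecting(const std::string &path, std::string &normalized) {
    std::vector<std::string> out;
    for (const auto &seg : splitPath(path)) {
        if (seg == ".") continue;
        if (seg == "..") return false;
        out.push_back(seg);
    }
    normalized = joinPath(out);
    return true;
}

// Authorization: the requested path must equal the scope path or sit below it.
bool isAuthorized(const std::string &scopePath, const std::string &requested) {
    if (scopePath == "/") return true;
    return requested == scopePath ||
           requested.compare(0, scopePath.size() + 1, scopePath + "/") == 0;
}
```

With the collapsing variant, a token scoped to `/data/user/../admin` authorizes everything under `/data/admin`; the rejecting variant refuses the scope outright, which is the behaviour to verify after upgrading.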

Impact

Successful exploitation of CVE-2026-32725 allows attackers to bypass intended authorization controls within applications using the SciTokens C++ library. By crafting tokens with manipulated scope claims, attackers can gain unauthorized access to sensitive resources and escalate their privileges. This could lead to data breaches, system compromise, and other severe consequences. Organizations relying on scitokens-cpp for access control are vulnerable until they update to version 1.4.1.

Recommendation

  • Upgrade the scitokens-cpp library to version 1.4.1 or later to patch CVE-2026-32725.
  • Deploy the Sigma rule "Detect Suspicious SciTokens Scope" to identify potentially malicious tokens being used in your environment.
  • Implement strict input validation on any components that process SciToken claims to prevent path traversal attempts.

Detection coverage (2 rules)

Detect Suspicious SciTokens Scope (severity: high)

Detects potentially malicious SciTokens scope claims containing parent-directory traversal sequences ('..').

Type: Sigma | Tactics: privilege_escalation | Techniques: T1068 | Sources: webserver, linux

Detect SciTokens C++ Error Logs Indicating Exploitation (severity: medium)

Detects error logs from the SciTokens C++ library related to scope processing failures that might indicate exploitation attempts related to CVE-2026-32725.

Type: Sigma | Tactics: privilege_escalation | Techniques: T1068 | Sources: webserver, linux
