https://feed.craftedsignal.io/tags/cve-2026-32716/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 31 Mar 2026 03:17:16 +0000https://feed.craftedsignal.io/briefs/2026-04-scitokens-auth-bypass/Tue, 31 Mar 2026 03:17:16 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-scitokens-auth-bypass/SciTokens versions prior to 1.9.6 incorrectly validate scope paths using a prefix match, leading to an authorization bypass vulnerability where a token with access to a specific path can access sibling paths with the same prefix.<p>SciTokens is a reference library for generating and using SciTokens. Versions prior to 1.9.6 are vulnerable to an authorization bypass. The vulnerability, identified as CVE-2026-32716, stems from incorrect validation of scope paths within the Enforcer component. Instead of performing an exact match, the Enforcer uses a simple prefix match (startswith). This flaw allows a token authorized for a specific path (e.g., <code>/john</code>) to also gain unauthorized access to sibling paths sharing the same…</p> highadvisoryauthorization-bypassscitokensCVE-2026-32716