SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass when processing path-based scopes in tokens. The library normalizes the scope path from the token before authorization and collapses ".." path components instead of rejecting them. As a result, an attacker can use parent-directory traversal in the scope claim to broaden the effective authorization beyond the intended directory. This issue has been patched in version 1.4.1.
References
| Link | Resource |
|---|---|
| https://github.com/scitokens/scitokens-cpp/commit/7951ed809967d88c00c20de414b1ff74df8c3e08 | Patch |
| https://github.com/scitokens/scitokens-cpp/security/advisories/GHSA-rqcx-mc9w-pjxp | Exploit Vendor Advisory |
Configurations
History
13 Apr 2026, 17:16
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Scitokens
Scitokens scitokens Cpp Library |
|
| References | () https://github.com/scitokens/scitokens-cpp/commit/7951ed809967d88c00c20de414b1ff74df8c3e08 - Patch | |
| References | () https://github.com/scitokens/scitokens-cpp/security/advisories/GHSA-rqcx-mc9w-pjxp - Exploit, Vendor Advisory | |
| CPE | cpe:2.3:a:scitokens:scitokens_cpp_library:*:*:*:*:*:*:*:* |
31 Mar 2026, 18:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-03-31 18:16
Updated : 2026-04-13 17:16
NVD link : CVE-2026-32725
Mitre link : CVE-2026-32725
CVE.ORG link : CVE-2026-32725
JSON object : View
Products Affected
scitokens
- scitokens_cpp_library
CWE
CWE-23
Relative Path Traversal