The vulnerability CVE-2026-32725 affects the scitokens-cpp library, a minimal C/C++ implementation used to create and validate SciTokens, which are bearer tokens designed for authorization in distributed computing environments. The core issue is a relative path traversal (CWE-23) in the processing of path-based scopes embedded within tokens. Specifically, when the library receives a token with a scope claim containing path components, it attempts to normalize the path by collapsing '..' segments rather than rejecting them outright. This normalization allows an attacker to craft a scope claim that traverses up the directory hierarchy beyond the intended scope, effectively broadening the authorization granted by the token. This results in an authorization bypass, where the attacker can access resources outside the originally intended directory scope. The vulnerability requires that the attacker have some level of privilege to present tokens for authorization but does not require user interaction. The CVSS v3.1 base score is 8.3, reflecting high severity due to the network attack vector, low attack complexity, and significant impact on confidentiality and integrity, with some impact on availability. The vulnerability was publicly disclosed on March 31, 2026, and has been patched in scitokens-cpp version 1.4.1. No known exploits have been reported in the wild to date. Organizations using scitokens-cpp for authorization in distributed or cloud environments should prioritize upgrading to the patched version to prevent potential exploitation.

The primary impact of this vulnerability is unauthorized access to resources beyond the intended directory scope, leading to a breach of confidentiality and integrity. Attackers exploiting this flaw can bypass authorization controls, potentially accessing sensitive data or modifying resources they should not have permission to. This can compromise the security of distributed computing environments, scientific collaborations, or cloud services that rely on SciTokens for fine-grained access control. Although availability impact is low, the unauthorized access could lead to further exploitation or lateral movement within affected systems. Organizations worldwide that depend on scitokens-cpp for authorization are at risk of data breaches, intellectual property theft, and violation of compliance requirements if this vulnerability is exploited.

To mitigate this vulnerability, organizations should immediately upgrade scitokens-cpp to version 1.4.1 or later, where the issue has been fixed by properly rejecting scope claims containing parent-directory traversal components. Additionally, implement strict input validation and sanitization on token scope claims before processing. Employ defense-in-depth by enforcing access controls at multiple layers beyond token validation, such as filesystem permissions and network segmentation. Monitor logs for anomalous token scopes or authorization attempts that include suspicious path traversal patterns. Conduct regular security audits and penetration testing focusing on token-based authorization mechanisms. Finally, educate developers and administrators about secure token handling practices and the risks of path traversal vulnerabilities.