CVE-2026-32726 affects the scitokens-cpp library, a minimal C/C++ library used to create and validate SciTokens, which are bearer tokens designed for distributed authorization in scientific computing environments. Prior to version 1.4.1, the library's enforcer component performed scope validation by checking if the requested resource path started with the token's authorized scope path using a simple string-prefix comparison. This approach failed to consider path-segment boundaries, meaning that a token scoped to a path like '/data/project' could also authorize access to sibling paths such as '/data/projectX' or '/data/project123', which merely share the prefix but are not intended to be covered. This incorrect authorization (CWE-863) leads to an authorization bypass, allowing token holders to access resources outside their intended scope. The vulnerability has a CVSS 3.1 base score of 8.1 (high), reflecting its potential to compromise confidentiality and integrity without requiring user interaction. The flaw is exploitable remotely with low privileges, increasing its risk profile. The issue was addressed in scitokens-cpp version 1.4.1 by implementing proper path-segment boundary checks during scope validation to ensure tokens cannot authorize access beyond their designated paths.

The vulnerability allows attackers or unauthorized users holding a valid token scoped to a specific resource path to gain unauthorized access to sibling resource paths that share the same prefix. This can lead to unauthorized disclosure of sensitive data (confidentiality impact) and unauthorized modification or misuse of resources (integrity impact). Since scitokens are often used in scientific and research computing environments to control access to distributed data and services, exploitation could compromise research data confidentiality and integrity, potentially affecting collaborative projects, intellectual property, and regulatory compliance. The vulnerability does not impact availability but could undermine trust in token-based authorization mechanisms. Organizations relying on scitokens-cpp for access control may face data breaches or unauthorized data manipulation if they do not apply the patch.

1. Upgrade all instances of scitokens-cpp to version 1.4.1 or later, where the path-segment boundary validation is correctly implemented. 2. Audit existing token scopes and access control policies to identify tokens that may have been issued with overly broad or incorrect scopes due to this vulnerability. 3. Implement additional access control checks at the application or service layer to enforce strict path boundaries, especially if upgrading is delayed. 4. Monitor access logs for anomalous access patterns that could indicate exploitation attempts, such as access to sibling paths outside expected scopes. 5. Educate developers and administrators about secure token scope design and validation to prevent similar issues. 6. If feasible, employ token introspection or validation services that perform robust scope checks beyond simple prefix matching. 7. Conduct penetration testing focused on authorization bypass scenarios to validate the effectiveness of mitigations.