


Perceptive Security
SOC/SIEM Consultancy

SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.7, the Enforcer is vulnerable to a path traversal attack where an atta…
Published: 30 March 2026 at 22:00:00
Alert date: 31 March 2026 at 04:03:55
Source: nvd.nist.gov
Supply Chain & Dependencies, Identity & Access
The SciTokens reference library, in versions prior to 1.9.7, contains a path traversal vulnerability in the Enforcer component. Dot-dot (..) sequences in token scope claims can escape the intended directory restrictions because paths are not normalized before being compared with a startswith prefix check. This allows unauthorized access to files and directories outside the intended scope. The issue is patched in version 1.9.7, with the fix available through GitHub.
Technical details
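The following is an added illustration, not code from the SciTokens project or from the fix commit linked below. It contrasts the weak pattern the advisory describes (a raw startswith prefix test on an un-normalized path) with a hardened check that normalizes both sides and matches on whole path components; the scope-claim layout (space-separated authz:path entries), the function names and the sample paths are assumptions made for this example.

```python
import posixpath


def canonical(path: str) -> str:
    """Collapse '.', '..' and duplicate slashes with the path anchored at '/',
    so stacked '..' segments cannot climb above the root."""
    return posixpath.normpath(posixpath.join("/", path))


def naive_allows(scope_path: str, requested: str) -> bool:
    # Weak pattern from the advisory: raw prefix test, no normalization.
    return requested.startswith(scope_path)


def hardened_allows(scope_path: str, requested: str) -> bool:
    # Normalize both sides, then match on whole path components so that
    # '/data/alice' does not also match '/data/alice-archive'.
    scope, req = canonical(scope_path), canonical(requested)
    return scope == "/" or req == scope or req.startswith(scope + "/")


def check_scope_claim(scope_claim: str, authz: str, requested: str,
                      allows=hardened_allows) -> bool:
    """Evaluate a space-separated scope claim such as
    'read:/data/alice write:/data/alice/out' (authz:path entries, an
    assumed layout) against one requested operation on one path."""
    for entry in scope_claim.split():
        claim_authz, _, claim_path = entry.partition(":")
        if claim_authz == authz and allows(claim_path or "/", requested):
            return True
    return False


# Constructed sample token scope: read access is meant to stay under /data/alice.
SAMPLE_SCOPE = "read:/data/alice write:/data/alice/out"


def demo() -> dict:
    traversal = "/data/alice/../bob/secret.txt"   # climbs out via '..'
    sibling = "/data/alice-archive/old.txt"        # shares the prefix only
    return {
        "naive_traversal": check_scope_claim(SAMPLE_SCOPE, "read", traversal, naive_allows),
        "hardened_traversal": check_scope_claim(SAMPLE_SCOPE, "read", traversal),
        "naive_sibling": check_scope_claim(SAMPLE_SCOPE, "read", sibling, naive_allows),
        "hardened_sibling": check_scope_claim(SAMPLE_SCOPE, "read", sibling),
        "hardened_in_scope": check_scope_claim(SAMPLE_SCOPE, "read", "/data/alice/./file"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The hardened check also rejects the prefix-only sibling directory, a second weakness of bare startswith that normalization alone does not fix.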
Mitigation steps:
Affected products:
SciTokens
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-32727
https://github.com/scitokens/scitokens/commit/2d1cc9e42bc944fe0bbc429b85d166e7156d53f9
https://github.com/scitokens/scitokens/pull/230
https://github.com/scitokens/scitokens/releases/tag/v1.9.7
https://github.com/scitokens/scitokens/security/advisories/GHSA-3x2w-63fp-3qvw
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
