
5 matches found

CVE
added 2026/03/31 5:1 p.m., 9 views

CVE-2026-32726

SciTokens C++ prior to 1.4.1 contains an authorization bypass in path-based scope validation. The enforcer used a string-prefix check without requiring a path boundary, allowing a token scoped to one path to authorize sibling paths sharing a prefix. This vulnerability has a CVSS v3.1 base score o...

CVSS 8.1, AI score 5.8, EPSS 0.00272
Exploits: 1, References: 2, Affected Software: 1
Vulnrichment
added 2026/03/31 5:1 p.m., 0 views

CVE-2026-32726 SciTokens C++: Sibling-Path Authorization Bypass

SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass in path-based scope validation. The enforcer used a simple string-prefix comparison when checking whether a requested resource path was...

CVSS 8.1, AI score 5.8, EPSS 0.00272
Exploits: 1, References: 2
RedhatCVE
added 2026/03/31 7:48 a.m., 0 views

CVE-2026-32716

A flaw was found in SciTokens. The Enforcer component incorrectly validates scope paths by using a simple prefix match. This allows an attacker with a valid token for a specific path to gain unauthorized access to sibling paths that share the same prefix. This authorization bypass can lead to...

CVSS 8.1, AI score 5.8, EPSS 0.00389
Exploits: 1, References: 2
Snyk
added 2026/03/31 3:10 a.m., 2 views

Improper Authorization

Overview: scitokens is a SciToken reference implementation library. Affected versions of this package are vulnerable to Improper Authorization via the validatescp and validatescope functions. An attacker can gain unauthorized access to sibling paths by crafting tokens with scope paths that share a...

CVSS 8.6, AI score 5.9, EPSS 0.00389
Exploits: 1, References: 2
NVD
added 2024/02/01 7:15 p.m., 16 views

CVE-2024-24569

The Pixee Java Code Security Toolkit is a set of security APIs meant to help secure Java code. ZipSecurity#isBelowCurrentDirectory is vulnerable to a partial-path traversal bypass. To be vulnerable to the bypass, the application must use toolkit version =1.1.1, use ZipSecurity as a guard against...

CVSS 5.4, AI score 5.5, EPSS 0.00579
Exploits: 1, References: 3