Is scitokens affected by CVE-2026-32716?

PyPI scitokens is affected in <1.9.6.

Is CVE-2026-32716 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.4%.

high

CVE-2026-32716

Q: Is CVE-2026-32716 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.4%.

PyPI · scitokens

Summary

SciTokens has an Authorization Bypass via Incorrect Scope Path Prefix Checking

Severity: high
EPSS: 0.4% (p31)
Also known as: GHSA-w8fp-g9rh-34jh
Published: 2026-03-31

References

https://github.com/scitokens/scitokens/security/advisories/GHSA-w8fp-g9rh-34jh
https://nvd.nist.gov/vuln/detail/CVE-2026-32716
https://github.com/scitokens/scitokens/commit/7a237c0f642efb9e8c36ac564b745895cca83583

Related advisories

CVE-2026-32714 — critical · PyPI/scitokens
CVE-2026-32727 — high · PyPI/scitokens

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.