Description
Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC token endpoint does not verify that the client exchanging an authorization code is the same client the code was issued to. A malicious OIDC client operator can exchange another client's authorization code using their own client credentials, obtaining tokens for users who never authorized their application. This violates RFC 6749 Section 4.1.3. This vulnerability is fixed in 5.0.3.
Published: 2026-03-12
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Token Issuance
Action: Patch
AI Analysis

Impact

The CVE describes a flaw in Tinyauth's OIDC token endpoint where authorization codes are not bound to the client that received them, enabling a rogue OIDC client to redeem another client's code and obtain access tokens for the affected user. This results in unauthorized token issuance, effectively allowing an attacker to access protected resources without the user's consent. The weakness is a form of Missing Authorization as identified by CWE-863.
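The binding check that 5.0.3 restores, shown as an added example in Go (Tinyauth's implementation language) that is not the project's own code: a hypothetical in-memory store (CodeStore, Issue, Exchange are invented names) records the client_id each authorization code was issued to and refuses to redeem it for any other authenticated client.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)

// Hypothetical in-memory authorization-code store (added example, not Tinyauth's code).
// Each code remembers the client_id of the /authorize request that produced it.
// Single-goroutine demo: a real store needs locking or a database.
type authCode struct {
	clientID, subject string
	expiresAt         time.Time
}
type CodeStore map[string]authCode

var (
	ErrInvalidCode    = errors.New("invalid_grant: unknown, expired or already used code")
	ErrClientMismatch = errors.New("invalid_grant: code was issued to a different client")
)

// Issue mints a short-lived, unguessable code bound to the client that completed /authorize.
func (s CodeStore) Issue(clientID, subject string) (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	code := hex.EncodeToString(b)
	s[code] = authCode{clientID, subject, time.Now().Add(time.Minute)}
	return code, nil
}

// Exchange is the token endpoint's code redemption. authenticatedClientID is the
// client_id proven by the client credentials sent with this request. The pre-5.0.3
// flaw was the absence of the clientID comparison below: without it, any registered
// client could redeem a code that a user had granted to a different client.
func (s CodeStore) Exchange(code, authenticatedClientID string) (string, error) {
	c, ok := s[code]
	delete(s, code) // single use: consumed before any check, so a failed attempt burns it too
	if !ok || time.Now().After(c.expiresAt) {
		return "", ErrInvalidCode
	}
	if c.clientID != authenticatedClientID { // RFC 6749 section 4.1.3 binding check
		return "", ErrClientMismatch
	}
	return c.subject, nil
}
```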

Affected Systems

The affected product is steveiliop56:Tinyauth, in all releases prior to version 5.0.3. Consequently, any deployment using Tinyauth 5.0.2 or earlier is vulnerable; version 5.0.3 and newer contain the fix.

Risk and Exploitability

The CVSS score is 6.5, indicating medium severity. EPSS shows less than 1% probability of exploitation, and the CVE is not listed in the CISA KEV catalog. Attackers can exploit the vulnerability by sending token exchange requests to the public endpoint with a valid authorization code issued to another client. The attack vector is network-based and does not require additional privileges beyond the ability to communicate with the token endpoint.

Generated by OpenCVE AI on March 19, 2026 at 22:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Tinyauth 5.0.3 update

Advisories
Source        ID                    Title
GitHub GHSA   GHSA-xg2q-62g2-cvcm   Tinyauth's OIDC authorization codes are not bound to client on token exchange
History

Thu, 19 Mar 2026 21:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Tinyauth; Tinyauth tinyauth
CPEs                                  cpe:2.3:a:tinyauth:tinyauth:*:*:*:*:*:*:*:*
Vendors & Products                    Tinyauth; Tinyauth tinyauth

Fri, 13 Mar 2026 10:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Steveiliop56; Steveiliop56 tinyauth
Vendors & Products                    Steveiliop56; Steveiliop56 tinyauth

Thu, 12 Mar 2026 21:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 19:15:00 +0000

Type                 Values Removed   Values Added
Description                           Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC token endpoint does not verify that the client exchanging an authorization code is the same client the code was issued to. A malicious OIDC client operator can exchange another client's authorization code using their own client credentials, obtaining tokens for users who never authorized their application. This violates RFC 6749 Section 4.1.3. This vulnerability is fixed in 5.0.3.
Title                                 Tinyauth's OIDC authorization codes are not bound to client on token exchange
Weaknesses                            CWE-863
References
Metrics                               cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T20:46:29.581Z

Reserved: 2026-03-11T14:47:05.685Z

Link: CVE-2026-32245

Vulnrichment

Updated: 2026-03-12T20:43:40.642Z

NVD

Status: Analyzed

Published: 2026-03-12T19:16:19.413

Modified: 2026-03-19T20:46:39.793

Link: CVE-2026-32245

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T09:54:59Z

Weaknesses