Impact
Tinyauth versions prior to 5.0.3 have a flaw in the OIDC authorization endpoint: it returns an authorization code for a user who has entered a valid password but has not yet completed the TOTP step. An attacker who knows that password can therefore obtain OIDC tokens without the second factor. The issue is classified as CWE-287 (an authentication bypass) and can give the attacker unauthorized access to protected APIs and resources, compromising confidentiality and integrity.
Affected Systems
Affected vendor: steveiliop56; product: Tinyauth. Every release with a version lower than 5.0.3 is impacted; the CPE string cpe:2.3:a:tinyauth:tinyauth:* covers any instance of the software older than 5.0.3. When checking an installation, compare the running version against 5.0.3: anything below it falls inside the affected range.
Risk and Exploitability
The CVSS score of 8.5 indicates high severity. The EPSS score is below 1%, implying a low short-term likelihood of exploitation, and the vulnerability is not listed in CISA's KEV catalog. Based on the description, the likely attack vector is a remote, network-based request to the OIDC authorize endpoint; it requires the attacker to know a legitimate user's password but no local privileges. The exploitation chain is a single OIDC authorization request made on a session that is TOTP-pending: the server erroneously issues the authorization code, which can then be redeemed for access tokens. Because the attack does not depend on compromising the victim's device, every user who authenticates through the affected server is in scope, and having TOTP enrolled does not by itself protect an account whose password is known.
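To make the failure mode concrete, here is an added Go example (not Tinyauth's own code; the Session type, field names and function names are assumptions) that contrasts a password-only check with the check an authorize endpoint needs: a session that has passed the password step but still has TOTP pending must not receive an authorization code.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Session models server-side login state for one browser session.
// Field names are assumptions for this example, not Tinyauth's types.
type Session struct {
	User             string
	PasswordVerified bool
	TOTPEnrolled     bool // the user has a second factor configured
	TOTPVerified     bool // the second factor was completed in this session
}

var ErrNotAuthenticated = errors.New("session is not fully authenticated")

// passwordOnlyCheck is the flawed decision: it treats a password-verified
// session as authenticated even while the TOTP step is still pending.
func passwordOnlyCheck(s *Session) bool {
	return s.PasswordVerified
}

// fullyAuthenticated is the decision the authorize endpoint must make:
// the password step alone is insufficient while TOTP is enrolled but unverified.
func fullyAuthenticated(s *Session) bool {
	if !s.PasswordVerified {
		return false
	}
	if s.TOTPEnrolled && !s.TOTPVerified {
		return false // TOTP-pending: the state the flawed check accepts
	}
	return true
}

// issueAuthorizationCode mints an opaque code only for a fully authenticated
// session; a TOTP-pending session receives ErrNotAuthenticated instead.
func issueAuthorizationCode(s *Session) (string, error) {
	if !fullyAuthenticated(s) {
		return "", ErrNotAuthenticated
	}
	b := make([]byte, 16) // 128 bits of randomness, hex-encoded to 32 chars
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

func main() {
	pending := &Session{User: "alice", PasswordVerified: true, TOTPEnrolled: true}
	fmt.Println("password-only check accepts TOTP-pending session:", passwordOnlyCheck(pending))
	_, err := issueAuthorizationCode(pending)
	fmt.Println("full check refuses TOTP-pending session:", err)
}
```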