Description
Tinyauth is an authentication and authorization server. Prior to version 5.0.5, all three OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService) store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent requests. When two users initiate OAuth login for the same provider concurrently, a race condition between VerifyCode() and Userinfo() causes one user to receive a session with the other user's identity. This issue has been patched in version 5.0.5.
Published: 2026-04-02
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Session Hijacking via OAuth Race Condition
Action: Apply Patch
AI Analysis

Impact

Tinyauth’s OAuth services keep PKCE verifiers and access tokens in mutable fields on singleton instances. When two users start an OAuth flow to the same provider at the same time, a competition between the VerifyCode() and Userinfo() functions can result in one user’s session pointing to the other user’s identity. This flaw allows one authenticated user to receive and use another user’s session, potentially granting access to data or actions that the attacker should not own. The weakness is classified as a race condition (CWE‑362).

Affected Systems

The affected component is the Tinyauth authentication server. All three OAuth service implementations—GenericOAuthService, GithubOAuthService, and GoogleOAuthService—are vulnerable in releases prior to version 5.0.5 of the application. The issue was addressed and fixed in the 5.0.5 release.

Risk and Exploitability

The CVSS score of 7.7 signals a high severity. The EPSS score of less than 1 % suggests exploitation is unlikely, and the vulnerability is not present in the CISA KEV catalog. Based on the description, it is inferred that an attacker can trigger the flaw remotely by initiating two OAuth login requests for the same provider at nearly the same time, without needing special privileges or additional configuration. The attack path is straightforward and only requires control over the OAuth endpoints used by legitimate users.

Generated by OpenCVE AI on April 7, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Tinyauth to version 5.0.5 or newer.

Generated by OpenCVE AI on April 7, 2026 at 20:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-9q5m-jfc4-wc92 Tinyauth has OAuth account confusion via shared mutable state on singleton service instances
History

Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Tinyauth
Tinyauth tinyauth
CPEs cpe:2.3:a:tinyauth:tinyauth:*:*:*:*:*:*:*:*
Vendors & Products Tinyauth
Tinyauth tinyauth

Fri, 03 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Steveiliop56
Steveiliop56 tinyauth
Vendors & Products Steveiliop56
Steveiliop56 tinyauth

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Description Tinyauth is an authentication and authorization server. Prior to version 5.0.5, all three OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService) store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent requests. When two users initiate OAuth login for the same provider concurrently, a race condition between VerifyCode() and Userinfo() causes one user to receive a session with the other user's identity. This issue has been patched in version 5.0.5.
Title Tinyauth has OAuth account confusion via shared mutable state on singleton service instances
Weaknesses CWE-362
References
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N'}

Subscriptions

Steveiliop56 Tinyauth
Tinyauth Tinyauth
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T18:23:22.599Z

Reserved: 2026-03-20T18:05:11.832Z

Link: CVE-2026-33544

cve-icon Vulnrichment

Updated: 2026-04-03T18:23:17.190Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-02T15:16:39.553

Modified: 2026-04-07T12:44:36.127

Link: CVE-2026-33544

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:55:40Z

Weaknesses