Description
Tinyauth is an authentication and authorization server. Prior to version 5.0.5, all three OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService) store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent requests. When two users initiate OAuth login for the same provider concurrently, a race condition between VerifyCode() and Userinfo() causes one user to receive a session with the other user's identity. This issue has been patched in version 5.0.5.
Published: 2026-04-02
Score: 7.7 High
EPSS: n/a
KEV: No
Impact: Unauthorized session impersonation
Action: Immediate Patch
AI Analysis

Impact

Tinyauth is an authentication server that stores OAuth PKCE verifiers and access tokens in mutable fields on singleton service instances. A race condition between VerifyCode() and Userinfo() during concurrent logins can cause one user to receive the session token belonging to another user. This results in unauthorized access and session impersonation, allowing an attacker to act with another user's privileges.

Affected Systems

The vulnerability affects all versions of Tinyauth prior to release 5.0.5, including the GenericOAuthService, GithubOAuthService and GoogleOAuthService implementations. Any deployment of these services that has not been upgraded to 5.0.5 is potentially exploitable.

Risk and Exploitability

The vulnerability has a CVSS score of 7.7, indicating high severity. Although exact exploitability statistics are not available and the issue is not listed in the KEV catalog, the attack vector requires only parallel OAuth login attempts, which can be performed remotely by any authenticated or unauthenticated user. An attacker exploiting this race condition can impersonate another user or gain unauthorized access to resources, representing a significant risk to confidentiality and integrity.

Generated by OpenCVE AI on April 2, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Tinyauth to version 5.0.5 or later
  • If an upgrade is not immediately feasible, restrict concurrent OAuth login attempts or isolate service instances to mitigate the race condition

Generated by OpenCVE AI on April 2, 2026 at 16:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-9q5m-jfc4-wc92 Tinyauth has OAuth account confusion via shared mutable state on singleton service instances
History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Steveiliop56
Steveiliop56 tinyauth
Vendors & Products Steveiliop56
Steveiliop56 tinyauth

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Description Tinyauth is an authentication and authorization server. Prior to version 5.0.5, all three OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService) store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent requests. When two users initiate OAuth login for the same provider concurrently, a race condition between VerifyCode() and Userinfo() causes one user to receive a session with the other user's identity. This issue has been patched in version 5.0.5.
Title Tinyauth has OAuth account confusion via shared mutable state on singleton service instances
Weaknesses CWE-362
References
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N'}

Subscriptions

Steveiliop56 Tinyauth
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T15:00:38.450Z

Reserved: 2026-03-20T18:05:11.832Z

Link: CVE-2026-33544

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-02T15:16:39.553

Modified: 2026-04-02T15:16:39.553

Link: CVE-2026-33544

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:20:13Z

Weaknesses