CVE-2026-32245

Published: Mar 12, 2026Modified: Mar 19, 2026

6.5

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

Exploitability: 2.2 / Impact: 4.2

Source: NVD

Description

Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC token endpoint does not verify that the client exchanging an authorization code is the same client the code was issued to. A malicious OIDC client operator can exchange another client's authorization code using their own client credentials, obtaining tokens for users who never authorized their application. This violates RFC 6749 Section 4.1.3. This vulnerability is fixed in 5.0.3.

Affected (1)

Products: Tinyauth: Tinyauth

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Tinyauth Tinyauth	Up to 5.0.2

Related CWEs

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (3)

https://github.com/steveiliop56/tinyauth/commit/b2a1bfb1f532e87f205fa3afa3fc9f148c53ab89

Source: security-advisories@github.com

Patch

https://github.com/steveiliop56/tinyauth/releases/tag/v5.0.3

Source: security-advisories@github.com

Release Notes

https://github.com/steveiliop56/tinyauth/security/advisories/GHSA-xg2q-62g2-cvcm

Source: security-advisories@github.com

ExploitThird Party Advisory

Timeline

No history available yet.