← Back

CVE-2026-32246

nvd nist
Published: Mar 12, 2026Modified: Mar 19, 2026

JSON object

Loading...
7.1
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Exploitability: 2.8 / Impact: 4.2
Source: NVD

Description

Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC authorization endpoint allows users with a TOTP-pending session (password verified, TOTP not yet completed) to obtain authorization codes. An attacker who knows a user's password but not their TOTP secret can obtain valid OIDC tokens, completely bypassing the second factor. This vulnerability is fixed in 5.0.3.

Affected (1)

Products: Tinyauth: Tinyauth
Tinyauth
1 product
Tinyauth
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Tinyauth
Up to 5.0.2

Related CWEs

CWE-287
Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (1)

Source: security-advisories@github.com
ExploitThird Party Advisory

Timeline

No history available yet.