CVE-2026-33544

HIGH SEVERITY

CVSS Score & Metrics

Base Score

7.7 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N                                    

Vulnerability Description

Tinyauth is an authentication and authorization server. Prior to version 5.0.5, all three OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService) store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent requests. When two users initiate OAuth login for the same provider concurrently, a race condition between VerifyCode() and Userinfo() causes one user to receive a session with the other user's identity. This issue has been patched in version 5.0.5.

Vulnerability Details

Published Date

April 01, 2026

Last Modified

April 07, 2026

CWE ID

CWE-362

Source

GitHub

Vendor

Product

github.com/steveiliop56/tinyauth

External References

https://github.com/steveiliop56/tinyauth/security/advisories/GHSA-9q5m-jfc4-wc92
https://github.com/advisories/GHSA-9q5m-jfc4-wc92

CVE-2026-33544

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment