CVE-2026-33544 in tinyauthinfo

Zusammenfassung (Englisch)

Tinyauth is an authentication and authorization server. Prior to version 5.0.5, all three OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService) store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent requests. When two users initiate OAuth login for the same provider concurrently, a race condition between VerifyCode() and Userinfo() causes one user to receive a session with the other user's identity. This issue has been patched in version 5.0.5.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Zuständig

GitHub_M

Reservieren

20.03.2026

Veröffentlichung

02.04.2026

Status

Bestätigt

Einträge

VulDB provides additional information and datapoints for this CVE:

ID	Schwachstelle	CWE	Aus	Mas	CVE
354890	steveiliop56 tinyauth GenericOAuthService VerifyCode Race Condition	362	Nicht definiert	Offizieller Fix	CVE-2026-33544

Beschreibung

CPE

CWE

CVSS

Exploits

History

Diff

Verknüpfen

Threat Intelligence

API JSON

API XML

API CSV

Quellen

◂ ZurückÜbersichtWeiter ▸

Do you want to use VulDB in your project?

Use the official API to access entries easily!