{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33544", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T18:05:11.832Z", "datePublished": "2026-04-02T15:00:38.450Z", "dateUpdated": "2026-04-02T15:00:38.450Z"}, "containers": {"cna": {"title": "Tinyauth has OAuth account confusion via shared mutable state on singleton service instances", "problemTypes": [{"descriptions": [{"cweId": "CWE-362", "lang": "en", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/steveiliop56/tinyauth/security/advisories/GHSA-9q5m-jfc4-wc92", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/steveiliop56/tinyauth/security/advisories/GHSA-9q5m-jfc4-wc92"}, {"name": "https://github.com/steveiliop56/tinyauth/commit/f26c2171610d5c2dfbba2edb6ccd39490e349803", "tags": ["x_refsource_MISC"], "url": "https://github.com/steveiliop56/tinyauth/commit/f26c2171610d5c2dfbba2edb6ccd39490e349803"}, {"name": "https://github.com/steveiliop56/tinyauth/releases/tag/v5.0.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/steveiliop56/tinyauth/releases/tag/v5.0.5"}], "affected": [{"vendor": "steveiliop56", "product": "tinyauth", "versions": [{"version": "< 5.0.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T15:00:38.450Z"}, "descriptions": [{"lang": "en", "value": "Tinyauth is an authentication and authorization server. Prior to version 5.0.5, all three OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService) store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent requests. When two users initiate OAuth login for the same provider concurrently, a race condition between VerifyCode() and Userinfo() causes one user to receive a session with the other user's identity. This issue has been patched in version 5.0.5."}], "source": {"advisory": "GHSA-9q5m-jfc4-wc92", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Tinyauth is an authentication and authorization server. Prior to version 5.0.5, all three OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService) store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent requests. When two users initiate OAuth login for the same provider concurrently, a race condition between VerifyCode() and Userinfo() causes one user to receive a session with the other user's identity. This issue has been patched in version 5.0.5."}], "id": "CVE-2026-33544", "lastModified": "2026-04-02T15:16:39.553", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T15:16:39.553", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/steveiliop56/tinyauth/commit/f26c2171610d5c2dfbba2edb6ccd39490e349803"}, {"source": "security-advisories@github.com", "url": "https://github.com/steveiliop56/tinyauth/releases/tag/v5.0.5"}, {"source": "security-advisories@github.com", "url": "https://github.com/steveiliop56/tinyauth/security/advisories/GHSA-9q5m-jfc4-wc92"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.0.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "tinyauth", "source": "cna", "vendor": "steveiliop56"}, "product": "tinyauth", "vendor": "steveiliop56"}], "analysis": {"en": {"generated_at": "2026-04-02T16:21:24.882797+00:00", "value": {"mitigation_remediation": ["Upgrade Tinyauth to version 5.0.5 or later", "If an upgrade is not immediately feasible, restrict concurrent OAuth login attempts or isolate service instances to mitigate the race condition"], "summary": {"action": "Immediate Patch", "impact": "Unauthorized session impersonation"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all versions of Tinyauth prior to release 5.0.5, including the GenericOAuthService, GithubOAuthService and GoogleOAuthService implementations. Any deployment of these services that has not been upgraded to 5.0.5 is potentially exploitable.", "description_and_impact": "Tinyauth is an authentication server that stores OAuth PKCE verifiers and access tokens in mutable fields on singleton service instances. A race condition between VerifyCode() and Userinfo() during concurrent logins can cause one user to receive the session token belonging to another user. This results in unauthorized access and session impersonation, allowing an attacker to act with another user's privileges.", "risk_and_exploitability": "The vulnerability has a CVSS score of 7.7, indicating high severity. Although exact exploitability statistics are not available and the issue is not listed in the KEV catalog, the attack vector requires only parallel OAuth login attempts, which can be performed remotely by any authenticated or unauthenticated user. An attacker exploiting this race condition can impersonate another user or gain unauthorized access to resources, representing a significant risk to confidentiality and integrity."}}}}, "created": "2026-04-02T20:11:32.362075+00:00", "updated": "2026-04-02T20:20:13.835423+00:00", "vendors": ["steveiliop56", "steveiliop56$PRODUCT$tinyauth"]}