{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33544", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T18:05:11.832Z", "datePublished": "2026-04-02T15:00:38.450Z", "dateUpdated": "2026-04-03T18:23:22.599Z"}, "containers": {"cna": {"title": "Tinyauth has OAuth account confusion via shared mutable state on singleton service instances", "problemTypes": [{"descriptions": [{"cweId": "CWE-362", "lang": "en", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/steveiliop56/tinyauth/security/advisories/GHSA-9q5m-jfc4-wc92", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/steveiliop56/tinyauth/security/advisories/GHSA-9q5m-jfc4-wc92"}, {"name": "https://github.com/steveiliop56/tinyauth/commit/f26c2171610d5c2dfbba2edb6ccd39490e349803", "tags": ["x_refsource_MISC"], "url": "https://github.com/steveiliop56/tinyauth/commit/f26c2171610d5c2dfbba2edb6ccd39490e349803"}, {"name": "https://github.com/steveiliop56/tinyauth/releases/tag/v5.0.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/steveiliop56/tinyauth/releases/tag/v5.0.5"}], "affected": [{"vendor": "steveiliop56", "product": "tinyauth", "versions": [{"version": "< 5.0.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T15:00:38.450Z"}, "descriptions": [{"lang": "en", "value": "Tinyauth is an authentication and authorization server. Prior to version 5.0.5, all three OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService) store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent requests. When two users initiate OAuth login for the same provider concurrently, a race condition between VerifyCode() and Userinfo() causes one user to receive a session with the other user's identity. This issue has been patched in version 5.0.5."}], "source": {"advisory": "GHSA-9q5m-jfc4-wc92", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T18:23:11.795622Z", "id": "CVE-2026-33544", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T18:23:22.599Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33544", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-03T18:23:11.795622Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T18:23:17.190Z"}}], "cna": {"title": "Tinyauth has OAuth account confusion via shared mutable state on singleton service instances", "source": {"advisory": "GHSA-9q5m-jfc4-wc92", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "steveiliop56", "product": "tinyauth", "versions": [{"status": "affected", "version": "< 5.0.5"}]}], "references": [{"url": "https://github.com/steveiliop56/tinyauth/security/advisories/GHSA-9q5m-jfc4-wc92", "name": "https://github.com/steveiliop56/tinyauth/security/advisories/GHSA-9q5m-jfc4-wc92", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/steveiliop56/tinyauth/commit/f26c2171610d5c2dfbba2edb6ccd39490e349803", "name": "https://github.com/steveiliop56/tinyauth/commit/f26c2171610d5c2dfbba2edb6ccd39490e349803", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/steveiliop56/tinyauth/releases/tag/v5.0.5", "name": "https://github.com/steveiliop56/tinyauth/releases/tag/v5.0.5", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Tinyauth is an authentication and authorization server. Prior to version 5.0.5, all three OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService) store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent requests. When two users initiate OAuth login for the same provider concurrently, a race condition between VerifyCode() and Userinfo() causes one user to receive a session with the other user's identity. This issue has been patched in version 5.0.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-362", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T15:00:38.450Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33544", "state": "PUBLISHED", "dateUpdated": "2026-04-03T18:23:22.599Z", "dateReserved": "2026-03-20T18:05:11.832Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T15:00:38.450Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tinyauth:tinyauth:*:*:*:*:*:*:*:*", "matchCriteriaId": "4087737A-5C88-47C1-BD17-FFAF32802EA6", "versionEndExcluding": "5.0.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Tinyauth is an authentication and authorization server. Prior to version 5.0.5, all three OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService) store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent requests. When two users initiate OAuth login for the same provider concurrently, a race condition between VerifyCode() and Userinfo() causes one user to receive a session with the other user's identity. This issue has been patched in version 5.0.5."}], "id": "CVE-2026-33544", "lastModified": "2026-04-07T12:44:36.127", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T15:16:39.553", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/steveiliop56/tinyauth/commit/f26c2171610d5c2dfbba2edb6ccd39490e349803"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/steveiliop56/tinyauth/releases/tag/v5.0.5"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/steveiliop56/tinyauth/security/advisories/GHSA-9q5m-jfc4-wc92"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.0.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "tinyauth", "source": "cna", "vendor": "steveiliop56"}, "product": "tinyauth", "vendor": "steveiliop56"}], "analysis": {"en": {"generated_at": "2026-04-07T20:22:13.744757+00:00", "value": {"mitigation_remediation": ["Upgrade Tinyauth to version 5.0.5 or newer."], "summary": {"action": "Apply Patch", "impact": "Session Hijacking via OAuth Race Condition"}, "threat_synthesis": {"affected_systems": "The affected component is the Tinyauth authentication server. All three OAuth service implementations\u2014GenericOAuthService, GithubOAuthService, and GoogleOAuthService\u2014are vulnerable in releases prior to version 5.0.5 of the application. The issue was addressed and fixed in the 5.0.5 release.", "description_and_impact": "Tinyauth\u2019s OAuth services keep PKCE verifiers and access tokens in mutable fields on singleton instances. When two users start an OAuth flow to the same provider at the same time, a competition between the VerifyCode() and Userinfo() functions can result in one user\u2019s session pointing to the other user\u2019s identity. This flaw allows one authenticated user to receive and use another user\u2019s session, potentially granting access to data or actions that the attacker should not own. The weakness is classified as a race condition (CWE\u2011362).", "risk_and_exploitability": "The CVSS score of 7.7 signals a high severity. The EPSS score of less than 1\u202f% suggests exploitation is unlikely, and the vulnerability is not present in the CISA KEV catalog. Based on the description, it is inferred that an attacker can trigger the flaw remotely by initiating two OAuth login requests for the same provider at nearly the same time, without needing special privileges or additional configuration. The attack path is straightforward and only requires control over the OAuth endpoints used by legitimate users."}}}}, "created": "2026-04-02T20:11:32.362075+00:00", "updated": "2026-04-08T19:55:40.645773+00:00", "vendors": ["steveiliop56", "steveiliop56$PRODUCT$tinyauth"]}