Tinyauth is an authentication and authorization server. Prior to version 5.0.5, all three OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService) store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent requests. When two users initiate OAuth login for the same provider concurrently, a race condition between VerifyCode() and Userinfo() causes one user to receive a session with the other user's identity. This issue has been patched in version 5.0.5.
References
| Link | Resource |
|---|---|
| https://github.com/steveiliop56/tinyauth/commit/f26c2171610d5c2dfbba2edb6ccd39490e349803 | Patch |
| https://github.com/steveiliop56/tinyauth/releases/tag/v5.0.5 | Product Release Notes |
| https://github.com/steveiliop56/tinyauth/security/advisories/GHSA-9q5m-jfc4-wc92 | Exploit Mitigation Vendor Advisory |
Configurations
History
07 Apr 2026, 12:44
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Tinyauth tinyauth
Tinyauth |
|
| CPE | cpe:2.3:a:tinyauth:tinyauth:*:*:*:*:*:*:*:* | |
| References | () https://github.com/steveiliop56/tinyauth/commit/f26c2171610d5c2dfbba2edb6ccd39490e349803 - Patch | |
| References | () https://github.com/steveiliop56/tinyauth/releases/tag/v5.0.5 - Product, Release Notes | |
| References | () https://github.com/steveiliop56/tinyauth/security/advisories/GHSA-9q5m-jfc4-wc92 - Exploit, Mitigation, Vendor Advisory |
02 Apr 2026, 15:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-04-02 15:16
Updated : 2026-04-07 12:44
NVD link : CVE-2026-33544
Mitre link : CVE-2026-33544
CVE.ORG link : CVE-2026-33544
JSON object : View
Products Affected
tinyauth
- tinyauth
CWE
CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')