CVE-2026-32246

Published: Mar 12, 2026 Last Modified: Mar 12, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 8,5

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: low

User Interaction: none

Scope: changed

Confidentiality: low

Integrity: high

Availability: none

Description

AI Translation Available

Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC authorization endpoint allows users with a TOTP-pending session (password verified, TOTP not yet completed) to obtain authorization codes. An attacker who knows a user's password but not their TOTP secret can obtain valid OIDC tokens, completely bypassing the second factor. This vulnerability is fixed in 5.0.3.

287

Improper Authentication

Draft

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Integrity Confidentiality Availability Access Control

Potential Impacts:

Read Application Data Gain Privileges Or Assume Identity Execute Unauthorized Code Or Commands

Applicable Platforms

Technologies: ICS/OT, Not Technology-Specific, Web Based

Likelihood of Exploit: High

View CWE Details

https://github.com/steveiliop56/tinyauth/security/advisorie…

https://github.com/steveiliop56/tinyauth/security/advisories/GHSA-3q28-qjrv-qr39

CVE-2026-32246

Description

Improper Authentication

Common Consequences

Applicable Platforms

Iscriviti alla newsletter