CVE-2026-33544

Published: Apr 02, 2026 Last Modified: Apr 02, 2026
ExploitDB:
Other exploit source:
Google Dorks:
HIGH 7,7
Source: [email protected]
Attack Vector: network
Attack Complexity: high
Privileges Required: low
User Interaction: required
Scope: changed
Confidentiality: high
Integrity: high
Availability: none

Description

AI Translation Available

Tinyauth is an authentication and authorization server. Prior to version 5.0.5, all three OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService) store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent requests. When two users initiate OAuth login for the same provider concurrently, a race condition between VerifyCode() and Userinfo() causes one user to receive a session with the other user's identity. This issue has been patched in version 5.0.5.

362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Draft
Abstraction: Class Structure: Simple
Common Consequences
Security Scopes Affected:
Availability Confidentiality Integrity Access Control
Potential Impacts:
Dos: Resource Consumption (Cpu) Dos: Resource Consumption (Memory) Dos: Resource Consumption (Other) Dos: Crash, Exit, Or Restart Dos: Instability Read Files Or Directories Read Application Data Execute Unauthorized Code Or Commands Gain Privileges Or Assume Identity Bypass Protection Mechanism
Applicable Platforms
Languages: C, C++, Java
Technologies: Mobile, ICS/OT
Likelihood of Exploit: Medium
View CWE Details
https://github.com/steveiliop56/tinyauth/commit/f26c2171610…
https://github.com/steveiliop56/tinyauth/commit/f26c2171610d5c2dfbba2edb6ccd394…
https://github.com/steveiliop56/tinyauth/releases/tag/v5.0.5
https://github.com/steveiliop56/tinyauth/releases/tag/v5.0.5
https://github.com/steveiliop56/tinyauth/security/advisorie…
https://github.com/steveiliop56/tinyauth/security/advisories/GHSA-9q5m-jfc4-wc92