Description

Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC token endpoint does not verify that the client exchanging an authorization code is the same client the code was issued to. A malicious OIDC client operator can exchange another client's authorization code using their own client credentials, obtaining tokens for users who never authorized their application. This violates RFC 6749 Section 4.1.3. This vulnerability is fixed in 5.0.3.

INFO

Published Date :

2026-03-12T18:57:51.330Z

Last Modified :

2026-03-12T20:46:29.581Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-32245 vulnerability.

Vendors Products
Steveiliop56
  • Tinyauth
Tinyauth
  • Tinyauth
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-32245.

URL Resource
https://github.com/steveiliop56/tinyauth/commit/b2a1bfb1f532e87f205fa3afa3fc9f148c53ab89 cve-icon cve-icon
https://github.com/steveiliop56/tinyauth/releases/tag/v5.0.3 cve-icon cve-icon
https://github.com/steveiliop56/tinyauth/security/advisories/GHSA-xg2q-62g2-cvcm cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact