PT-2026-25055 · Tinyauth · Tinyauth

E1024X · Published 2026-03-12 · Updated 2026-03-25 · CVE-2026-32245

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Tinyauth versions prior to 5.0.3

Description: Tinyauth is an authentication and authorization server. The OIDC token endpoint does not verify that the client exchanging an authorization code is the same client to which the code was originally issued. This allows a malicious OIDC client operator to exchange another client's authorization code using their own credentials, potentially obtaining tokens for users who did not authorize their application. This violates RFC 6749 Section 4.1.3.

The issue occurs during token exchange at the /api/oidc/token endpoint, where the ClientID stored with the authorization code is not compared against the requesting client's ID (creds.ClientID). The vulnerable parameter is the code parameter in the token exchange request.

Recommendations: Update Tinyauth to version 5.0.3 or later.
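The following is an added illustration of the missing check, written for this page; it is not Tinyauth's code, and the type and function names (authCode, codeStore, clientCreds, exchangeVulnerable, exchangeFixed, tokenHandler) and the client table are constructed for the example. It shows a token endpoint that authenticates the requesting client, then redeems the code in two variants: one that only checks the code exists and is unexpired (the pattern the advisory describes), and one that also compares the ClientID stored with the code against the authenticated client's ID, as RFC 6749 Section 4.1.3 requires. The code is consumed before the comparison so a mismatch also invalidates it rather than leaving it replayable.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
	"time"
)

// authCode is the record an OIDC server keeps for an issued authorization code.
// Field names are hypothetical; they are not Tinyauth's types.
type authCode struct {
	ClientID  string // client the code was issued to
	Subject   string // end user who authorized the client
	ExpiresAt time.Time
}

// codeStore is a constructed in-memory code store for the example.
type codeStore struct {
	mu    sync.Mutex
	codes map[string]authCode
}

func newCodeStore() *codeStore { return &codeStore{codes: map[string]authCode{}} }

func (s *codeStore) issue(code string, c authCode) {
	s.mu.Lock()
	s.codes[code] = c
	s.mu.Unlock()
}

// consume looks a code up and deletes it, so every code is single use.
func (s *codeStore) consume(code string) (authCode, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	c, ok := s.codes[code]
	if ok {
		delete(s.codes, code)
	}
	return c, ok
}

// clientCreds identifies the client that authenticated to the token endpoint.
type clientCreds struct{ ClientID string }

var (
	errCodeNotFound   = errors.New("invalid_grant: unknown, used or expired code")
	errClientMismatch = errors.New("invalid_grant: code was issued to a different client")
)

// exchangeVulnerable reproduces the flaw described above: creds is never
// compared with the code's ClientID, so any authenticated client can redeem
// any live code.
func exchangeVulnerable(store *codeStore, creds clientCreds, code string) (authCode, error) {
	c, ok := store.consume(code)
	if !ok || time.Now().After(c.ExpiresAt) {
		return authCode{}, errCodeNotFound
	}
	return c, nil
}

// exchangeFixed adds the RFC 6749 4.1.3 binding check. The code has already
// been consumed, so a mismatch burns it instead of leaving it replayable.
func exchangeFixed(store *codeStore, creds clientCreds, code string) (authCode, error) {
	c, ok := store.consume(code)
	if !ok || time.Now().After(c.ExpiresAt) {
		return authCode{}, errCodeNotFound
	}
	if c.ClientID != creds.ClientID {
		return authCode{}, errClientMismatch
	}
	return c, nil
}

// tokenHandler wires exchangeFixed to a token endpoint. Client authentication
// is simplified to HTTP Basic against a constructed client_id -> secret table.
func tokenHandler(store *codeStore, secrets map[string]string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		id, secret, ok := r.BasicAuth()
		if !ok || secrets[id] == "" || secrets[id] != secret {
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
			return
		}
		if r.FormValue("grant_type") != "authorization_code" {
			http.Error(w, `{"error":"unsupported_grant_type"}`, http.StatusBadRequest)
			return
		}
		c, err := exchangeFixed(store, clientCreds{ClientID: id}, r.FormValue("code"))
		if err != nil {
			http.Error(w, `{"error":"invalid_grant"}`, http.StatusBadRequest)
			return
		}
		fmt.Fprintf(w, `{"access_token":"token-for-%s","token_type":"Bearer"}`, c.Subject)
	}
}

func main() {
	store := newCodeStore()
	exp := time.Now().Add(time.Minute)
	// Constructed scenario: alice authorized client "app-a"; "app-b" holds its
	// own valid credentials and presents app-a's code.
	store.issue("code-1", authCode{ClientID: "app-a", Subject: "alice", ExpiresAt: exp})
	_, err := exchangeVulnerable(store, clientCreds{ClientID: "app-b"}, "code-1")
	fmt.Println("vulnerable check:", err) // <nil>: app-b obtains alice's token

	store.issue("code-2", authCode{ClientID: "app-a", Subject: "alice", ExpiresAt: exp})
	_, err = exchangeFixed(store, clientCreds{ClientID: "app-b"}, "code-2")
	fmt.Println("fixed check:", err) // invalid_grant: code was issued to a different client

	// Same mismatch through the HTTP endpoint.
	srv := httptest.NewServer(tokenHandler(store, map[string]string{"app-a": "secret-a", "app-b": "secret-b"}))
	defer srv.Close()
	store.issue("code-3", authCode{ClientID: "app-a", Subject: "alice", ExpiresAt: exp})
	form := url.Values{"grant_type": {"authorization_code"}, "code": {"code-3"}}
	req, _ := http.NewRequest(http.MethodPost, srv.URL, strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth("app-b", "secret-b")
	if resp, err := http.DefaultClient.Do(req); err == nil {
		fmt.Println("endpoint status for app-b:", resp.StatusCode) // 400
		resp.Body.Close()
	}
}
```

The detection angle for operators follows from the same comparison: a token request whose authenticated client_id differs from the client the code was issued to is the event worth logging and alerting on, and it is exactly what the fixed path rejects.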


Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2026-32245
GHSA-XG2Q-62G2-CVCM
GO-2026-4689
SUSE-SU-2026:1042-1

Affected Products

Tinyauth