PT-2026-25056 · Tinyauth · Tinyauth
E1024X · Published 2026-03-12 · Updated 2026-03-25 · CVE-2026-32246
CVSS v3.1: 8.5 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Tinyauth versions prior to 5.0.3
Description
Tinyauth is an authentication and authorization server. The OIDC authorization endpoint allows users with a TOTP-pending session (password verified, TOTP not yet completed) to obtain authorization codes. An attacker who knows a user's password but not their TOTP secret can obtain valid OIDC tokens, completely bypassing the second factor. The issue occurs because the OIDC authorize handler does not check whether a user is fully logged in or whether TOTP is still pending, unlike the proxy controller, which correctly blocks incomplete sessions. Specifically, the handler proceeds to issue an authorization code using the username from the incomplete session. This allows an attacker to exchange the code for tokens, gaining access without completing TOTP authentication. The vulnerability affects all downstream applications that rely on Tinyauth's OIDC provider for authentication.
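The missing gate, as an added illustration that is not Tinyauth's own code: a hypothetical Session type and two authorize handlers, the first reproducing the flaw (a code is issued from any session that carries a username) and the second applying the same "password verified and TOTP complete" check the proxy controller already enforces, shared through one helper so the two controllers cannot drift apart again.

```go
package main

import (
	"errors"
	"fmt"
)

// Session is a hypothetical model of the server-side login state;
// field names are assumptions for this example, not Tinyauth's types.
type Session struct {
	Username    string
	LoggedIn    bool // password has been verified
	TotpPending bool // second factor still outstanding
}

var ErrNotAuthenticated = errors.New("session is not fully authenticated")

// isFullyAuthenticated is the single gate both the proxy controller and
// the OIDC authorize handler should consult before trusting s.Username.
func isFullyAuthenticated(s Session) bool {
	return s.LoggedIn && !s.TotpPending
}

// vulnerableAuthorize mirrors the defect described in the advisory:
// it only asks whether the session names a user, never whether TOTP is done.
func vulnerableAuthorize(s Session) (string, error) {
	if s.Username == "" {
		return "", ErrNotAuthenticated
	}
	return issueCode(s.Username), nil
}

// fixedAuthorize refuses to mint an authorization code until both factors
// have been completed, exactly as the proxy path already does.
func fixedAuthorize(s Session) (string, error) {
	if !isFullyAuthenticated(s) {
		return "", ErrNotAuthenticated
	}
	return issueCode(s.Username), nil
}

// issueCode stands in for real authorization-code generation (constructed stub).
func issueCode(user string) string {
	return "code-for-" + user
}

func main() {
	pending := Session{Username: "alice", LoggedIn: true, TotpPending: true}
	c, err := vulnerableAuthorize(pending)
	fmt.Println("vulnerable handler:", c, err) // issues a code despite pending TOTP
	_, err = fixedAuthorize(pending)
	fmt.Println("fixed handler:", err) // refuses until TOTP is completed
}
```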
Recommendations
Update Tinyauth to version 5.0.3 or later.
Weakness Enumeration: Improper Authentication
Affected Products: Tinyauth