PT-2026-29659 · Tinyauth · Tinyauth

Kq5Y · Published 2026-04-01 · Updated 2026-04-02 · CVE-2026-33544

CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Tinyauth versions prior to 5.0.5

Description: Tinyauth is an authentication and authorization server. The GenericOAuthService, GithubOAuthService, and GoogleOAuthService implementations store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across concurrent requests. A race condition between VerifyCode() and Userinfo() allows one user to receive a session with another user's identity when two users initiate OAuth login for the same provider concurrently.

The OAuthBrokerService.GetService() function returns a single shared instance per provider for every request, and the OAuth flow stores intermediate state as struct fields on this singleton; specifically, the token and verifier fields are shared mutable fields. In the callback handler, VerifyCode() stores the token on the singleton, and a subsequent call to GetUser() reads the token back from the singleton. Between these two calls, a concurrent request's VerifyCode() can overwrite the token field, causing GetUser() and Userinfo() to fetch the wrong user's identity claims. The same overwrite of the PKCE verifier field also causes a denial of service, as affected logins fail.

Recommendations: Update Tinyauth to version 5.0.5 or later.
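The shared-field pattern the description refers to, reduced to a self-contained Go model as an added example (hypothetical types, not Tinyauth's own code): SharedService keeps the token in a struct field the way the affected versions do, PerRequestService hands it back to the caller instead, and both are run through the interleaving described above. The token strings and the token-to-user map are constructed for the example; the PKCE verifier field has the same shape and is omitted for brevity.

```go
package main

import "fmt"

// userForToken stands in for the provider's userinfo endpoint; the
// token-to-user mapping is constructed for this example.
func userForToken(tok string) string {
	return map[string]string{"tok-alice": "alice", "tok-bob": "bob"}[tok]
}

// SharedService models the singleton from the advisory: the token is a
// mutable field shared by every request that uses this provider.
type SharedService struct {
	token string
}

func (s *SharedService) VerifyCode(code string) { s.token = "tok-" + code }
func (s *SharedService) GetUser() string        { return userForToken(s.token) }

// PerRequestService is the hardened shape: VerifyCode returns the token to
// the caller, so each request carries its own state and nothing is stored on the singleton.
type PerRequestService struct{}

func (PerRequestService) VerifyCode(code string) string { return "tok-" + code }
func (PerRequestService) GetUser(tok string) string     { return userForToken(tok) }

// LoginShared replays the interleaving the advisory describes: user A's
// VerifyCode runs, user B's VerifyCode lands on the same singleton, then A's
// handler calls GetUser. It returns the identity A's session would be issued with.
func LoginShared(svc *SharedService, codeA, codeB string) string {
	svc.VerifyCode(codeA)
	svc.VerifyCode(codeB) // concurrent request B overwrites the shared field
	return svc.GetUser()
}

// LoginPerRequest is the same interleaving against the hardened service.
func LoginPerRequest(svc PerRequestService, codeA, codeB string) string {
	tokA := svc.VerifyCode(codeA)
	_ = svc.VerifyCode(codeB) // B's token stays in B's request, not on the struct
	return svc.GetUser(tokA)
}

func main() {
	fmt.Println("shared singleton, A's session:", LoginShared(&SharedService{}, "alice", "bob"))
	fmt.Println("per-request state, A's session:", LoginPerRequest(PerRequestService{}, "alice", "bob"))
}
```

Running the real handlers under Go's race detector (go test -race) flags the concurrent write to the shared field, which is the practical way to catch this class of bug before it ships.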

Fix

Race Condition

Weakness Enumeration

Related Identifiers

CVE-2026-33544
GHSA-9Q5M-JFC4-WC92

Affected Products

Tinyauth