CVE-2026-32245
📋 TL;DR
This vulnerability allows the operator of a malicious OIDC client to redeem authorization codes that were issued to other clients, obtaining access tokens for users who never authorized their application. It affects all Tinyauth servers running versions prior to 5.0.3 that use OIDC authentication. An attacker can impersonate those users and access protected resources without proper authorization.
💻 Affected Systems
- Tinyauth
📦 What is this software?
Tinyauth (maintained by steveiliop56 on GitHub, linked in the advisory below) is a lightweight authentication middleware for reverse proxies. The affected component is its OIDC provider, which issues authorization codes and access tokens to registered client applications.
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain unauthorized access to user accounts and sensitive data across multiple applications, potentially leading to data breaches, account takeover, and privilege escalation.
Likely Case
Malicious OIDC clients steal user tokens to access protected resources in applications they shouldn't have access to, compromising user privacy and application security.
If Mitigated
If the token endpoint is reachable only from trusted clients, impact is limited to those applications, but the missing binding between an authorization code and the client it was issued to remains a serious authentication bypass until the patch is applied.
🎯 Exploit Status
Exploitation requires the attacker to operate a registered OIDC client, to obtain an authorization code that was issued to a different client, and to reach the Tinyauth token endpoint over the network. Because the vulnerable server does not verify that the client redeeming a code is the client the code was issued to, the attacker's client receives a valid access token for the user who authorized the other application.
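The missing check, shown side by side with the hardened form, as an added illustration that is not Tinyauth's code: a constructed minimal authorization server in Go that issues codes bound to a client and then redeems them. `ExchangeVulnerable` authenticates the caller but never compares the caller's `client_id` with the one recorded at issue time, which is the class of defect described above; `ExchangeHardened` adds the binding and redirect_uri checks required by RFC 6749 §4.1.3. All names (`trusted-app`, `evil-app`, the in-memory code store) are assumptions for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Errors mirror the OAuth 2.0 token-endpoint error codes (RFC 6749 §5.2).
var (
	ErrInvalidClient = errors.New("invalid_client")
	ErrInvalidGrant  = errors.New("invalid_grant")
)

// Token is what the token endpoint hands back: Audience is the client the token
// was minted for, Subject the end user who authorized the request.
type Token struct {
	Subject  string
	Audience string
	Value    string
}

// issuedCode is the server-side record for one authorization code (constructed
// in-memory store; a real provider persists this).
type issuedCode struct {
	ClientID    string // client that started the authorization request
	RedirectURI string // redirect_uri used in that request
	Subject     string // user who logged in and consented
	ExpiresAt   time.Time
	Used        bool
}

// Provider is a constructed, minimal OIDC/OAuth 2.0 authorization server.
type Provider struct {
	clients map[string]string // client_id -> client_secret
	codes   map[string]*issuedCode
	now     func() time.Time
}

func NewProvider(now func() time.Time) *Provider {
	return &Provider{clients: map[string]string{}, codes: map[string]*issuedCode{}, now: now}
}

func (p *Provider) RegisterClient(id, secret string) { p.clients[id] = secret }

// IssueCode is the tail of the authorization endpoint: a short-lived, single-use
// code is minted and bound to the client that made the authorization request.
func (p *Provider) IssueCode(clientID, redirectURI, subject string) string {
	code := randomHex(16)
	p.codes[code] = &issuedCode{ClientID: clientID, RedirectURI: redirectURI, Subject: subject, ExpiresAt: p.now().Add(10 * time.Minute)}
	return code
}

// authenticate checks client_id/client_secret in constant time.
func (p *Provider) authenticate(clientID, secret string) error {
	want, ok := p.clients[clientID]
	if !ok || subtle.ConstantTimeCompare([]byte(want), []byte(secret)) != 1 {
		return ErrInvalidClient
	}
	return nil
}

// ExchangeVulnerable authenticates the caller and checks that the code is real,
// unused and unexpired, but never compares the caller's client_id with the
// client the code was issued to (redirect_uri is ignored as well). Any
// registered client holding someone else's code can therefore redeem it.
func (p *Provider) ExchangeVulnerable(clientID, secret, code, _ string) (*Token, error) {
	if err := p.authenticate(clientID, secret); err != nil {
		return nil, err
	}
	rec, ok := p.codes[code]
	if !ok || rec.Used || p.now().After(rec.ExpiresAt) {
		return nil, ErrInvalidGrant
	}
	rec.Used = true
	return &Token{Subject: rec.Subject, Audience: clientID, Value: randomHex(16)}, nil
}

// ExchangeHardened adds the binding checks: the code must have been issued to
// the authenticated client and redirect_uri must match the authorization
// request. A code presented by the wrong client is consumed so the attempt
// cannot be retried (a design choice for this example).
func (p *Provider) ExchangeHardened(clientID, secret, code, redirectURI string) (*Token, error) {
	if err := p.authenticate(clientID, secret); err != nil {
		return nil, err
	}
	rec, ok := p.codes[code]
	if !ok || rec.Used || p.now().After(rec.ExpiresAt) {
		return nil, ErrInvalidGrant
	}
	rec.Used = true
	if rec.ClientID != clientID || rec.RedirectURI != redirectURI {
		return nil, ErrInvalidGrant
	}
	return &Token{Subject: rec.Subject, Audience: clientID, Value: randomHex(16)}, nil
}

func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

func main() {
	p := NewProvider(time.Now)
	p.RegisterClient("trusted-app", "trusted-secret")
	p.RegisterClient("evil-app", "evil-secret")

	// alice authorizes trusted-app; the operator of evil-app has obtained the code.
	code := p.IssueCode("trusted-app", "https://trusted.example/callback", "alice")
	if tok, err := p.ExchangeVulnerable("evil-app", "evil-secret", code, "https://evil.example/callback"); err == nil {
		fmt.Printf("vulnerable: evil-app got a token for sub=%s aud=%s\n", tok.Subject, tok.Audience)
	}
	code = p.IssueCode("trusted-app", "https://trusted.example/callback", "alice")
	if _, err := p.ExchangeHardened("evil-app", "evil-secret", code, "https://evil.example/callback"); err != nil {
		fmt.Println("hardened: evil-app rejected with", err)
	}
}
```

Note that the vulnerable path is not "unauthenticated": the attacker's client presents its own valid credentials, so client authentication alone does not stop this. The check that matters is the comparison of the authenticated `client_id` against the one stored with the code.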
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.0.3
Vendor Advisory: https://github.com/steveiliop56/tinyauth/security/advisories/GHSA-xg2q-62g2-cvcm
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Download Tinyauth 5.0.3 from GitHub releases (or pull the 5.0.3 tag of the container image if you run it that way).
3. Stop the Tinyauth service.
4. Replace the binary or image with the patched version.
5. Restart the Tinyauth service.
6. Verify functionality (see "How to Verify" below).
🔧 Temporary Workarounds
Disable OIDC endpoint
Temporarily disable OIDC authentication if it is not required:
- Edit the Tinyauth config to remove the OIDC provider settings
- Restart the Tinyauth service
Network isolation
Restrict the OIDC token endpoint to trusted clients only:
- At the reverse proxy in front of Tinyauth (path-based rules cannot be expressed in a plain firewall), allow requests to the token endpoint (/oauth/token, as listed on this page) only from the source addresses of trusted clients
- Back this with firewall IP allowlisting for the OIDC clients where their addresses are static
- Caveat: this limits who can reach the endpoint but does not restore the missing code-to-client binding; a trusted client that is compromised can still redeem codes issued to other clients
🧯 If You Can't Patch
- At each relying application, check that the token's audience (the `aud` claim of the ID token, or the client the access token was introspected for) is the application's own client ID and reject tokens minted for other clients; this limits where a misused token can be used, but does not stop the malicious client from learning the identity of the user whose code it redeemed
- Monitor authorization code exchanges for codes redeemed by a client other than the one they were issued to, and rate-limit the token endpoint per client and per source address
🔍 How to Verify
Check if Vulnerable:
Check the Tinyauth version: if it is lower than 5.0.3 and the OIDC provider is enabled, the system is vulnerable
Check Version:
tinyauth --version
Verify Fix Applied:
Confirm the running version reports 5.0.3 or later, then test with two registered clients: obtain an authorization code through client A and attempt to redeem it at the token endpoint with client B's credentials. A patched server must answer with an `invalid_grant` error and must not issue a token; repeating the exchange with client A's own credentials and redirect_uri must still succeed.
📡 Detection & Monitoring
Log Indicators:
- Multiple authorization code exchanges from the same source IP on behalf of different client IDs
- Authorization codes redeemed by a client other than the one they were issued to (requires correlating the token request with the original authorization request)
- Unusual token issuance patterns, such as tokens for many distinct users being issued to one client in a short period
Network Indicators:
- HTTP POST requests to the /oauth/token endpoint whose client_id differs from the client the authorization code was issued to (only visible when correlated with the preceding authorization request)
- High volume of token requests from a single source
SIEM Query (Splunk-style pseudo-query; set `threshold` from a baseline of normal exchanges per client and source in your deployment):
source="tinyauth" AND (message="token exchange" OR message="authorization_code") | stats count by client_id, src_ip | where count > threshold
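The two log indicators above, implemented as correlation logic over constructed log lines (an added example, not Tinyauth's code; the key=value layout and field names `event`, `client_id`, `code_hash`, `src_ip`, `sub` are assumptions for the example and must be mapped onto whatever your deployment actually logs). Codes appear only as a hash so the log never carries a live code. `Analyze` pairs each `code_exchanged` event with the matching `code_issued` event and flags a redemption by a different client; `FlagIPs` reports source addresses that exchanged codes for more than a given number of distinct clients.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// SampleLog is constructed for this example: one benign client (trusted-app),
// a wiki client, and an attacker operating evil-app and evil-app-2 from
// 203.0.113.9 who redeems codes issued to the other two clients.
var SampleLog = []string{
	"ts=2026-03-10T12:00:01Z event=code_issued client_id=trusted-app code_hash=c1 sub=alice",
	"ts=2026-03-10T12:00:02Z event=code_exchanged client_id=trusted-app code_hash=c1 src_ip=198.51.100.10",
	"ts=2026-03-10T12:01:00Z event=code_issued client_id=trusted-app code_hash=c2 sub=bob",
	"ts=2026-03-10T12:01:03Z event=code_exchanged client_id=evil-app code_hash=c2 src_ip=203.0.113.9",
	"ts=2026-03-10T12:02:00Z event=code_issued client_id=wiki code_hash=c3 sub=carol",
	"ts=2026-03-10T12:02:04Z event=code_exchanged client_id=evil-app code_hash=c3 src_ip=203.0.113.9",
	"ts=2026-03-10T12:03:00Z event=code_issued client_id=evil-app code_hash=c4 sub=dave",
	"ts=2026-03-10T12:03:01Z event=code_exchanged client_id=evil-app code_hash=c4 src_ip=203.0.113.9",
	"ts=2026-03-10T12:04:00Z event=code_issued client_id=wiki code_hash=c5 sub=erin",
	"ts=2026-03-10T12:04:02Z event=code_exchanged client_id=evil-app-2 code_hash=c5 src_ip=203.0.113.9",
}

// Event is one parsed log line.
type Event struct {
	Time     time.Time
	Kind     string // code_issued | code_exchanged
	ClientID string
	CodeHash string
	SrcIP    string
	Subject  string
}

func parseLine(line string) (Event, error) {
	var ev Event
	for _, f := range strings.Fields(line) {
		k, v, ok := strings.Cut(f, "=")
		if !ok {
			return ev, fmt.Errorf("malformed field %q", f)
		}
		switch k {
		case "ts":
			t, err := time.Parse(time.RFC3339, v)
			if err != nil {
				return ev, err
			}
			ev.Time = t
		case "event":
			ev.Kind = v
		case "client_id":
			ev.ClientID = v
		case "code_hash":
			ev.CodeHash = v
		case "src_ip":
			ev.SrcIP = v
		case "sub":
			ev.Subject = v
		}
	}
	if ev.Kind == "" {
		return ev, fmt.Errorf("missing event field in %q", line)
	}
	return ev, nil
}

// Mismatch is a code redeemed by a client other than the one it was issued to.
type Mismatch struct {
	CodeHash, IssuedTo, RedeemedBy, SrcIP, Subject string
}

type Findings struct {
	Mismatches     []Mismatch
	ClientsPerIP   map[string][]string // src_ip -> distinct client_ids seen exchanging
	ExchangesPerIP map[string]int      // src_ip -> number of exchanges
}

// Analyze correlates exchanges with issuances by code hash. Exchanges for codes
// that were never issued are counted per IP but not flagged here, since the
// provider itself rejects them.
func Analyze(lines []string) (Findings, error) {
	f := Findings{ClientsPerIP: map[string][]string{}, ExchangesPerIP: map[string]int{}}
	issued := map[string]Event{}
	seen := map[string]map[string]bool{}
	for _, line := range lines {
		ev, err := parseLine(line)
		if err != nil {
			return f, err
		}
		switch ev.Kind {
		case "code_issued":
			issued[ev.CodeHash] = ev
		case "code_exchanged":
			f.ExchangesPerIP[ev.SrcIP]++
			if seen[ev.SrcIP] == nil {
				seen[ev.SrcIP] = map[string]bool{}
			}
			if !seen[ev.SrcIP][ev.ClientID] {
				seen[ev.SrcIP][ev.ClientID] = true
				f.ClientsPerIP[ev.SrcIP] = append(f.ClientsPerIP[ev.SrcIP], ev.ClientID)
			}
			if orig, ok := issued[ev.CodeHash]; ok && orig.ClientID != ev.ClientID {
				f.Mismatches = append(f.Mismatches, Mismatch{
					CodeHash: ev.CodeHash, IssuedTo: orig.ClientID, RedeemedBy: ev.ClientID,
					SrcIP: ev.SrcIP, Subject: orig.Subject,
				})
			}
		}
	}
	return f, nil
}

// FlagIPs returns, sorted, the source addresses that exchanged codes on behalf
// of more than maxClients distinct client_ids.
func FlagIPs(f Findings, maxClients int) []string {
	var out []string
	for ip, clients := range f.ClientsPerIP {
		if len(clients) > maxClients {
			out = append(out, ip)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	f, err := Analyze(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, m := range f.Mismatches {
		fmt.Printf("code %s issued to %s (sub=%s) redeemed by %s from %s\n", m.CodeHash, m.IssuedTo, m.Subject, m.RedeemedBy, m.SrcIP)
	}
	fmt.Println("sources exchanging for more than one client:", FlagIPs(f, 1))
}
```

The mismatch rule is the high-fidelity one: a code redeemed by a different client than it was issued to is exactly the condition the patched server rejects, so on a pre-5.0.3 server every hit is a successful exploitation, not a heuristic. The per-IP client count is noisier (shared egress addresses, a legitimate operator running several clients) and should be tuned against a baseline before alerting.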