CVE-2026-32246
📋 TL;DR
This vulnerability allows an attacker who knows a user's password but not their TOTP secret to bypass multi-factor authentication in Tinyauth. After the password step succeeds, the session sits in a TOTP-pending state until the one-time code is supplied; the OIDC authorization endpoint did not check for that state, so a request to it from a TOTP-pending session was treated as fully authenticated and returned a valid authorization code, which could then be exchanged for OIDC tokens. Every deployment below 5.0.3 that uses TOTP MFA together with the OIDC provider is affected.
💻 Affected Systems
- Tinyauth
📦 What is this software?
Tinyauth by Tinyauth. Tinyauth is a lightweight authentication middleware for reverse proxies that can also act as an OIDC provider; the OIDC provider's authorization endpoint is the affected component.
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover for any user where the attacker knows the password, allowing unauthorized access to all connected applications using Tinyauth for authentication.
Likely Case
Targeted attacks against high-value accounts where passwords are compromised through phishing or credential stuffing, leading to unauthorized access to sensitive systems.
If Mitigated
Limited impact if strong password policies, account lockouts, and monitoring are in place, though MFA bypass still represents a significant security failure.
🎯 Exploit Status
Exploitation requires a valid user password but not the TOTP secret. Once the password is known, the attack is a single extra step: complete the password login, then, instead of entering a TOTP code, send an ordinary OIDC authorization request for a registered client and collect the code from the redirect. No timing window or race is involved.
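To make the bug class concrete, here is an added illustrative example (written for this page; it is not Tinyauth's code, and the session fields, cookie name and handler shape are this example's own assumptions). It models an /oidc/authorize handler two ways: the vulnerable form checks only that a session exists, the hardened form also refuses while TOTP is pending. The probe plays the password-only attacker and reports whether a code came back in the redirect.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// Session models what a TOTP-enabled login leaves behind after the
// password step. Field names are this example's assumption, not Tinyauth's.
type Session struct {
	Username    string
	TotpPending bool // true between password success and TOTP success
}

// sessions is a constructed in-memory store keyed by session cookie value.
var sessions = map[string]*Session{}

// newCode issues a random opaque authorization code.
func newCode() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// lookup resolves the session cookie; nil means no session at all.
func lookup(r *http.Request) *Session {
	c, err := r.Cookie("session")
	if err != nil {
		return nil
	}
	return sessions[c.Value]
}

// authorizeHandler builds an /oidc/authorize handler. requireTotp=false
// reproduces the bug class: a session still waiting for its TOTP code is
// treated as fully authenticated and receives an authorization code.
func authorizeHandler(requireTotp bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		sess := lookup(r)
		if sess == nil {
			http.Error(w, "login required", http.StatusUnauthorized)
			return
		}
		if requireTotp && sess.TotpPending {
			// Hardened path: the second factor is not done yet, so no code.
			http.Error(w, "totp required", http.StatusUnauthorized)
			return
		}
		redirect, err := url.Parse(r.URL.Query().Get("redirect_uri"))
		if err != nil || redirect.String() == "" {
			http.Error(w, "bad redirect_uri", http.StatusBadRequest)
			return
		}
		q := redirect.Query()
		q.Set("code", newCode())
		q.Set("state", r.URL.Query().Get("state"))
		redirect.RawQuery = q.Encode()
		http.Redirect(w, r, redirect.String(), http.StatusFound)
	}
}

// probe acts as an attacker who passed the password step only (session is
// TOTP-pending) and returns true if the handler hands out an auth code.
func probe(handler http.HandlerFunc) bool {
	sessions["attacker-cookie"] = &Session{Username: "victim", TotpPending: true}
	req := httptest.NewRequest("GET",
		"/oidc/authorize?response_type=code&client_id=app&state=xyz&redirect_uri=https%3A%2F%2Fapp.example%2Fcb", nil)
	req.AddCookie(&http.Cookie{Name: "session", Value: "attacker-cookie"})
	rec := httptest.NewRecorder()
	handler(rec, req)
	if rec.Code != http.StatusFound {
		return false
	}
	loc, err := url.Parse(rec.Header().Get("Location"))
	return err == nil && loc.Query().Get("code") != ""
}

func main() {
	fmt.Println("vulnerable handler issues code to TOTP-pending session:", probe(authorizeHandler(false)))
	fmt.Println("hardened handler issues code to TOTP-pending session:  ", probe(authorizeHandler(true)))
}
```

The point of the hardened branch is that "logged in" and "finished all required factors" are different predicates; any endpoint that mints credentials (authorization codes, tokens, session upgrades) has to check the second one, not just the first.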
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.0.3
Vendor Advisory: https://github.com/steveiliop56/tinyauth/security/advisories/GHSA-3q28-qjrv-qr39
Restart Required: Yes
Instructions:
1. Back up your Tinyauth configuration and database.
2. Stop the Tinyauth service.
3. Update to version 5.0.3 by pulling the 5.0.3 image or downloading the 5.0.3 release from the official repository.
4. Restart the Tinyauth service.
5. Verify the update was successful (see How to Verify below).
🔧 Temporary Workarounds
Disable OIDC endpoint temporarily
Temporarily disable the OIDC provider until patching can be completed. This is the only workaround that actually closes the bypass, at the cost of breaking every application that authenticates through Tinyauth's OIDC provider. The setting names below are placeholders, not documented Tinyauth keys; check the Tinyauth documentation for how OIDC is enabled in your deployment.
# Edit Tinyauth configuration to disable OIDC
# Placeholder key, confirm the real option name in the docs: 'oidc.enabled = false'
Enforce session timeout for TOTP-pending states
Configure a very short timeout for sessions in the TOTP-pending state. Note that this only narrows the window: an attacker who has just passed the password step can call the authorization endpoint immediately, so a short timeout does not by itself prevent the bypass. The setting name below is a placeholder, not a documented Tinyauth key.
# Placeholder key, confirm the real option name in the docs: 'totp.pending_timeout = 60' (seconds)
🧯 If You Can't Patch
- Implement network-level controls to restrict access to the OIDC endpoint to trusted IP ranges only. Remember that browsers of legitimate users, not just the OIDC client applications, must still reach the authorization endpoint, so this is only practical for internal deployments.
- Enable enhanced logging and monitoring for authentication attempts, particularly focusing on TOTP-pending state transitions.
🔍 How to Verify
Check if Vulnerable:
You are vulnerable if your Tinyauth version is below 5.0.3 and both TOTP MFA and the OIDC provider are enabled. Deployments that use TOTP but not OIDC, or OIDC but no TOTP, do not expose this particular bypass.
Check Version:
tinyauth --version
Verify Fix Applied:
After updating to 5.0.3, test the flow as the attacker would: log in with a valid password only (do not submit the TOTP code), then request /oidc/authorize for a registered client. The server must refuse the request or send you back to the TOTP step; no redirect may carry a code parameter. Only a session that has completed TOTP should receive an authorization code.
📡 Detection & Monitoring
Log Indicators:
- Multiple authentication attempts from the same IP with a successful password step but failed or absent TOTP
- OIDC authorization codes issued to sessions in the TOTP-pending state (the direct indicator of exploitation)
- Unusual patterns of OIDC token requests, especially token exchanges for users who never completed TOTP
Network Indicators:
- Unusual volume of requests to /oidc/authorize endpoint
- Requests to OIDC endpoint followed by immediate token requests without TOTP completion
SIEM Query (field names are illustrative; map them to whatever your Tinyauth log schema actually emits):
source="tinyauth" AND (event="oidc_authorize" AND status="success" AND totp_state="pending")
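As an added example of running the two log indicators above over actual lines, the Go program below (written for this page, not part of Tinyauth) parses JSON log events and raises a finding for any OIDC authorization that succeeded while TOTP was pending, plus a finding when one IP passes the password step and then fails TOTP repeatedly. The log lines are constructed for the example, and the field names (ip, user, event, status, totp_state) are an assumption that you would remap to your real log schema.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// Event is the shape this example assumes for one JSON log line. The field
// names are an assumption; adjust the struct tags to your real log schema.
type Event struct {
	TS        string `json:"ts"`
	IP        string `json:"ip"`
	User      string `json:"user"`
	Event     string `json:"event"`      // login, totp, oidc_authorize
	Status    string `json:"status"`     // success, failure
	TotpState string `json:"totp_state"` // pending, complete
}

// Finding is one alert produced by detect.
type Finding struct {
	Rule string
	IP   string
	User string
	TS   string
}

// parseEvents reads newline-delimited JSON and fails loudly on a bad line,
// so a schema mismatch is noticed rather than silently producing no alerts.
func parseEvents(raw string) ([]Event, error) {
	var events []Event
	sc := bufio.NewScanner(strings.NewReader(raw))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("bad log line %q: %w", line, err)
		}
		events = append(events, e)
	}
	return events, sc.Err()
}

// detect applies two rules: a code issued to a TOTP-pending session (direct
// evidence of the bypass) and totpFailThreshold TOTP failures from an IP
// that already passed the password step (an attacker probing with a stolen
// password). Events are assumed to be in time order.
func detect(events []Event, totpFailThreshold int) []Finding {
	var out []Finding
	totpFails := map[string]int{}
	passwordOK := map[string]bool{}
	for _, e := range events {
		switch {
		case e.Event == "oidc_authorize" && e.Status == "success" && e.TotpState == "pending":
			out = append(out, Finding{"code_issued_to_totp_pending", e.IP, e.User, e.TS})
		case e.Event == "login" && e.Status == "success":
			passwordOK[e.IP] = true
		case e.Event == "totp" && e.Status == "failure" && passwordOK[e.IP]:
			totpFails[e.IP]++
			if totpFails[e.IP] == totpFailThreshold {
				out = append(out, Finding{"password_ok_totp_failing", e.IP, e.User, e.TS})
			}
		}
	}
	return out
}

// sampleLog is constructed for this example: alice's password is used from
// 10.0.0.5, TOTP fails three times, then a code is issued anyway; bob at
// 192.0.2.10 completes TOTP normally before authorizing.
const sampleLog = `
{"ts":"2026-04-01T10:00:00Z","ip":"10.0.0.5","user":"alice","event":"login","status":"success","totp_state":"pending"}
{"ts":"2026-04-01T10:00:01Z","ip":"10.0.0.5","user":"alice","event":"totp","status":"failure","totp_state":"pending"}
{"ts":"2026-04-01T10:00:02Z","ip":"10.0.0.5","user":"alice","event":"totp","status":"failure","totp_state":"pending"}
{"ts":"2026-04-01T10:00:03Z","ip":"10.0.0.5","user":"alice","event":"totp","status":"failure","totp_state":"pending"}
{"ts":"2026-04-01T10:00:04Z","ip":"10.0.0.5","user":"alice","event":"oidc_authorize","status":"success","totp_state":"pending"}
{"ts":"2026-04-01T10:00:10Z","ip":"192.0.2.10","user":"bob","event":"login","status":"success","totp_state":"pending"}
{"ts":"2026-04-01T10:00:11Z","ip":"192.0.2.10","user":"bob","event":"totp","status":"success","totp_state":"complete"}
{"ts":"2026-04-01T10:00:12Z","ip":"192.0.2.10","user":"bob","event":"oidc_authorize","status":"success","totp_state":"complete"}
`

func main() {
	events, err := parseEvents(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range detect(events, 3) {
		fmt.Printf("%s ip=%s user=%s at %s\n", f.Rule, f.IP, f.User, f.TS)
	}
}
```

The first rule is the one worth paging on: after patching it should never fire, so any hit means either an unpatched instance or a logging mismatch. The second rule is noisier (a user fumbling their authenticator also trips it) and belongs in a dashboard or a lower-severity alert with the threshold tuned to your environment.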