VYPR
High severity · NVD Advisory · Published Mar 12, 2026 · Updated Mar 12, 2026

Tinyauth vulnerable to TOTP/2FA bypass via OIDC authorize endpoint

CVE-2026-32246

Description

Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC authorization endpoint allows users with a TOTP-pending session (password verified, TOTP not yet completed) to obtain authorization codes. An attacker who knows a user's password but not their TOTP secret can obtain valid OIDC tokens, completely bypassing the second factor. This vulnerability is fixed in 5.0.3.
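The session-state check at the heart of this advisory, as an added illustration written for this page (it is not Tinyauth's own code and does not reproduce its types): a hypothetical Session model, an authorize handler with the flaw the description names (any password-verified session is enough to get an authorization code) beside a corrected handler that also requires the second factor to be completed whenever the user has one enrolled. The names Session, vulnerableAuthorize, fixedAuthorize and issueCode are assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Session is a hypothetical login-session record. A real server would also
// bind it to a cookie, an expiry and the OIDC client/redirect state.
type Session struct {
	UserID           string
	PasswordVerified bool // first factor done
	TOTPEnabled      bool // user has enrolled a TOTP second factor
	TOTPVerified     bool // second factor completed in this session
}

var (
	ErrUnauthenticated     = errors.New("authorize: no authenticated session")
	ErrSecondFactorPending = errors.New("authorize: second factor not completed")
)

// SecondFactorPending reports the exact state the advisory describes:
// password accepted, TOTP enrolled, TOTP not yet verified.
func (s *Session) SecondFactorPending() bool {
	return s.PasswordVerified && s.TOTPEnabled && !s.TOTPVerified
}

// FullyAuthenticated is the predicate an authorize endpoint must require.
func (s *Session) FullyAuthenticated() bool {
	return s.PasswordVerified && (!s.TOTPEnabled || s.TOTPVerified)
}

// issueCode generates a random authorization code. A production server would
// persist it as single-use, short-lived and bound to client_id, redirect_uri
// and the PKCE challenge; that bookkeeping is omitted here.
func issueCode(s *Session) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return hex.EncodeToString(buf), nil
}

// vulnerableAuthorize mirrors the flawed behaviour: the only gate is the
// first factor, so a TOTP-pending session is treated as logged in.
func vulnerableAuthorize(s *Session) (string, error) {
	if !s.PasswordVerified {
		return "", ErrUnauthenticated
	}
	return issueCode(s)
}

// fixedAuthorize refuses to mint a code until every enrolled factor has
// been verified in this session; TOTP-pending sessions get a distinct error
// so the caller can redirect to the TOTP step instead of the login page.
func fixedAuthorize(s *Session) (string, error) {
	if !s.PasswordVerified {
		return "", ErrUnauthenticated
	}
	if s.SecondFactorPending() {
		return "", ErrSecondFactorPending
	}
	if !s.FullyAuthenticated() {
		return "", ErrUnauthenticated
	}
	return issueCode(s)
}

func main() {
	// Constructed sample: password verified, TOTP enrolled but not entered.
	pending := &Session{UserID: "alice", PasswordVerified: true, TOTPEnabled: true}

	code, err := vulnerableAuthorize(pending)
	fmt.Printf("vulnerable handler: code issued=%v err=%v\n", code != "", err)

	code, err = fixedAuthorize(pending)
	fmt.Printf("fixed handler:      code issued=%v err=%v\n", code != "", err)
}
```

Keeping the "second factor pending" outcome distinct from "unauthenticated" also gives defenders a clean signal: a burst of ErrSecondFactorPending results on the authorize endpoint for one account is a password-known, TOTP-unknown pattern worth alerting on.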


Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/steveiliop56/tinyauth (Go)
Affected versions: < 1.0.1-20260311144920-9eb2d33064b7
Patched versions: 1.0.1-20260311144920-9eb2d33064b7
