Tinyauth vulnerable to TOTP/2FA bypass via OIDC authorize endpoint
Description
Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC authorization endpoint allows users with a TOTP-pending session (password verified, TOTP not yet completed) to obtain authorization codes. An attacker who knows a user's password but not their TOTP secret can obtain valid OIDC tokens, completely bypassing the second factor. This vulnerability is fixed in 5.0.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Tinyauth (CVE-2026-32246) OIDC authorization endpoint issues authorization codes to TOTP-pending sessions, letting an attacker who knows only the password bypass the second factor.
Root Cause
The OIDC authorization endpoint in Tinyauth prior to version 5.0.3 fails to check whether a user has completed their TOTP (time-based one-time password) second factor. The authorize handler at internal/controller/oidc_controller.go:105-116 only verifies that a user context exists via utils.GetContext(c). For sessions where the password has been validated but TOTP is still pending, the context middleware (internal/middleware/context_middleware.go:56-66) populates a user context with the username but sets TotpPending: true and does not set IsLoggedIn [2]. Because the OIDC handler does not examine IsLoggedIn or TotpPending, it proceeds to issue an authorization code for the incomplete session [2].
Exploitation
An attacker who knows a victim's password but does not possess their TOTP secret can complete the password step of login (via POST /api/user/login) to obtain a session cookie marked as TOTP-pending. Using that cookie, the attacker sends a request to the OIDC authorization endpoint (POST /api/oidc/authorize). The endpoint returns an authorization code linked to the victim's identity [2]. The attacker then exchanges this code at POST /api/oidc/token for a valid access token and ID token, fully bypassing the TOTP second factor [1][2]. No additional authentication or network position is required beyond the ability to reach the login and OIDC endpoints.
Impact
Successful exploitation allows an attacker to obtain valid OIDC tokens for any user who has TOTP enabled. This effectively defeats the two-factor authentication, granting the attacker the same access and authorization tokens as if they had completed TOTP [1]. The integrity of the authentication system is compromised, enabling unauthorized access to applications or resources protected by Tinyauth's OIDC [2].
Mitigation
The vulnerability is fixed in Tinyauth version 5.0.3 [1][2][4]. The patch adds checks for IsLoggedIn and TotpPending to the OIDC authorize handler, mirroring the guard already present in the proxy controller, which blocked TOTP-incomplete sessions [2]. Users should upgrade to v5.0.3 or later immediately; no workaround is documented for versions prior to this fix [2][4].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
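To make the root cause and the fix concrete, the following Go example (added here, my own modelling rather than Tinyauth's code) reproduces the context-middleware behaviour described above and places the pre-5.0.3 authorize guard beside the hardened one. The UserContext and Session structs and the helper names are assumptions for this illustration; only the IsLoggedIn and TotpPending field names come from the advisory text.

```go
package main

import "fmt"

// UserContext models the per-request context the page describes: the
// middleware fills in the username and the IsLoggedIn / TotpPending flags.
// This struct and the helpers below are assumptions for the example,
// not Tinyauth's own types.
type UserContext struct {
	Username    string
	IsLoggedIn  bool
	TotpPending bool
}

// Session is a constructed stand-in for the cookie-backed session state
// after the password step of login.
type Session struct {
	Username         string
	PasswordVerified bool
	TotpEnrolled     bool
	TotpCompleted    bool
}

// ContextFromSession mirrors the described middleware behaviour: a
// password-verified session whose TOTP step is still outstanding gets a
// context with TotpPending set and IsLoggedIn left unset.
func ContextFromSession(s *Session) *UserContext {
	if s == nil || !s.PasswordVerified {
		return nil // no usable session: no user context at all
	}
	if s.TotpEnrolled && !s.TotpCompleted {
		return &UserContext{Username: s.Username, TotpPending: true}
	}
	return &UserContext{Username: s.Username, IsLoggedIn: true}
}

// VulnerableAuthorizeAllowed reproduces the pre-5.0.3 check: a non-nil
// context is enough, so a TOTP-pending session is issued a code.
func VulnerableAuthorizeAllowed(ctx *UserContext) bool {
	return ctx != nil
}

// FixedAuthorizeAllowed is the guard the fix describes: the session must
// be fully logged in and must not have a pending second factor.
func FixedAuthorizeAllowed(ctx *UserContext) bool {
	return ctx != nil && ctx.IsLoggedIn && !ctx.TotpPending
}

func main() {
	pending := ContextFromSession(&Session{Username: "alice", PasswordVerified: true, TotpEnrolled: true})
	fmt.Println("vulnerable guard:", VulnerableAuthorizeAllowed(pending)) // true
	fmt.Println("fixed guard:", FixedAuthorizeAllowed(pending))           // false
}
```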
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/steveiliop56/tinyauth | Go | < 1.0.1-20260311144920-9eb2d33064b7 | 1.0.1-20260311144920-9eb2d33064b7 |
Affected products
- steveiliop56/tinyauth (v5), range: < 5.0.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-3q28-qjrv-qr39 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-32246 (GHSA, advisory)
- github.com/steveiliop56/tinyauth/releases/tag/v5.0.3 (GHSA, web)
- github.com/steveiliop56/tinyauth/security/advisories/GHSA-3q28-qjrv-qr39 (GHSA, x_refsource_CONFIRM, web)
News mentions
No linked articles in our index yet.