High severity · NVD Advisory · Published Mar 12, 2026 · Updated Mar 12, 2026
Tinyauth vulnerable to TOTP/2FA bypass via OIDC authorize endpoint
CVE-2026-32246
Description
Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC authorization endpoint allows users with a TOTP-pending session (password verified, TOTP not yet completed) to obtain authorization codes. An attacker who knows a user's password but not their TOTP secret can obtain valid OIDC tokens, completely bypassing the second factor. This vulnerability is fixed in 5.0.3.
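The flaw described above, as an added Go illustration (hypothetical types and handlers, not tinyauth's own code): an authorize step that treats a session as logged in once the password is verified will mint codes for TOTP-pending sessions, while the fixed version requires every enrolled factor to be completed first.

```go
package main

import (
	"errors"
	"fmt"
)

// SessionState is a hypothetical model of what the server has verified for a
// browser session; it is not tinyauth's own type.
type SessionState struct {
	UserID           string
	PasswordVerified bool // first factor done
	TOTPEnrolled     bool // user has a TOTP secret registered
	TOTPCompleted    bool // second factor done for this session
}

var (
	ErrNotAuthenticated    = errors.New("authorize: password step not completed")
	ErrSecondFactorPending = errors.New("authorize: TOTP pending, refusing to issue code")
)

// AuthorizeVulnerable shows the flawed pattern: a session counts as logged in
// as soon as the password has been verified, so a TOTP-pending session can
// still obtain an authorization code (constructed stand-in for code minting).
func AuthorizeVulnerable(s SessionState) (string, error) {
	if !s.PasswordVerified {
		return "", ErrNotAuthenticated
	}
	return "authcode-for-" + s.UserID, nil
}

// AuthorizeFixed refuses to mint a code until every enrolled factor has been
// completed for this session; a TOTP-pending session gets an error instead.
func AuthorizeFixed(s SessionState) (string, error) {
	if !s.PasswordVerified {
		return "", ErrNotAuthenticated
	}
	if s.TOTPEnrolled && !s.TOTPCompleted {
		return "", ErrSecondFactorPending
	}
	return "authcode-for-" + s.UserID, nil
}

func main() {
	pending := SessionState{UserID: "alice", PasswordVerified: true, TOTPEnrolled: true}
	_, err := AuthorizeVulnerable(pending)
	fmt.Println("vulnerable:", err) // nil: code issued despite pending TOTP
	_, err = AuthorizeFixed(pending)
	fmt.Println("fixed:", err) // TOTP pending, refusing to issue code
}
```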
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/steveiliop56/tinyauth (Go) | < 1.0.1-20260311144920-9eb2d33064b7 | 1.0.1-20260311144920-9eb2d33064b7 |
Affected products
- ghsa-coords (2 versions): pkg:golang/github.com/steveiliop56/tinyauth; pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
  < 1.0.1-20260311144920-9eb2d33064b7 + 1 more
- (no CPE) range: < 1.0.1-20260311144920-9eb2d33064b7
- (no CPE) range: < 0.0.20260317T205859-150000.1.152.1
- steveiliop56/tinyauth v5 range: < 5.0.3
References
- github.com/advisories/GHSA-3q28-qjrv-qr39 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-32246 (ghsa, ADVISORY)
- github.com/steveiliop56/tinyauth/releases/tag/v5.0.3 (ghsa, WEB)
- github.com/steveiliop56/tinyauth/security/advisories/GHSA-3q28-qjrv-qr39 (ghsa, x_refsource_CONFIRM, WEB)