Go modules package
github.com/steveiliop56/tinyauth
pkg:golang/github.com/steveiliop56/tinyauth
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-33544 | High | 7.7 | | < 1.0.1-0.20260401140714-fc1d4f2082a5 | 1.0.1-0.20260401140714-fc1d4f2082a5 | Apr 2, 2026 | Tinyauth is an authentication and authorization server. Prior to version 5.0.5, all three OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService) store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared acro |
| CVE-2026-32246 | — | | | < 1.0.1-20260311144920-9eb2d33064b7 | 1.0.1-20260311144920-9eb2d33064b7 | Mar 12, 2026 | Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC authorization endpoint allows users with a TOTP-pending session (password verified, TOTP not yet completed) to obtain authorization codes. An attacker who knows a user's password but not their TOTP s |
| CVE-2026-32245 | — | | | < 1.0.1-20260311144920-9eb2d33064b7 | 1.0.1-20260311144920-9eb2d33064b7 | Mar 12, 2026 | Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC token endpoint does not verify that the client exchanging an authorization code is the same client the code was issued to. A malicious OIDC client operator can exchange another client's authorization |