CVE-2026-32245

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-32245

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32245.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-32245

Aliases

Downstream

SUSE-SU-2026:1042-1

Related

SUSE-SU-2026:1042-1

Published

2026-03-12T18:57:51.330Z

Modified

2026-04-02T13:24:28.498102Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N CVSS Calculator

Summary

Tinyauth's OIDC authorization codes are not bound to client on token exchange

Details

Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC token endpoint does not verify that the client exchanging an authorization code is the same client the code was issued to. A malicious OIDC client operator can exchange another client's authorization code using their own client credentials, obtaining tokens for users who never authorized their application. This violates RFC 6749 Section 4.1.3. This vulnerability is fixed in 5.0.3.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32245.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-863"
    ]
}

References

Affected packages

Git / github.com/steveiliop56/tinyauth

Affected ranges

Type: GIT
Repo: https://github.com/steveiliop56/tinyauth
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

9eb2d33064b780fc24ac343101b50a69414fa7cb

Affected versions

v0.*

v0.1.0

v0.1.0-beta.1

v0.2.0

v0.2.0-beta.1

v0.3.0

v0.3.0-beta.1

v0.3.0-beta.2

v0.3.0-beta.3

v1.*

v1.0.0

v1.0.0-alpha.1

v1.0.0-beta.1

v1.0.0-beta.2

v1.0.0-beta.3

v2.*

v2.0.0

v2.0.0-alpha.1

v2.0.0-beta.1

v2.0.1

v2.0.2

v2.0.2-beta.1

v2.0.2-beta.2

v2.1.0

v2.1.0-alpha.1

v2.1.0-alpha.2

v2.1.1

v2.1.1-beta.1

v3.*

v3.0.0

v3.0.0-alpha.1

v3.0.0-alpha.2

v3.0.0-alpha.3

v3.0.0-alpha.4

v3.0.0-beta.1

v3.0.0-beta.2

v3.0.1

v3.0.1-beta.1

v3.1.0

v3.1.0-alpha.1

v3.1.0-beta.1

v3.1.0-beta.2

v3.1.0-exp.1

v3.1.0-exp.2

v3.1.0-exp.3

v3.2.0

v3.2.0-alpha.1

v3.2.0-beta.1

v3.2.0-beta.2

v3.2.0-beta.3

v3.2.0-beta.4

v3.2.0-beta.5

v3.2.0-beta.6

v3.2.1

v3.2.1-beta.1

v3.3.0

v3.3.0-alpha.1

v3.3.0-alpha.2

v3.3.0-alpha.3

v3.3.1

v3.3.1-beta.1

v3.4.0

v3.4.0-alpha.1

v3.4.0-beta.1

v3.4.0-beta.2

v3.4.1

v3.4.1-beta.1

v3.5.0

v3.5.0-alpha.1

v3.5.0-alpha.2

v3.6.0

v3.6.0-beta.1

v3.6.0-beta.2

v3.6.1

v3.6.1-beta.1

v3.6.1-beta.2

v3.6.1-beta.3

v3.6.2

v3.6.2-beta.1

v3.6.2-beta.2

v3.6.2-beta.3

v3.6.2-beta.4

v4.*

v4.0.0

v4.0.0-alpha.1

v4.0.0-alpha.2

v4.0.0-beta.1

v4.0.0-beta.2

v4.0.0-beta.3

v4.0.0-rc.1

v4.0.1

v4.0.1-beta.1

v4.0.1-beta.2

v4.1.0

v4.1.0-beta.1

v4.1.0-rc.1

v4.1.0-rc.2

v5.*

v5.0.0

v5.0.0-alpha.1

v5.0.0-alpha.2

v5.0.0-alpha.3

v5.0.0-alpha.4

v5.0.0-alpha.5

v5.0.0-beta.1

v5.0.0-beta.2

v5.0.0-beta.3

v5.0.0-beta.4

v5.0.0-rc.1

v5.0.0-rc.2

v5.0.1

v5.0.1-beta.1

v5.0.1-rc.1

v5.0.2

v5.0.2-beta.1

v5.0.2-beta.2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32245.json"