DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-32245: OIDC Authorization Code Grant Client Impersonation in Tinyauth


Vulnerability ID: CVE-2026-32245
CVSS Score: 6.5
Published: 2026-03-12

Tinyauth versions prior to 5.0.3 contain an incorrect authorization vulnerability in the OpenID Connect (OIDC) token endpoint. The server fails to verify that the client attempting to exchange an authorization code matches the client to which the code was originally issued, violating RFC 6749 Section 4.1.3.

TL;DR

An authentication flaw in Tinyauth (< 5.0.3) allows a malicious OIDC client to exchange a stolen authorization code intended for another client, leading to unauthorized token generation and user impersonation.


Technical Details

  • CWE ID: CWE-863
  • Attack Vector: Network
  • CVSS Score: 6.5
  • Impact: Client Impersonation / Privilege Escalation
  • Exploit Status: Unexploited
  • KEV Status: Not Listed

Affected Systems

  • Tinyauth OIDC Server
  • tinyauth: < 5.0.3 (Fixed in: 5.0.3)

Code Analysis

Commit: b2a1bfb

Fix OIDC client impersonation vulnerability by enforcing client ID validation in token exchange

Mitigation Strategies

  • Upgrade Tinyauth to version 5.0.3 or later
  • Enforce Proof Key for Code Exchange (PKCE) on all registered clients
  • Audit and remove inactive or unrecognized OIDC clients
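The check the fix enforces, as an added example in Go (this is not Tinyauth's code; the in-memory store, function names and the scenario are constructed for illustration). It shows the token endpoint logic the advisory describes (a code redeemed without checking which client it was issued to) beside an exchange that applies the RFC 6749 Section 4.1.3 binding checks, and it also covers the PKCE mitigation above by optionally refusing codes issued without a code_challenge:

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
	"time"
)

// authCode records what a code was bound to when the authorization endpoint
// issued it. clientID is the binding the pre-5.0.3 exchange ignored.
type authCode struct {
	clientID      string
	redirectURI   string
	subject       string // user the code was issued for
	codeChallenge string // PKCE S256 challenge; empty if the client sent none
	expiresAt     time.Time
}

// codeStore is a minimal in-memory store constructed for this example.
type codeStore struct {
	mu    sync.Mutex
	codes map[string]*authCode
}

func newCodeStore() *codeStore { return &codeStore{codes: map[string]*authCode{}} }

// issue is called at the end of the authorization endpoint flow.
func (s *codeStore) issue(code, clientID, redirectURI, subject, challenge string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.codes[code] = &authCode{clientID: clientID, redirectURI: redirectURI,
		subject: subject, codeChallenge: challenge, expiresAt: time.Now().Add(time.Minute)}
}

// tokenRequest carries the access token request parameters (RFC 6749 §4.1.3);
// clientID is the client that authenticated to the token endpoint.
type tokenRequest struct {
	clientID, code, redirectURI, codeVerifier string
}

var (
	errUnknownCode      = errors.New("invalid_grant: unknown, used or expired code")
	errClientMismatch   = errors.New("invalid_grant: code was not issued to this client")
	errRedirectMismatch = errors.New("invalid_grant: redirect_uri does not match")
	errPKCE             = errors.New("invalid_grant: PKCE verification failed")
)

// take looks up a code and deletes it, so every code is redeemable at most once.
func (s *codeStore) take(code string) (*authCode, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	c, ok := s.codes[code]
	delete(s.codes, code)
	if !ok || time.Now().After(c.expiresAt) {
		return nil, false
	}
	return c, true
}

// exchangeVulnerable models the behaviour the advisory describes: any
// authenticated client presenting a valid code gets the subject it was issued for.
func (s *codeStore) exchangeVulnerable(req tokenRequest) (string, error) {
	c, ok := s.take(req.code)
	if !ok {
		return "", errUnknownCode
	}
	return c.subject, nil
}

// exchangeFixed applies the RFC 6749 §4.1.3 checks. With requirePKCE set it
// also rejects codes issued without a challenge (the PKCE mitigation).
func (s *codeStore) exchangeFixed(req tokenRequest, requirePKCE bool) (string, error) {
	c, ok := s.take(req.code)
	if !ok {
		return "", errUnknownCode
	}
	// take() already removed the code, so a failed attempt burns it for the
	// legitimate client as well; that is this example's design choice.
	if subtle.ConstantTimeCompare([]byte(c.clientID), []byte(req.clientID)) != 1 {
		return "", errClientMismatch
	}
	if c.redirectURI != req.redirectURI {
		return "", errRedirectMismatch
	}
	if c.codeChallenge == "" {
		if requirePKCE {
			return "", errPKCE
		}
		return c.subject, nil
	}
	if subtle.ConstantTimeCompare([]byte(s256Challenge(req.codeVerifier)), []byte(c.codeChallenge)) != 1 {
		return "", errPKCE
	}
	return c.subject, nil
}

// s256Challenge is the PKCE S256 transform from RFC 7636 §4.2.
func s256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

func main() {
	// Constructed scenario: codes issued to "app-a" are presented by "app-b".
	s := newCodeStore()
	s.issue("c1", "app-a", "https://a.example/cb", "alice", "")
	s.issue("c2", "app-a", "https://a.example/cb", "alice", "")
	req := tokenRequest{clientID: "app-b", code: "c1", redirectURI: "https://a.example/cb"}
	sub, err := s.exchangeVulnerable(req)
	fmt.Println("vulnerable:", sub, err)
	req.code = "c2"
	sub, err = s.exchangeFixed(req, false)
	fmt.Println("fixed:", sub, err)
}
```

The client ID compared here must be the one the token endpoint authenticated (client secret, private_key_jwt, or the client_id parameter for public clients), never a value copied from the authorization request; the redirect_uri and PKCE checks close the remaining paths by which a code leaked to a different party could be redeemed.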

Remediation Steps:

  1. Review current Tinyauth deployment version.
  2. Download version 5.0.3 from the official repository.
  3. Deploy the updated binary and restart the authentication service.
  4. Check the authentication service logs for any sign that authorization codes were intercepted.

Read the full report for CVE-2026-32245 on our website for more details including interactive diagrams and full exploit analysis.
