CVE Reports

Originally published at cvereports.com


CVE-2026-32246: TOTP Authentication Bypass in Tinyauth OIDC Controller

Vulnerability ID: CVE-2026-32246
CVSS Score: 8.5
Published: 2026-03-12

Tinyauth prior to version 5.0.3 contains a high-severity authentication bypass vulnerability in its OpenID Connect (OIDC) controller. The application fails to properly validate the multi-factor authentication (MFA) state of a user session before issuing OIDC authorization codes. An attacker with possession of a valid primary credential (password) can bypass the Time-based One-Time Password (TOTP) requirement, extract identity tokens, and gain unauthorized access to downstream services relying on Tinyauth for authentication.

TL;DR

A logic flaw in Tinyauth's OIDC implementation allows attackers with valid primary credentials to bypass TOTP multi-factor authentication and obtain full identity tokens for downstream applications.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-287, CWE-306
  • Attack Vector: Network
  • CVSS Base Score: 8.5 (High)
  • Privileges Required: Low (Valid Password)
  • Impact: Authentication Bypass, Unauthorized Access
  • Exploit Status: PoC Publicly Described
  • CISA KEV: Not Listed

Affected Systems

  • Tinyauth Authentication Server < 5.0.3 (fixed in 5.0.3)
  • Applications relying on Tinyauth for OIDC federation

Code Analysis

  • Commit f1e869a (primary fix): enforce the IsLoggedIn check in the OIDC controller
  • Commit b2a1bfb (secondary hardening): deny Basic Auth for TOTP users and validate the Client ID
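The two commits above describe the shape of the fix: the authorization-code step must consult the same "fully logged in" predicate as every other protected controller, and must only honour known client IDs. The following Go program is an added illustration of that pattern written for this article; it is not Tinyauth's code, and the Session type, IsLoggedIn method, IssueAuthorizationCode function and the constructed client table are all assumptions. A session that has passed only the password check is refused a code; the same session after a TOTP success is issued one.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Session models the server-side state of a login session. The field and
// type names are assumptions for this example, not Tinyauth's real types.
type Session struct {
	User         string
	PasswordOK   bool // primary credential verified
	TOTPRequired bool // user has TOTP enrolled
	TOTPOK       bool // TOTP challenge completed in this session
}

// IsLoggedIn is the single predicate every protected controller must use:
// a session counts as logged in only when every enrolled factor has passed.
// Checking PasswordOK alone is exactly the gap the advisory describes.
func (s Session) IsLoggedIn() bool {
	if !s.PasswordOK {
		return false
	}
	if s.TOTPRequired && !s.TOTPOK {
		return false
	}
	return true
}

var (
	ErrNotAuthenticated = errors.New("session has not completed authentication")
	ErrUnknownClient    = errors.New("unknown OIDC client_id")
)

// registeredClients is a constructed client table standing in for the
// server's configured OIDC relying parties.
var registeredClients = map[string]bool{"grafana": true}

// IssueAuthorizationCode is the hardened /authorize step: it refuses to mint
// a code unless the session is fully logged in and the client_id is known.
func IssueAuthorizationCode(s Session, clientID string) (string, error) {
	if !s.IsLoggedIn() {
		return "", ErrNotAuthenticated
	}
	if !registeredClients[clientID] {
		return "", ErrUnknownClient
	}
	// 128 bits of CSPRNG output is a reasonable opaque code for the example.
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

func main() {
	partial := Session{User: "alice", PasswordOK: true, TOTPRequired: true}
	_, err := IssueAuthorizationCode(partial, "grafana")
	fmt.Println("password only:", err)

	full := partial
	full.TOTPOK = true
	code, err := IssueAuthorizationCode(full, "grafana")
	fmt.Println("password+TOTP: code issued =", code != "", "err =", err)
}
```

The point of routing the decision through one IsLoggedIn predicate is that a new controller cannot accidentally re-introduce the flaw by testing the password flag directly; a user with no TOTP enrolled still passes, so the check is a strict tightening rather than a behaviour change for single-factor accounts.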

Mitigation Strategies

  • Upgrade Tinyauth server to patched version 5.0.3.
  • Monitor for OIDC authorization codes issued to sessions of TOTP-enrolled users that never completed a TOTP challenge.
  • Audit existing user sessions and revoke anomalous tokens.

Remediation Steps:

  1. Download the latest release (v5.0.3) from the official Tinyauth repository.
  2. Deploy the updated binary or container image to the authentication infrastructure.
  3. Restart the Tinyauth service to apply the modified state validation logic.
  4. Query access logs to identify authorization grants lacking preceding TOTP validations.
  5. Revoke access and refresh tokens for any identities suspected of being compromised via this bypass.
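Step 4 above is a correlation task: for every authorization grant, check whether the same session recorded a TOTP success beforehand. The Go program below is an added example written for this article, not a tool from the Tinyauth project; the log line format, event names (login_password, totp_success, oidc_code_issued) and the sample log are constructed, so parseLine will need adapting to a real deployment's log layout. It walks the log in order and reports grants for TOTP-enrolled users whose session has no earlier TOTP success.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is one parsed access-log line. The layout is constructed for this
// example; adapt parseLine to the real log format before using it.
type Event struct {
	Time    string
	Kind    string // login_password, totp_success, oidc_code_issued
	User    string
	Session string
	Client  string
}

// constructedLog stands in for an exported access log. Session s1 completes
// TOTP before the grant; s2 gets a grant straight after the password; s3 has
// a grant with no authentication events at all.
const constructedLog = `2026-03-12T09:00:01Z login_password user=alice session=s1
2026-03-12T09:00:05Z totp_success user=alice session=s1
2026-03-12T09:00:07Z oidc_code_issued user=alice session=s1 client=grafana
2026-03-12T09:10:01Z login_password user=bob session=s2
2026-03-12T09:10:03Z oidc_code_issued user=bob session=s2 client=grafana
2026-03-12T09:20:00Z oidc_code_issued user=carol session=s3 client=wiki`

// parseLine splits "<time> <kind> k=v k=v ..." into an Event.
func parseLine(line string) (Event, bool) {
	fields := strings.Fields(line)
	if len(fields) < 3 {
		return Event{}, false
	}
	ev := Event{Time: fields[0], Kind: fields[1]}
	for _, kv := range fields[2:] {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			continue
		}
		switch k {
		case "user":
			ev.User = v
		case "session":
			ev.Session = v
		case "client":
			ev.Client = v
		}
	}
	return ev, true
}

// Finding is one authorization grant not preceded by a TOTP success.
type Finding struct {
	Time, User, Session, Client string
}

// SuspiciousGrants reports every oidc_code_issued event for a TOTP-enrolled
// user whose session has no earlier totp_success. Ordering matters: a TOTP
// success logged after the grant does not clear it.
func SuspiciousGrants(log string, totpEnrolled map[string]bool) []Finding {
	totpDone := map[string]bool{}
	var out []Finding
	for _, line := range strings.Split(log, "\n") {
		ev, ok := parseLine(line)
		if !ok {
			continue
		}
		switch ev.Kind {
		case "totp_success":
			totpDone[ev.Session] = true
		case "oidc_code_issued":
			if totpEnrolled[ev.User] && !totpDone[ev.Session] {
				out = append(out, Finding{ev.Time, ev.User, ev.Session, ev.Client})
			}
		}
	}
	return out
}

func main() {
	enrolled := map[string]bool{"alice": true, "bob": true, "carol": true}
	for _, f := range SuspiciousGrants(constructedLog, enrolled) {
		fmt.Printf("%s user=%s session=%s client=%s: grant without prior TOTP\n",
			f.Time, f.User, f.Session, f.Client)
	}
}
```

Each finding names a session and client, which is what step 5 needs: the identity to revoke and the downstream application whose tokens to invalidate. Keying on session rather than user avoids a false negative where a user's separate, legitimate session completed TOTP earlier the same day.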

References

Read the full report for CVE-2026-32246 on cvereports.com for more details, including interactive diagrams and the full exploit analysis.