CVE-2026-32246
Published: 12 March 2026
Summary
CVE-2026-32246 is a high-severity Improper Authentication (CWE-287) vulnerability in Tinyauth (vendor and product are both listed as "Tinyauth"). Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 13.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): requires timely identification, reporting, and patching of the authentication bypass flaw in Tinyauth's OIDC endpoint, directly resolving the vulnerability as fixed in version 5.0.3.
IA-5 (Authenticator Management): mandates management of multi-factor authenticators with sufficient strength to resist bypass attacks that exploit TOTP-pending session states.
Requires selection and monitoring of trustworthy authorization servers such as Tinyauth to mitigate risks in OIDC flows that allow password-only token issuance.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A remote authentication bypass in a public OIDC endpoint directly enables T1190 exploitation; the authorization codes and tokens obtained allow abuse of valid accounts and application access tokens while bypassing MFA.
NVD Description
Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC authorization endpoint allows users with a TOTP-pending session (password verified, TOTP not yet completed) to obtain authorization codes. An attacker who knows a user's password but not their TOTP secret can obtain valid OIDC tokens, completely bypassing the second factor. This vulnerability is fixed in 5.0.3.
Deeper analysis
CVE-2026-32246 is a high-severity authentication bypass vulnerability (CVSS 3.1 score of 8.5) affecting Tinyauth, an open-source authentication and authorization server. In versions prior to 5.0.3, the OpenID Connect (OIDC) authorization endpoint improperly permits users in a TOTP-pending session state—where password verification has succeeded but TOTP completion is pending—to obtain valid authorization codes. This flaw, linked to CWE-287 (Improper Authentication), enables circumvention of the second authentication factor.
An attacker with knowledge of a legitimate user's password, but without the TOTP secret, can exploit this vulnerability remotely over the network with low complexity and low privileges (PR:L). By initiating an authentication flow with the stolen password and immediately requesting an authorization code at the OIDC endpoint before TOTP verification, the attacker receives a valid code. This can be exchanged for OIDC tokens, granting unauthorized access to protected resources and fully bypassing multi-factor authentication.
The Tinyauth security advisory (GHSA-3q28-qjrv-qr39) confirms the issue is resolved in version 5.0.3, recommending immediate upgrades for all prior installations. No additional mitigations are specified beyond patching, as the vulnerability stems from flawed session handling in the OIDC flow.
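The root cause described above is a state check that is too weak: the authorization endpoint treats "password verified" as "logged in", so a session that still owes a TOTP is granted a code. The following Go sketch is an added illustration written for this page, not Tinyauth's own code, and it does not reproduce the project's internals. It contrasts the flawed check pattern with a hardened one that gates code issuance on the complete authentication state. The `Session` type, its field names, `issueCodeVulnerable`, `issueCodeFixed` and `newAuthCode` are all assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Session models per-login state with the two factors tracked separately.
// Field names are hypothetical for this example; they are not Tinyauth's types.
type Session struct {
	User             string
	PasswordVerified bool // first factor completed
	TOTPRequired     bool // user has TOTP enrolled, so a second factor is owed
	TOTPVerified     bool // second factor completed
}

// FullyAuthenticated is the predicate an OIDC authorization endpoint must use:
// every factor the user is enrolled in has been completed for this session.
func (s Session) FullyAuthenticated() bool {
	if !s.PasswordVerified {
		return false
	}
	if s.TOTPRequired && !s.TOTPVerified {
		return false // TOTP-pending: the login is not finished
	}
	return true
}

// ErrNotAuthenticated is returned when a session may not receive a code.
var ErrNotAuthenticated = errors.New("login not complete")

// newAuthCode returns an opaque, unguessable authorization code (32 random
// bytes, hex-encoded). Assumed helper; the real server's code format is unknown.
func newAuthCode() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return hex.EncodeToString(buf), nil
}

// issueCodeVulnerable reproduces the flawed pattern the advisory describes:
// only the password step is checked, so a TOTP-pending session still gets a
// code, and the attacker never has to present the second factor.
func issueCodeVulnerable(s Session, clientID string) (string, error) {
	if !s.PasswordVerified {
		return "", ErrNotAuthenticated
	}
	_ = clientID // client binding omitted; the point here is the auth-state check
	return newAuthCode()
}

// issueCodeFixed gates issuance on the complete authentication state, so a
// session that still owes a TOTP is rejected before any code is minted.
func issueCodeFixed(s Session, clientID string) (string, error) {
	if !s.FullyAuthenticated() {
		return "", ErrNotAuthenticated
	}
	_ = clientID
	return newAuthCode()
}

func main() {
	// Constructed scenario: password verified, TOTP enrolled but not completed.
	pending := Session{User: "alice", PasswordVerified: true, TOTPRequired: true}

	if code, err := issueCodeVulnerable(pending, "example-app"); err == nil {
		fmt.Printf("vulnerable: issued code %s... to a TOTP-pending session\n", code[:8])
	}
	if _, err := issueCodeFixed(pending, "example-app"); err != nil {
		fmt.Println("fixed:", err)
	}

	pending.TOTPVerified = true
	if _, err := issueCodeFixed(pending, "example-app"); err == nil {
		fmt.Println("fixed: code issued once TOTP is complete")
	}
}
```

The design point is to keep a single, explicit "fully authenticated" predicate and to make every token- or code-issuing path call it, rather than letting each endpoint inspect individual factor flags. That way a newly added factor, or a new endpoint, cannot silently inherit a password-only check.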
Details
- CWE(s)