CVE-2026-33544
Published: 02 April 2026
Summary
CVE-2026-33544 is a high-severity Race Condition (CWE-362) vulnerability in Tinyauth (vendor: Tinyauth). Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 7.1 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-4 (Information in Shared System Resources) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
- SI-2 (Flaw Remediation): Directly mitigates the race condition by requiring timely remediation through patching to Tinyauth version 5.0.5, which fixes the shared mutable state issue.
- SC-4 (Information in Shared System Resources): Prevents unauthorized information transfer via shared system resources, such as the mutable PKCE verifiers and access tokens held in singleton instances across concurrent requests.
- Requires identity providers and authorization servers like Tinyauth to meet organization-defined security requirements for handling concurrent OAuth flows without race-induced identity mix-ups.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
The race condition in the Tinyauth server's shared OAuth PKCE/token state is reached remotely through the authentication application (T1190); a successful race yields a session carrying another user's identity (token mixing/impersonation, T1134.001), which then grants access under that valid user account (T1078).
NVD Description
Tinyauth is an authentication and authorization server. Prior to version 5.0.5, all three OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService) store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent requests. When two users initiate OAuth login for the same provider concurrently, a race condition between VerifyCode() and Userinfo() causes one user to receive a session with the other user's identity. This issue has been patched in version 5.0.5.
Deeper analysis [AI]
CVE-2026-33544, published on 2026-04-02, is a race condition vulnerability (CWE-362) affecting Tinyauth, an authentication and authorization server, in versions prior to 5.0.5. The flaw resides in all three OAuth service implementations (GenericOAuthService, GithubOAuthService, and GoogleOAuthService), which store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent requests. Because every in-flight login reads and writes the same fields, concurrent OAuth login flows for the same provider race between the VerifyCode() and Userinfo() functions: the token written by one request can be read by the other.
The CVSS v3.1 vector describes exploitation over the network (AV:N) with high attack complexity (AC:H), requiring low privileges (PR:L) and user interaction (UI:R). When two users' OAuth login initiations for the same provider overlap in time, one legitimate user can receive a session bound to the other user's identity, enabling account takeover or impersonation. This yields high confidentiality and integrity impacts (C:H/I:H) with a changed scope (S:C), for a base score of 7.7.
Mitigation is available via upgrade to Tinyauth version 5.0.5, which patches the race condition. Details are provided in the GitHub security advisory (GHSA-9q5m-jfc4-wc92), release notes for v5.0.5, and the fixing commit (f26c2171610d5c2dfbba2edb6ccd39490e349803).
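To make the defect concrete, here is an added illustration (constructed for this page, not Tinyauth's code) of the shared-state pattern the advisory describes beside a per-request form. The service, method and code names are stand-ins; the losing interleaving is replayed deterministically rather than relying on scheduler timing.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed illustration, not Tinyauth's code: an OAuth service whose
// per-login state lives in a field of one instance shared by every request.
type sharedService struct {
	accessToken string // overwritten by whichever request exchanged a code last
}

// VerifyCode stands in for the code-for-token exchange; the token names the user.
func (s *sharedService) VerifyCode(code string) {
	s.accessToken = "tok-" + strings.TrimSuffix(code, "-code")
}

// Userinfo resolves the identity from the shared field, not from this request's token.
func (s *sharedService) Userinfo() string {
	return strings.TrimPrefix(s.accessToken, "tok-")
}

// Hardened form: the token is passed between the steps as a value, so each
// request owns its state and nothing per-login is written to the shared instance.
type statelessService struct{}

func (statelessService) VerifyCode(code string) string { return "tok-" + strings.TrimSuffix(code, "-code") }
func (statelessService) Userinfo(token string) string  { return strings.TrimPrefix(token, "tok-") }

// SharedMixup replays the losing interleaving deterministically: request B's
// VerifyCode lands between request A's VerifyCode and A's Userinfo.
func SharedMixup() (string, string) {
	svc := &sharedService{}
	svc.VerifyCode("alice-code")          // request A exchanges Alice's code
	svc.VerifyCode("bob-code")            // request B overwrites the shared field
	return svc.Userinfo(), svc.Userinfo() // A completes with Bob's identity
}

// StatelessNoMixup runs the same interleaving against the hardened form.
func StatelessNoMixup() (string, string) {
	svc := statelessService{}
	tokA, tokB := svc.VerifyCode("alice-code"), svc.VerifyCode("bob-code")
	return svc.Userinfo(tokA), svc.Userinfo(tokB)
}

func main() {
	fmt.Println(SharedMixup())      // bob bob
	fmt.Println(StatelessNoMixup()) // alice bob
}
```

If the two requests are instead run on separate goroutines, `go test -race` reports the unsynchronized write to accessToken, which is the general way to catch this class of defect before a timing-dependent identity mix-up reaches production.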
Details
- CWE(s)