What is CVE-2026-32245?

CVE-2026-32245 is a medium-severity vulnerability in Steveiliop56 Tinyauth, classified under Incorrect Authorization. CVSS score: 6.5/10. Published 2026-03-12.

How severe is CVE-2026-32245?

Medium severity. CVSS v3 base score is 6.5 out of 10.

Auth bypass in Steveiliop56 Tinyauth

CVE-2026-32245

Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC token endpoint does not verify that the client exchanging an authorization code is the same client the code was issued to. A malicious OIDC client operator ca…

Vulnerability class: Broken Access Control

EPSS: 0.001 (17.6th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.5 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N.

Affected products

Steveiliop56 Tinyauth — versions < 5.0.3

Weakness classification (CWE)

CWE-863 — Incorrect Authorization

References

https://github.com/steveiliop56/tinyauth/security/advisories/GHSA-xg2q-62g2-cvcm (x_refsource_CONFIRM)
https://github.com/steveiliop56/tinyauth/commit/b2a1bfb1f532e87f205fa3afa3fc9f148c53ab89 (x_refsource_MISC)
https://github.com/steveiliop56/tinyauth/releases/tag/v5.0.3 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-32245?: CVE-2026-32245 is a medium-severity vulnerability in Steveiliop56 Tinyauth, classified under Incorrect Authorization. CVSS score: 6.5/10. Published 2026-03-12.
How severe is CVE-2026-32245?: Medium severity. CVSS v3 base score is 6.5 out of 10.