What is CVE-2026-33544?

CVE-2026-33544 is a high-severity vulnerability in Steveiliop56 Tinyauth, classified under Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition). CVSS score: 7.7/10. Published 2026-04-02.

How severe is CVE-2026-33544?

High severity. CVSS v3 base score is 7.7 out of 10.

Vulnerability in Steveiliop56 Tinyauth

CVE-2026-33544

Tinyauth is an authentication and authorization server. Prior to version 5.0.5, all three OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService) store PKCE verifiers and access tokens as mutable struct…

Vulnerability class: Race Condition

EPSS: 0.000 (7.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.7 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N.

Affected products

Steveiliop56 Tinyauth — versions < 5.0.5

Weakness classification (CWE)

CWE-362 — Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)

References

https://github.com/steveiliop56/tinyauth/security/advisories/GHSA-9q5m-jfc4-wc92 (x_refsource_CONFIRM)
https://github.com/steveiliop56/tinyauth/commit/f26c2171610d5c2dfbba2edb6ccd39490e349803 (x_refsource_MISC)
https://github.com/steveiliop56/tinyauth/releases/tag/v5.0.5 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-33544?: CVE-2026-33544 is a high-severity vulnerability in Steveiliop56 Tinyauth, classified under Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition). CVSS score: 7.7/10. Published 2026-04-02.
How severe is CVE-2026-33544?: High severity. CVSS v3 base score is 7.7 out of 10.