The vulnerability CVE-2026-32245 affects the tinyauth authentication and authorization server developed by steveiliop56, specifically versions prior to 5.0.3. Tinyauth implements OpenID Connect (OIDC) for authentication and authorization. The flaw lies in the OIDC token endpoint's failure to verify that the client exchanging an authorization code is the same client to which the code was originally issued. According to OAuth 2.0 standards (RFC 6749 Section 4.1.3), an authorization code must only be redeemable by the client that requested it. However, in affected versions, a malicious client operator can submit another client's authorization code along with their own client credentials to the token endpoint. This results in the issuance of access tokens and potentially ID tokens for users who never authorized the malicious client, effectively bypassing intended authorization controls. The vulnerability is categorized under CWE-863 (Incorrect Authorization), indicating a failure to enforce proper authorization checks. The CVSS v3.1 base score is 6.5 (medium severity), with attack vector being network (remote), attack complexity high, privileges required low, user interaction required, scope changed, and impacts low confidentiality loss, high integrity loss, and no availability impact. No public exploits are currently known. The issue was addressed and fixed in tinyauth version 5.0.3 by enforcing strict client verification during the authorization code exchange process.

This vulnerability can lead to unauthorized access tokens being issued to malicious clients, allowing them to impersonate users without their consent. The confidentiality of user data is moderately impacted since tokens grant access to user information. The integrity impact is high because attackers can perform actions on behalf of users, potentially modifying data or accessing sensitive resources. Availability is not affected. Organizations relying on tinyauth for OIDC authentication risk unauthorized access, data breaches, and potential compliance violations. The attack requires the attacker to have a valid client credential but does not require user interaction beyond the initial authorization code issuance. This could facilitate lateral movement or privilege escalation within environments using tinyauth. The lack of known exploits reduces immediate risk, but the vulnerability presents a significant threat if weaponized, especially in environments with multiple OIDC clients and sensitive user data.

The primary mitigation is to upgrade tinyauth to version 5.0.3 or later, where the vulnerability is fixed. Until upgrade is possible, organizations should implement strict monitoring and logging of token endpoint requests to detect anomalous authorization code exchanges. Employ network segmentation and client credential management to limit exposure of client secrets. Review and audit all registered OIDC clients to ensure only trusted applications have access. Implement additional application-layer checks to verify client identity during token exchange if feasible. Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block suspicious token exchange patterns. Educate developers and administrators about the importance of strict client verification in OAuth flows. Finally, conduct penetration testing focused on authorization code handling to identify any residual weaknesses.