CVE-2026-33544: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in steveiliop56 tinyauth
Tinyauth is an authentication and authorization server. Prior to version 5.0.5, all three OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService) store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent requests. When two users initiate OAuth login for the same provider concurrently, a race condition between VerifyCode() and Userinfo() causes one user to receive a session with the other user's identity. This issue has been patched in version 5.0.5.
AI Analysis
Technical Summary
Tinyauth versions before 5.0.5 contain a race condition (CWE-362) in their OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService). These services store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent requests. When two users initiate OAuth login concurrently for the same provider, a race condition between VerifyCode() and Userinfo() functions can cause session identity crossover, allowing one user to receive another user's session. This vulnerability has been addressed and fixed in version 5.0.5.
Potential Impact
Successful exploitation of this vulnerability can lead to a user receiving a session associated with another user's identity, resulting in high confidentiality and integrity impact. This could allow unauthorized access to another user's account or data. Availability is not affected. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade tinyauth to version 5.0.5 or later, where this race condition vulnerability has been patched. No other mitigation is required as the fix is available and official.
CVE-2026-33544: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in steveiliop56 tinyauth
Description
Tinyauth is an authentication and authorization server. Prior to version 5.0.5, all three OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService) store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent requests. When two users initiate OAuth login for the same provider concurrently, a race condition between VerifyCode() and Userinfo() causes one user to receive a session with the other user's identity. This issue has been patched in version 5.0.5.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Tinyauth versions before 5.0.5 contain a race condition (CWE-362) in their OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService). These services store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent requests. When two users initiate OAuth login concurrently for the same provider, a race condition between VerifyCode() and Userinfo() functions can cause session identity crossover, allowing one user to receive another user's session. This vulnerability has been addressed and fixed in version 5.0.5.
Potential Impact
Successful exploitation of this vulnerability can lead to a user receiving a session associated with another user's identity, resulting in high confidentiality and integrity impact. This could allow unauthorized access to another user's account or data. Availability is not affected. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade tinyauth to version 5.0.5 or later, where this race condition vulnerability has been patched. No other mitigation is required as the fix is available and official.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-20T18:05:11.832Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69ce866ce6bfc5ba1de33608
Added to database: 4/2/2026, 3:08:28 PM
Last enriched: 4/9/2026, 10:42:33 PM
Last updated: 5/20/2026, 8:49:53 PM
Views: 78
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.