CVE-2026-33544 is a concurrency vulnerability classified under CWE-362 (Race Condition) affecting the tinyauth authentication and authorization server before version 5.0.5. Tinyauth implements OAuth services including GenericOAuthService, GithubOAuthService, and GoogleOAuthService. These services store PKCE verifiers and access tokens as mutable struct fields within singleton instances shared across all concurrent requests. Because these fields are mutable and shared, when two users simultaneously initiate OAuth login flows for the same provider, a race condition occurs between the VerifyCode() and Userinfo() functions. This race condition can cause one user to receive a session associated with the other user's identity, effectively allowing session swapping or hijacking. The vulnerability compromises confidentiality and integrity by exposing user sessions to unauthorized access. The flaw does not affect availability. Exploitation requires network access and user interaction (initiating OAuth login), but only low privileges are needed, and no authentication is required. The vulnerability has been assigned a CVSS 3.1 score of 7.7 (high severity), reflecting its significant impact and moderate exploitation complexity. The issue was publicly disclosed on April 2, 2026, and patched in tinyauth version 5.0.5. No known exploits in the wild have been reported to date. This vulnerability highlights the critical importance of proper synchronization and thread safety in shared mutable state within authentication services, especially those handling sensitive tokens and session data.

The primary impact of CVE-2026-33544 is the compromise of user session confidentiality and integrity. By exploiting the race condition, an attacker can cause a user to be authenticated as another user, potentially gaining unauthorized access to sensitive data and services. This can lead to data breaches, privilege escalation, and unauthorized actions performed under another user's identity. For organizations, this undermines trust in their authentication mechanisms and may result in compliance violations, reputational damage, and financial losses. Since the vulnerability affects OAuth implementations, which are widely used for federated identity and single sign-on, the scope of affected systems can be broad, especially in cloud services, SaaS platforms, and enterprise applications relying on tinyauth or similar OAuth servers. Although exploitation requires user interaction and low privileges, the impact on affected users is severe. The lack of availability impact means systems remain operational, but the security breach risk is significant. Organizations with concurrent OAuth login flows are particularly vulnerable, especially those with high user concurrency and multi-tenant environments.

The definitive mitigation is to upgrade tinyauth to version 5.0.5 or later, where the race condition has been properly fixed. Beyond upgrading, organizations should audit their OAuth service implementations to ensure that mutable state related to authentication tokens and verifiers is not stored in shared singleton instances without proper synchronization. Implement thread-safe handling of session data, using immutable data structures or request-scoped storage to avoid shared mutable state. Employ concurrency control mechanisms such as mutexes or atomic operations around critical sections handling tokens and session identifiers. Conduct thorough testing under concurrent load to detect race conditions. Additionally, implement monitoring and anomaly detection to identify suspicious session swaps or authentication anomalies. Educate developers on secure coding practices related to concurrency and OAuth flows. Finally, consider applying compensating controls such as multi-factor authentication to reduce the risk of session hijacking.