Nixpkgs security tracker

Untriaged

Permalink CVE-2026-32245

6.5 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): LOW
User interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality impact (C): LOW
Integrity impact (I): HIGH
Availability impact (A): NONE

created 1 month ago

Tinyauth's OIDC authorization codes are not bound to client on token exchange

Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC token endpoint does not verify that the client exchanging an authorization code is the same client the code was issued to. A malicious OIDC client operator can exchange another client's authorization code using their own client credentials, obtaining tokens for users who never authorized their application. This violates RFC 6749 Section 4.1.3. This vulnerability is fixed in 5.0.3.

References

https://github.com/steveiliop56/tinyauth/security/advisories/GHSA-xg2q-62g2-cvcm x_refsource_CONFIRM
https://github.com/steveiliop56/tinyauth/commit/b2a1bfb1f532e87f205fa3afa3fc9f148c53ab89 x_refsource_MISC
https://github.com/steveiliop56/tinyauth/releases/tag/v5.0.3 x_refsource_MISC

Affected products

tinyauth

==< 5.0.3

Matching in nixpkgs

pkgs.tinyauth

Simple authentication middleware for web apps

nixos-unstable 5.0.1
- nixpkgs-unstable 5.0.2
- nixos-unstable-small 5.0.2

Package maintainers

@shaunren Shaun Ren

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.tinyauth

Package maintainers