Nixpkgs security tracker

Untriaged

Permalink CVE-2026-33544

7.7 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): Low (L)
User Interaction (UI): Required (R)
Scope (S): Changed (C)
Confidentiality (C): High (H)
Integrity (I): High (H)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Changed (C)
Modified Integrity (MI): High (H)
Modified Availability (MA): None (N)

created 1 month, 3 weeks ago Activity log

Created suggestion 1 month, 3 weeks ago

Tinyauth has OAuth account confusion via shared mutable state on singleton service instances

Tinyauth is an authentication and authorization server. Prior to version 5.0.5, all three OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService) store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent requests. When two users initiate OAuth login for the same provider concurrently, a race condition between VerifyCode() and Userinfo() causes one user to receive a session with the other user's identity. This issue has been patched in version 5.0.5.

References

https://github.com/steveiliop56/tinyauth/security/advisories/GHSA-9q5m-jfc4-wc92 x_refsource_CONFIRM
https://github.com/steveiliop56/tinyauth/commit/f26c2171610d5c2dfbba2edb6ccd39490e349803 x_refsource_MISC
https://github.com/steveiliop56/tinyauth/releases/tag/v5.0.5 x_refsource_MISC

Affected products

tinyauth

==< 5.0.5

Matching in nixpkgs

pkgs.tinyauth

Simple authentication middleware for web apps

nixos-unstable 5.0.4
- nixpkgs-unstable 5.0.4
- nixos-unstable-small 5.0.4

Package maintainers

@shaunren Shaun Ren

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.tinyauth

Package maintainers