Nixpkgs security tracker

Untriaged

Permalink CVE-2026-33544

7.7 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): Low (L)
User Interaction (UI): Required (R)
Scope (S): Changed (C)
Confidentiality (C): High (H)
Integrity (I): High (H)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Changed (C)
Modified Integrity (MI): High (H)
Modified Availability (MA): None (N)

created 1 month, 3 weeks ago Activity log

Created suggestion 1 month, 3 weeks ago

Tinyauth has OAuth account confusion via shared mutable state on singleton service instances

Tinyauth is an authentication and authorization server. Prior to version 5.0.5, all three OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService) store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent requests. When two users initiate OAuth login for the same provider concurrently, a race condition between VerifyCode() and Userinfo() causes one user to receive a session with the other user's identity. This issue has been patched in version 5.0.5.

References

https://github.com/steveiliop56/tinyauth/security/advisories/GHSA-9q5m-jfc4-wc92 x_refsource_CONFIRM
https://github.com/steveiliop56/tinyauth/commit/f26c2171610d5c2dfbba2edb6ccd39490e349803 x_refsource_MISC
https://github.com/steveiliop56/tinyauth/releases/tag/v5.0.5 x_refsource_MISC

Affected products

tinyauth

==< 5.0.5

Matching in nixpkgs

pkgs.tinyauth

Simple authentication middleware for web apps

nixos-unstable 5.0.4
- nixpkgs-unstable 5.0.4
- nixos-unstable-small 5.0.4

Package maintainers

@shaunren Shaun Ren

Published

Permalink CVE-2026-32245

6.5 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): Low (L)
User Interaction (UI): Required (R)
Scope (S): Changed (C)
Confidentiality (C): Low (L)
Integrity (I): High (H)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Changed (C)
Modified Integrity (MI): High (H)
Modified Availability (MA): None (N)

updated 2 months, 1 week ago by @LeSuisse Activity log

Created suggestion 2 months, 1 week ago
@LeSuisse accepted 2 months, 1 week ago
@LeSuisse published on GitHub 2 months, 1 week ago

Tinyauth's OIDC authorization codes are not bound to client on token exchange

Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC token endpoint does not verify that the client exchanging an authorization code is the same client the code was issued to. A malicious OIDC client operator can exchange another client's authorization code using their own client credentials, obtaining tokens for users who never authorized their application. This violates RFC 6749 Section 4.1.3. This vulnerability is fixed in 5.0.3.

References

https://github.com/steveiliop56/tinyauth/security/advisories/GHSA-xg2q-62g2-cvcm x_refsource_CONFIRM
https://github.com/steveiliop56/tinyauth/commit/b2a1bfb1f532e87f205fa3afa3fc9f148c53ab89 x_refsource_MISC
https://github.com/steveiliop56/tinyauth/releases/tag/v5.0.3 x_refsource_MISC

Affected products

tinyauth

==< 5.0.3

Matching in nixpkgs

pkgs.tinyauth

Simple authentication middleware for web apps

nixos-unstable 5.0.1
- nixpkgs-unstable 5.0.2
- nixos-unstable-small 5.0.2

Package maintainers

@shaunren Shaun Ren

Upstream advisory: https://github.com/steveiliop56/tinyauth/security/advisories/GHSA-xg2q-62g2-cvcm
Upstream patch: https://github.com/steveiliop56/tinyauth/commit/b2a1bfb1f532e87f205fa3afa3fc9f148c53ab89

Untriaged

Permalink CVE-2026-32246

8.5 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Scope (S): Changed (C)
Confidentiality (C): Low (L)
Integrity (I): High (H)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Changed (C)
Modified Integrity (MI): High (H)
Modified Availability (MA): None (N)

created 2 months, 1 week ago Activity log

Created suggestion 2 months, 1 week ago

Tinyauth vulnerable to TOTP/2FA bypass via OIDC authorize endpoint

Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC authorization endpoint allows users with a TOTP-pending session (password verified, TOTP not yet completed) to obtain authorization codes. An attacker who knows a user's password but not their TOTP secret can obtain valid OIDC tokens, completely bypassing the second factor. This vulnerability is fixed in 5.0.3.

References

https://github.com/steveiliop56/tinyauth/security/advisories/GHSA-3q28-qjrv-qr39 x_refsource_CONFIRM

Affected products

tinyauth

==< 5.0.3

Matching in nixpkgs

pkgs.tinyauth

Simple authentication middleware for web apps

nixos-unstable 5.0.1
- nixpkgs-unstable 5.0.2
- nixos-unstable-small 5.0.2

Package maintainers

@shaunren Shaun Ren

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.tinyauth

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.tinyauth

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.tinyauth

Package maintainers