Nixpkgs security tracker

Permalink CVE-2026-33544

7.7 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): Low (L)
User Interaction (UI): Required (R)
Scope (S): Changed (C)
Confidentiality (C): High (H)
Integrity (I): High (H)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Changed (C)
Modified Integrity (MI): High (H)
Modified Availability (MA): None (N)

created 1 month, 3 weeks ago Activity log

Created suggestion 1 month, 3 weeks ago

Tinyauth has OAuth account confusion via shared mutable state on singleton service instances

Tinyauth is an authentication and authorization server. Prior to version 5.0.5, all three OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService) store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent requests. When two users initiate OAuth login for the same provider concurrently, a race condition between VerifyCode() and Userinfo() causes one user to receive a session with the other user's identity. This issue has been patched in version 5.0.5.

References

https://github.com/steveiliop56/tinyauth/security/advisories/GHSA-9q5m-jfc4-wc92 x_refsource_CONFIRM
https://github.com/steveiliop56/tinyauth/commit/f26c2171610d5c2dfbba2edb6ccd39490e349803 x_refsource_MISC
https://github.com/steveiliop56/tinyauth/releases/tag/v5.0.5 x_refsource_MISC

Affected products

tinyauth

==< 5.0.5

Matching in nixpkgs

pkgs.tinyauth

Simple authentication middleware for web apps

nixos-unstable 5.0.4
- nixpkgs-unstable 5.0.4
- nixos-unstable-small 5.0.4

Package maintainers

@shaunren Shaun Ren

Permalink CVE-2026-32246

8.5 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Scope (S): Changed (C)
Confidentiality (C): Low (L)
Integrity (I): High (H)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Changed (C)
Modified Integrity (MI): High (H)
Modified Availability (MA): None (N)

created 2 months, 1 week ago Activity log

Created suggestion 2 months, 1 week ago

Tinyauth vulnerable to TOTP/2FA bypass via OIDC authorize endpoint

Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC authorization endpoint allows users with a TOTP-pending session (password verified, TOTP not yet completed) to obtain authorization codes. An attacker who knows a user's password but not their TOTP secret can obtain valid OIDC tokens, completely bypassing the second factor. This vulnerability is fixed in 5.0.3.

References

https://github.com/steveiliop56/tinyauth/security/advisories/GHSA-3q28-qjrv-qr39 x_refsource_CONFIRM

Affected products

tinyauth

==< 5.0.3

Matching in nixpkgs

pkgs.tinyauth

Simple authentication middleware for web apps

nixos-unstable 5.0.1
- nixpkgs-unstable 5.0.2
- nixos-unstable-small 5.0.2

Package maintainers

@shaunren Shaun Ren

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.tinyauth

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.tinyauth

Package maintainers