CVE-2026-33544
Race Condition in Tinyauth OAuth Causes User Identity Leakage
Publication date: 2026-04-02
Last updated on: 2026-04-07
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tinyauth | tinyauth | up to 5.0.5 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-362 | The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33544 is a high-severity race condition vulnerability in the Tinyauth OAuth service implementations prior to version 5.0.5. The issue arises because the OAuth services store mutable OAuth state (specifically PKCE verifiers and access tokens) as struct fields on singleton instances shared across all concurrent requests.
When two users concurrently initiate OAuth login with the same provider, a race condition occurs between the VerifyCode() and Userinfo() functions. This causes one user's session to be associated with the other user's identity, effectively allowing session hijacking.
The root cause is that the singleton pattern returns a single shared instance per OAuth provider, and mutable fields like tokens and verifiers are overwritten by concurrent requests. This leads to unauthorized access and denial-of-service due to verifier overwrites.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Tinyauth allows an attacker to hijack another user's session by exploiting a race condition in the OAuth login flow, resulting in unauthorized access to the victim's resources.
This unauthorized access compromises the confidentiality and integrity of user data, which are critical requirements under common standards and regulations such as GDPR and HIPAA.
Specifically, GDPR mandates strict protection of personal data and requires organizations to implement appropriate technical measures to prevent unauthorized access. Similarly, HIPAA requires safeguarding electronic protected health information (ePHI) against unauthorized use or disclosure.
Because this vulnerability can lead to unauthorized disclosure and modification of sensitive information, it poses a significant risk to compliance with these regulations.
The patch in version 5.0.5 addresses this issue by eliminating shared mutable state in OAuth service instances, thereby preventing race conditions and unauthorized session hijacking.
How can this vulnerability impact me?
This vulnerability can severely impact the confidentiality and integrity of your authentication system. An attacker who times their OAuth callback to race with a victim's callback can hijack the victim's session and gain unauthorized access to all resources allowed by the victim's Tinyauth access control list.
The only availability impact is a denial of service when a PKCE verifier is overwritten mid-flow: the code exchange is then sent with the wrong verifier, and the OAuth provider rejects it.
Overall, it can lead to unauthorized access to sensitive data and resources, compromising user identities and security.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The simplest check is the installed version: any Tinyauth release before 5.0.5 is affected. To observe the defect itself, run Go's race detector against the OAuth service code of an affected release; it reports multiple data races on the token and PKCE verifier fields when logins for the same provider are exercised concurrently.
A suggested command to detect the race condition is to run the Go race detector during testing:
- `go test -race`
This command will help identify concurrent access issues in the OAuth service code, particularly on the mutable struct fields storing OAuth tokens and verifiers.
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation is to upgrade Tinyauth to version 5.0.5 or later, where this vulnerability has been patched.
The patch removes the shared mutable state by refactoring OAuth session management to use dedicated session cookies and avoids storing OAuth tokens and PKCE verifiers as mutable fields on singleton service instances.
Additional mitigation steps include:
- Avoid storing mutable OAuth state on singleton instances.
- Pass PKCE verifiers and access tokens explicitly as method parameters or return values instead of struct fields.
- Store PKCE verifiers in user sessions or cookies associated with the OAuth state parameter.
These changes eliminate shared mutable state and prevent race conditions that lead to session hijacking.
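The following Go program is an added illustration of the two shapes contrasted above (the shared singleton fields from the explanation earlier on this page, and the explicit-parameter form from the mitigation list); it is not Tinyauth's code, and every name in it (SharedService, PerRequestService, Start, VerifyCode, Userinfo, the authzRecord/issuedCodes/issuedTokens mock provider) is assumed. The mock provider enforces PKCE S256 on the code exchange, so replaying the interleavings one call at a time shows both outcomes the advisory describes: a verifier overwrite makes the provider reject the victim's exchange, and a token overwrite attaches the other user's identity to the victim's session. Against the hardened shape the same interleavings leave each user with their own identity. The replay is sequential on purpose so the result is deterministic; it is the concurrent version of these field writes in real code that `go test -race` reports.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Constructed stand-in for the OAuth provider (not a real client library).
type authzRecord struct{ challenge, user string }
var (
	issuedCodes  = map[string]authzRecord{} // authorization code -> challenge + signed-in user
	issuedTokens = map[string]string{}      // access token -> user identity
)
func randomString() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}
// s256 is the PKCE code_challenge: BASE64URL(SHA256(code_verifier)).
func s256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}
// authorize stands in for the redirect to the provider and the user signing in there.
func authorize(user, challenge string) (code string) {
	code = randomString()
	issuedCodes[code] = authzRecord{challenge, user}
	return code
}
// exchange issues a token only if the verifier matches the challenge bound to the code.
func exchange(code, verifier string) (string, error) {
	rec, ok := issuedCodes[code]
	if !ok || rec.challenge != s256(verifier) {
		return "", fmt.Errorf("invalid_grant: verifier does not match challenge")
	}
	token := randomString()
	issuedTokens[token] = rec.user
	return token, nil
}

// SharedService is the risky shape the advisory describes (names assumed): one instance
// per provider whose per-login verifier and token are fields every request reads and writes.
type SharedService struct {
	verifier string // overwritten by every Start
	token    string // overwritten by every VerifyCode
}
func (s *SharedService) Start(user string) (code string) {
	s.verifier = randomString()
	return authorize(user, s256(s.verifier))
}
func (s *SharedService) VerifyCode(code string) (err error) {
	s.token, err = exchange(code, s.verifier)
	return err
}
func (s *SharedService) Userinfo() string { return issuedTokens[s.token] }

// PerRequestService is the hardened shape: no mutable fields. Verifier and token go back
// to the caller, live only in that user's session (a cookie in the fix), and are passed back.
type PerRequestService struct{}
func (PerRequestService) Start(user string) (code, verifier string) {
	verifier = randomString()
	return authorize(user, s256(verifier)), verifier
}
func (PerRequestService) VerifyCode(code, verifier string) (string, error) { return exchange(code, verifier) }
func (PerRequestService) Userinfo(token string) string { return issuedTokens[token] }

// ReplayShared steps through both interleavings sequentially. It returns the provider's
// rejection caused by the verifier overwrite and the identity alice's session ends up with.
func ReplayShared() (verifierClash error, aliceSees string) {
	svc := &SharedService{}
	codeA := svc.Start("alice")
	_ = svc.Start("bob")                   // bob's Start overwrites alice's verifier
	verifierClash = svc.VerifyCode(codeA)  // alice's callback: the provider rejects the exchange
	_ = svc.VerifyCode(svc.Start("alice")) // a fresh attempt by alice succeeds...
	_ = svc.VerifyCode(svc.Start("bob"))   // ...but bob's exchange lands before her Userinfo
	return verifierClash, svc.Userinfo()   // "bob": alice's session now carries bob's identity
}

// ReplayPerRequest runs the same interleaving against the hardened service.
func ReplayPerRequest() (string, error) {
	svc := PerRequestService{}
	codeA, verifierA := svc.Start("alice") // verifierA lives in alice's session only
	codeB, verifierB := svc.Start("bob")   // verifierB lives in bob's session only
	tokenA, errA := svc.VerifyCode(codeA, verifierA)
	_, errB := svc.VerifyCode(codeB, verifierB)
	if errA != nil || errB != nil {
		return "", fmt.Errorf("exchange failed: %v %v", errA, errB)
	}
	return svc.Userinfo(tokenA), nil // "alice"
}

func main() {
	fmt.Println(ReplayShared())
	fmt.Println(ReplayPerRequest())
}
```

Running it prints the rejection error together with `bob` for the shared shape, and `alice <nil>` for the per-request shape. The design point is in the method signatures: once the verifier and token are return values and parameters rather than fields, there is no shared location for a second login to overwrite, which is why the mitigation list above can be satisfied without adding locks to the singleton.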