Executive Summary

CVE-2026-33544 is a high-severity race condition vulnerability in the Tinyauth OAuth service implementations prior to version 5.0.5. The issue arises because the OAuth services store mutable OAuth state—specifically PKCE verifiers and access tokens—as struct fields on singleton instances shared across all concurrent requests.

When two users concurrently initiate OAuth login with the same provider, a race condition occurs between the VerifyCode() and Userinfo() functions. This causes one user's session to be associated with the other user's identity, effectively allowing session hijacking.

The root cause is that the singleton pattern returns a single shared instance per OAuth provider, and mutable fields like tokens and verifiers are overwritten by concurrent requests. This leads to unauthorized access and denial-of-service due to verifier overwrites.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in Tinyauth allows an attacker to hijack another user's session by exploiting a race condition in the OAuth login flow, resulting in unauthorized access to the victim's resources.

This unauthorized access compromises the confidentiality and integrity of user data, which are critical requirements under common standards and regulations such as GDPR and HIPAA.

Specifically, GDPR mandates strict protection of personal data and requires organizations to implement appropriate technical measures to prevent unauthorized access. Similarly, HIPAA requires safeguarding electronic protected health information (ePHI) against unauthorized use or disclosure.

Because this vulnerability can lead to unauthorized disclosure and modification of sensitive information, it poses a significant risk to compliance with these regulations.

The patch in version 5.0.5 addresses this issue by eliminating shared mutable state in OAuth service instances, thereby preventing race conditions and unauthorized session hijacking.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can severely impact the confidentiality and integrity of your authentication system. An attacker who times their OAuth callback to race with a victim's callback can hijack the victim's session and gain unauthorized access to all resources allowed by the victim's Tinyauth access control list.

The vulnerability does not affect availability except for denial-of-service caused by PKCE verifier overwrites, which cause OAuth providers to reject exchanges.

Overall, it can lead to unauthorized access to sensitive data and resources, compromising user identities and security.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by identifying race conditions in the OAuth service implementations of Tinyauth prior to version 5.0.5. Specifically, running Go's race detector on the Tinyauth codebase will reveal multiple data races on the token and PKCE verifier fields.

A suggested command to detect the race condition is to run the Go race detector during testing:

• go test -race

This command will help identify concurrent access issues in the OAuth service code, particularly on the mutable struct fields storing OAuth tokens and verifiers.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and recommended mitigation is to upgrade Tinyauth to version 5.0.5 or later, where this vulnerability has been patched.

The patch removes the shared mutable state by refactoring OAuth session management to use dedicated session cookies and avoids storing OAuth tokens and PKCE verifiers as mutable fields on singleton service instances.

Additional mitigation steps include:

• Avoid storing mutable OAuth state on singleton instances.
• Pass PKCE verifiers and access tokens explicitly as method parameters or return values instead of struct fields.
• Store PKCE verifiers in user sessions or cookies associated with the OAuth state parameter.

These changes eliminate shared mutable state and prevent race conditions that lead to session hijacking.

Useful 0 Not Useful 0