Vulnerability Details CVE-2026-32246
Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC authorization endpoint allows users with a TOTP-pending session (password verified, TOTP not yet completed) to obtain authorization codes. An attacker who knows a user's password but not their TOTP secret can obtain valid OIDC tokens, completely bypassing the second factor. This vulnerability is fixed in 5.0.3.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 15.1%
CVSS Severity
CVSS v3 Score 8.5