Platform: go
Component: github.com/steveiliop56/tinyauth
Fixed in: 5.0.6, 1.0.1-0.20260401140714-fc1d4f2082a5
CVE-2026-33544 is a critical OAuth identity confusion vulnerability affecting the tinyauth Go library. This flaw arises from a race condition in how OAuth verifiers and access tokens are handled, potentially allowing an attacker to impersonate another user. The vulnerability impacts versions before 1.0.1-0.20260401140714-fc1d4f2082a5, and a fix has been released.
The core of the vulnerability lies in the shared, mutable state of the OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService). When two users concurrently initiate OAuth login for the same provider, a race condition occurs between the VerifyCode() and Userinfo() functions. This allows one user's session to be hijacked by another, effectively granting the attacker access to the victim's account and associated data. The impact is significant, as an attacker can gain full control over the victim's account without needing their credentials. This could lead to data breaches, unauthorized actions, and further compromise of the system.
As of this writing, there is no public proof-of-concept (POC) available for CVE-2026-33544. The vulnerability was disclosed on 2026-04-01. The EPSS score is currently unavailable, but the HIGH CVSS score and the potential for session hijacking suggest a medium probability of exploitation. It is recommended to prioritize patching this vulnerability.
Exploit Status
EPSS: 0.05% (14th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to immediately upgrade to version 1.0.1-0.20260401140714-fc1d4f2082a5 or later. If upgrading is not immediately feasible, consider implementing a temporary workaround by ensuring that OAuth login requests are serialized to prevent concurrent processing. This can be achieved through rate limiting or queuing mechanisms. Monitor application logs for unusual login activity or session behavior. After upgrading, confirm the fix by performing concurrent OAuth login tests with different user accounts to verify that session isolation is maintained.
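To make the bug class concrete, here is an added illustration that is not tinyauth's code and does not reproduce its internals: a hypothetical `SharedStateService` keeps the access token in a struct field between `VerifyCode` and `Userinfo`, exactly the shared, mutable state the description above points at, while `PerRequestService` shows the hardened shape in which the token travels with the request. The provider, the authorization codes, the tokens and the two identities are constructed sample data; `InterleavedLogin` reproduces the identity confusion deterministically, and `ConcurrentMismatches` is the kind of session-isolation check the mitigation text recommends running after upgrading.

```go
package main

import (
	"fmt"
	"sync"
)

// Identity is what the provider's userinfo endpoint returns for a token.
type Identity struct {
	Subject string
	Email   string
}

// fakeProvider stands in for the remote OAuth provider. All codes, tokens
// and identities are constructed sample data for this illustration.
var fakeProvider = struct {
	codes  map[string]string   // authorization code -> access token
	tokens map[string]Identity // access token -> identity
}{
	codes: map[string]string{"code-alice": "tok-alice", "code-bob": "tok-bob"},
	tokens: map[string]Identity{
		"tok-alice": {Subject: "1001", Email: "alice@example.com"},
		"tok-bob":   {Subject: "1002", Email: "bob@example.com"},
	},
}

// SharedStateService models the vulnerable design: one instance per provider
// keeps the token in a field between VerifyCode and Userinfo. The mutex makes
// each field access safe but does not make the two-call sequence atomic, so
// two logins in flight can still swap tokens.
type SharedStateService struct {
	mu    sync.Mutex
	token string
}

// VerifyCode exchanges the code and stores the token on the shared struct.
func (s *SharedStateService) VerifyCode(code string) error {
	tok, ok := fakeProvider.codes[code]
	if !ok {
		return fmt.Errorf("invalid authorization code")
	}
	s.mu.Lock()
	s.token = tok
	s.mu.Unlock()
	return nil
}

// Userinfo resolves whatever token is stored right now, which may belong to
// another user's login flow.
func (s *SharedStateService) Userinfo() (Identity, error) {
	s.mu.Lock()
	tok := s.token
	s.mu.Unlock()
	if id, ok := fakeProvider.tokens[tok]; ok {
		return id, nil
	}
	return Identity{}, fmt.Errorf("unknown token")
}

// PerRequestService is the hardened form: no per-login state on the struct.
// VerifyCode returns the token and Userinfo takes it as an argument.
type PerRequestService struct{}

func (PerRequestService) VerifyCode(code string) (string, error) {
	if tok, ok := fakeProvider.codes[code]; ok {
		return tok, nil
	}
	return "", fmt.Errorf("invalid authorization code")
}

func (PerRequestService) Userinfo(token string) (Identity, error) {
	if id, ok := fakeProvider.tokens[token]; ok {
		return id, nil
	}
	return Identity{}, fmt.Errorf("unknown token")
}

// InterleavedLogin reproduces the confusion deterministically: Bob's code is
// verified between Alice's VerifyCode and her Userinfo call, so the identity
// returned is the one Alice's session would be created with.
func InterleavedLogin() Identity {
	svc := &SharedStateService{}
	_ = svc.VerifyCode("code-alice")
	_ = svc.VerifyCode("code-bob") // second login lands between Alice's two calls
	id, _ := svc.Userinfo()
	return id
}

// ConcurrentMismatches runs n login flows per user concurrently through the
// per-request design and counts flows that got an error or the wrong identity.
// A correct implementation returns 0.
func ConcurrentMismatches(n int) int {
	var svc PerRequestService
	var wg sync.WaitGroup
	var mu sync.Mutex
	mismatches := 0
	for i := 0; i < n; i++ {
		for _, user := range []string{"alice", "bob"} {
			wg.Add(1)
			go func(user string) {
				defer wg.Done()
				tok, err := svc.VerifyCode("code-" + user)
				var id Identity
				if err == nil {
					id, err = svc.Userinfo(tok)
				}
				if err != nil || id.Email != user+"@example.com" {
					mu.Lock()
					mismatches++
					mu.Unlock()
				}
			}(user)
		}
	}
	wg.Wait()
	return mismatches
}

func main() {
	fmt.Println("shared-state design, interleaved logins:", InterleavedLogin())
	fmt.Println("per-request design, mismatches under concurrency:", ConcurrentMismatches(100))
}
```

The shared-state version hands Alice a session built from Bob's identity even though every field access is locked; the defect is that login state outlives a single request, not that a lock is missing. Serializing requests, as the workaround above suggests, narrows the window but only the per-request design removes it.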
Update Tinyauth to version 5.0.5 or higher. This version fixes a race condition that could allow a user to receive a session with another user's identity during OAuth login.
CVE-2026-33544 is a HIGH severity vulnerability in tinyauth's OAuth service implementations. A race condition allows attackers to hijack user sessions, potentially granting them unauthorized access to user accounts.
You are affected if your application uses tinyauth for OAuth authentication and is running a version prior to 1.0.1-0.20260401140714-fc1d4f2082a5. Assess your dependencies and upgrade immediately.
Upgrade to version 1.0.1-0.20260401140714-fc1d4f2082a5 or later. If immediate upgrade is not possible, implement temporary serialization of OAuth login requests.
As of now, there are no confirmed reports of active exploitation. However, the HIGH CVSS score and potential for session hijacking warrant immediate attention and patching.
Refer to the project's GitHub repository for updates and advisories: https://github.com/steveiliop56/tinyauth