{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-19T08:34:24.396","vulnerabilities":[{"cve":{"id":"CVE-2026-32246","sourceIdentifier":"security-advisories@github.com","published":"2026-03-12T19:16:19.577","lastModified":"2026-03-19T20:35:26.040","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC authorization endpoint allows users with a TOTP-pending session (password verified, TOTP not yet completed) to obtain authorization codes. An attacker who knows a user's password but not their TOTP secret can obtain valid OIDC tokens, completely bypassing the second factor. This vulnerability is fixed in 5.0.3."},{"lang":"es","value":"Tinyauth es un servidor de autenticación y autorización. Anteriormente a la 5.0.3, el endpoint de autorización OIDC permite a los usuarios con una sesión TOTP pendiente (contraseña verificada, TOTP aún no completado) obtener códigos de autorización. Un atacante que conoce la contraseña de un usuario pero no su secreto TOTP puede obtener tokens OIDC válidos, eludiendo completamente el segundo factor. Esta vulnerabilidad se ha corregido en la versión 5.0.3."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N","baseScore":8.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.1,"impactScore":4.7},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":4.2}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-287"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:tinyauth:tinyauth:*:*:*:*:*:*:*:*","versionEndIncluding":"5.0.2","matchCriteriaId":"937C7D56-16AC-4536-B16E-D9057C5971DE"}]}]}],"references":[{"url":"https://github.com/steveiliop56/tinyauth/security/advisories/GHSA-3q28-qjrv-qr39","source":"security-advisories@github.com","tags":["Exploit","Third Party Advisory"]}]}}]}