CVE-2026-32246 Overview
CVE-2026-32246 is an authentication bypass vulnerability in Tinyauth, an authentication and authorization server. Prior to version 5.0.3, the OIDC authorization endpoint improperly allows users with a TOTP-pending session (where the password has been verified but TOTP verification has not yet been completed) to obtain authorization codes. This flaw enables an attacker who knows a user's password but not their TOTP secret to obtain valid OIDC tokens, completely bypassing multi-factor authentication protection.
Critical Impact
This vulnerability allows complete bypass of TOTP-based multi-factor authentication, enabling attackers with stolen credentials to gain unauthorized access to protected resources without completing the second authentication factor.
Affected Products
- Tinyauth versions prior to 5.0.3
Discovery Timeline
- 2026-03-12 - CVE-2026-32246 published to NVD
- 2026-03-12 - Last updated in the NVD database
Technical Details for CVE-2026-32246
Vulnerability Analysis
This vulnerability (CWE-287: Improper Authentication) exists in the OIDC authorization flow of Tinyauth. The core issue lies in the authentication state machine, which fails to properly validate that all required authentication factors have been completed before issuing authorization codes.
When a user with TOTP-based MFA enabled initiates authentication, the system creates a session after successful password verification but before TOTP validation. The OIDC authorization endpoint incorrectly treats this intermediate "TOTP-pending" session state as fully authenticated, allowing the issuance of authorization codes that can be exchanged for valid access and ID tokens.
This represents a critical failure in the enforcement of multi-factor authentication, as the vulnerability reduces MFA-protected accounts to single-factor (password-only) security for OIDC-based authentication flows.
Root Cause
The root cause stems from insufficient session state validation in the OIDC authorization endpoint. The endpoint checks for the presence of an authenticated session but does not verify that all configured authentication factors have been successfully completed. The session management logic treats password-verified sessions as valid for authorization code generation, even when TOTP verification remains pending.
Attack Vector
The attack exploits the network-accessible OIDC authorization endpoint and requires the attacker to have knowledge of a target user's password. The attack flow proceeds as follows:
- The attacker initiates an authentication request using the victim's username and password
- Tinyauth validates the password and creates a TOTP-pending session
- Instead of completing TOTP verification, the attacker directly accesses the OIDC authorization endpoint with the pending session
- The authorization endpoint incorrectly issues an authorization code
- The attacker exchanges the authorization code for valid OIDC tokens, bypassing TOTP verification entirely
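The state-machine failure described in the root cause and attack flow sections, reduced to a minimal Go model. This is an added illustration and not Tinyauth's own code: the Session type, the FullyAuthenticated method, the two authorize functions and the authorization-code format are all hypothetical, and the real endpoint and session store are not reproduced. The vulnerable variant checks only that a password-verified session exists, which is the gap the root cause section describes; the hardened variant refuses to issue a code until every factor configured for the account has been completed.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Session is a hypothetical session record (not Tinyauth's type). It tracks
// which authentication factors the user has completed so far.
type Session struct {
	User         string
	PasswordOK   bool // password has been verified
	TOTPRequired bool // the account has TOTP enrolled
	TOTPOK       bool // a valid TOTP code has been presented
}

// ErrUnauthenticated is returned when a session may not receive an
// authorization code.
var ErrUnauthenticated = errors.New("session has not completed all required factors")

// FullyAuthenticated reports whether every factor configured for the account
// has been completed. A TOTP-pending session (password verified, TOTP
// required, TOTP not yet verified) is NOT fully authenticated.
func (s Session) FullyAuthenticated() bool {
	if !s.PasswordOK {
		return false
	}
	if s.TOTPRequired && !s.TOTPOK {
		return false
	}
	return true
}

// vulnerableAuthorize models the pre-5.0.3 behaviour described above: the
// endpoint only checks that a password-verified session exists, so a
// TOTP-pending session still receives an authorization code.
func vulnerableAuthorize(s Session) (string, error) {
	if !s.PasswordOK {
		return "", ErrUnauthenticated
	}
	return newAuthCode()
}

// hardenedAuthorize gates code issuance on FullyAuthenticated, i.e. the
// check the root cause section says was missing.
func hardenedAuthorize(s Session) (string, error) {
	if !s.FullyAuthenticated() {
		return "", ErrUnauthenticated
	}
	return newAuthCode()
}

// newAuthCode returns a random 128-bit code, hex encoded (a stand-in for
// whatever format the real server uses).
func newAuthCode() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

func main() {
	// Constructed scenario: the attacker knows alice's password, alice has
	// TOTP enrolled, and the TOTP step has not been completed.
	pending := Session{User: "alice", PasswordOK: true, TOTPRequired: true}

	code, err := vulnerableAuthorize(pending)
	fmt.Printf("vulnerable: code=%q err=%v\n", code, err) // code issued: MFA bypassed

	code, err = hardenedAuthorize(pending)
	fmt.Printf("hardened:   code=%q err=%v\n", code, err) // refused

	// Once the TOTP step is completed the hardened endpoint behaves normally.
	pending.TOTPOK = true
	code, err = hardenedAuthorize(pending)
	fmt.Printf("hardened (TOTP done): code=%q err=%v\n", code, err)
}
```

The point of the hardened check is that "a session exists" and "the session has finished authenticating" are different predicates; any endpoint that hands out credentials (authorization codes, tokens, cookies) must test the second one, and it must do so against the factors configured for that account rather than a global MFA-on/off flag.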
This vulnerability is particularly dangerous in scenarios where passwords have been compromised through phishing, credential stuffing, or data breaches, as MFA is specifically designed to protect against such credential theft.
Detection Methods for CVE-2026-32246
Indicators of Compromise
- OIDC authorization code requests from sessions where TOTP verification was never completed
- Successful token issuance events that lack corresponding TOTP verification success logs
- Authentication logs showing password verification followed by immediate OIDC authorization without TOTP completion
- Anomalous login patterns where users authenticate via OIDC without MFA challenges
Detection Strategies
- Implement correlation rules to detect OIDC authorization events that occur without corresponding TOTP verification events in the same session
- Monitor for authorization code generation from sessions in TOTP-pending state
- Alert on authentication sequences that skip MFA verification steps but proceed to token issuance
- Audit OIDC token grants and correlate with complete authentication event chains
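One way to run the correlation rule above over authentication logs, as an added example rather than anything shipped with Tinyauth. The log format (one event per line, space-separated key=value fields, event names password_ok, totp_ok and oidc_authorize) and the set of TOTP-enrolled users are assumptions; adapt the parser to the fields your deployment actually emits. The rule replays events per session in log order and flags an authorization-code grant for a TOTP-enrolled account whose session has no earlier TOTP success, while leaving accounts without TOTP alone, since for them a password-only session is legitimately complete.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// sampleLog is a constructed log excerpt in an assumed key=value format.
// Session s1 completes TOTP before authorization (benign); s2 is granted a
// code with no TOTP event (the bypass pattern); s3 belongs to bob, who has
// no TOTP enrolled, so password-only is complete for him.
const sampleLog = `ts=2026-03-12T10:00:01Z event=password_ok session=s1 user=alice
ts=2026-03-12T10:00:09Z event=totp_ok session=s1 user=alice
ts=2026-03-12T10:00:10Z event=oidc_authorize session=s1 user=alice client=app1
ts=2026-03-12T10:05:00Z event=password_ok session=s2 user=alice
ts=2026-03-12T10:05:02Z event=oidc_authorize session=s2 user=alice client=app1
ts=2026-03-12T10:07:00Z event=password_ok session=s3 user=bob
ts=2026-03-12T10:07:30Z event=oidc_authorize session=s3 user=bob client=app2
`

type event struct {
	ts, name, session, user string
}

// parseLine extracts the fields the rule needs from one key=value line.
func parseLine(line string) (event, bool) {
	var e event
	for _, f := range strings.Fields(line) {
		kv := strings.SplitN(f, "=", 2)
		if len(kv) != 2 {
			continue
		}
		switch kv[0] {
		case "ts":
			e.ts = kv[1]
		case "event":
			e.name = kv[1]
		case "session":
			e.session = kv[1]
		case "user":
			e.user = kv[1]
		}
	}
	return e, e.name != "" && e.session != ""
}

// Finding describes one OIDC authorization-code grant that happened in a
// session which had not completed TOTP at that moment.
type Finding struct {
	Session, User, AuthorizedAt string
}

// FindMFASkips replays the log per session and flags every oidc_authorize
// event for a TOTP-enrolled user whose session has not yet produced a
// totp_ok event. A totp_ok that arrives after the grant does not clear the
// finding: the grant was made while the session was still pending.
func FindMFASkips(log string, totpUsers map[string]bool) []Finding {
	totpSeen := map[string]bool{}
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		e, ok := parseLine(sc.Text())
		if !ok {
			continue
		}
		switch e.name {
		case "totp_ok":
			totpSeen[e.session] = true
		case "oidc_authorize":
			if totpUsers[e.user] && !totpSeen[e.session] {
				out = append(out, Finding{Session: e.session, User: e.user, AuthorizedAt: e.ts})
			}
		}
	}
	return out
}

func main() {
	// Constructed enrolment table: alice has TOTP, bob does not.
	enrolled := map[string]bool{"alice": true}
	for _, f := range FindMFASkips(sampleLog, enrolled) {
		fmt.Printf("ALERT session=%s user=%s authorized at %s without TOTP\n",
			f.Session, f.User, f.AuthorizedAt)
	}
}
```

Keying the rule on the per-account TOTP enrolment is what keeps it from paging on every user who simply has no second factor; a rule that fires on "authorize without totp_ok" alone will drown the real hits in that noise.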
Monitoring Recommendations
- Enable detailed authentication logging including session state transitions
- Implement real-time alerting for MFA bypass patterns in authentication flows
- Review OIDC authorization logs for sessions that never completed full authentication
- Monitor for credential stuffing attempts that may be targeting this vulnerability
How to Mitigate CVE-2026-32246
Immediate Actions Required
- Upgrade Tinyauth to version 5.0.3 or later immediately
- Review OIDC authorization logs for potential exploitation attempts
- Force re-authentication for all active sessions so that every user completes the TOTP step under the fixed code
- Audit any accounts that may have been accessed via OIDC during the vulnerable period; upgrading does not invalidate tokens an attacker has already obtained, so treat any token issued to a session that never completed TOTP as compromised until it expires
Patch Information
The vulnerability is fixed in Tinyauth version 5.0.3. Organizations should update to this version or later to remediate the vulnerability. For more information, refer to the GitHub Security Advisory.
Workarounds
- If immediate patching is not possible, consider temporarily disabling OIDC functionality until the upgrade can be performed; this is the only workaround that fully closes the bypass
- Implement network-level restrictions to limit access to the OIDC authorization endpoint; this only helps where legitimate OIDC logins originate from a trusted network, since an attacker holding a stolen password needs no more network access than a legitimate user
- Deploy additional monitoring to detect exploitation attempts
- Consider requiring additional authentication factors or session validation at the application layer (for example, at the relying party itself) for critical resources
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

