{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-32246","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-03-11T14:47:05.685Z","datePublished":"2026-03-12T18:59:20.875Z","dateUpdated":"2026-03-12T20:46:24.238Z"},"containers":{"cna":{"title":"Tinyauth vulnerable to TOTP/2FA bypass via OIDC authorize endpoint","problemTypes":[{"descriptions":[{"cweId":"CWE-287","lang":"en","description":"CWE-287: Improper Authentication","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":8.5,"baseSeverity":"HIGH","confidentialityImpact":"LOW","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N","version":"3.1"}}],"references":[{"name":"https://github.com/steveiliop56/tinyauth/security/advisories/GHSA-3q28-qjrv-qr39","tags":["x_refsource_CONFIRM"],"url":"https://github.com/steveiliop56/tinyauth/security/advisories/GHSA-3q28-qjrv-qr39"}],"affected":[{"vendor":"steveiliop56","product":"tinyauth","versions":[{"version":"< 5.0.3","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-03-12T18:59:20.875Z"},"descriptions":[{"lang":"en","value":"Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC authorization endpoint allows users with a TOTP-pending session (password verified, TOTP not yet completed) to obtain authorization codes. An attacker who knows a user's password but not their TOTP secret can obtain valid OIDC tokens, completely bypassing the second factor. \nThis vulnerability is fixed in 5.0.3."}],"source":{"advisory":"GHSA-3q28-qjrv-qr39","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-03-12T20:43:38.639462Z","id":"CVE-2026-32246","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-03-12T20:46:24.238Z"}}]}}