CVE-2026-33544: Tinyauth has OAuth account confusion via shared mutable state on singleton service instances
All three OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService) store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent requests. When two users initiate OAuth login for the same provider concurrently, a race condition between VerifyCode() and Userinfo() causes one user to receive a session with the other user’s identity.
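The race described above, reduced to a deterministic model, as an added example that is not Tinyauth's code or its patch. The type names, the single `token` field (the PKCE verifier is omitted), the method signatures and the sample codes and identities are all constructed for illustration.

```go
package main

import "fmt"

// Constructed stand-ins for the provider: authorization code -> token -> identity.
var idp = map[string]string{"code-alice": "tok-alice", "code-bob": "tok-bob"}
var users = map[string]string{"tok-alice": "alice@example.test", "tok-bob": "bob@example.test"}

// SharedService models the flawed pattern (hypothetical type): one instance
// serves every request and keeps the exchanged token in a struct field.
type SharedService struct{ token string }

func (s *SharedService) VerifyCode(code string) { s.token = idp[code] }
func (s *SharedService) Userinfo() string       { return users[s.token] }

// StatelessService models one corrected pattern (hypothetical type): the token
// is returned to the caller and passed back in, so it stays in request scope.
type StatelessService struct{}

func (StatelessService) VerifyCode(code string) string { return idp[code] }
func (StatelessService) Userinfo(token string) string  { return users[token] }

// InterleavedShared replays the problematic ordering in a single goroutine:
// both callbacks complete VerifyCode before either one calls Userinfo.
func InterleavedShared() (alice, bob string) {
	svc := &SharedService{}
	svc.VerifyCode("code-alice")
	svc.VerifyCode("code-bob") // overwrites the token stored for the first request
	return svc.Userinfo(), svc.Userinfo()
}

// InterleavedStateless applies the same ordering with per-request tokens.
func InterleavedStateless() (alice, bob string) {
	svc := StatelessService{}
	ta := svc.VerifyCode("code-alice")
	tb := svc.VerifyCode("code-bob")
	return svc.Userinfo(ta), svc.Userinfo(tb)
}

func main() {
	a, b := InterleavedShared()
	fmt.Println("shared field:", a, b)
	a, b = InterleavedStateless()
	fmt.Println("per-request: ", a, b)
}
```

In a real server the two callbacks run on separate goroutines, so the overwrite depends on timing rather than happening every time. A mutex around the field removes the data race but not the confusion between the two calls, which is why the state has to move out of the shared struct.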