Your OAuth2 endpoint is not at all following best practices. When the authorization_code is generated it is stored without a timeout. Now according to https://www.rfc-editor.org/rfc/rfc6749#section-4.1.2 10 minutes is recommended. As the goal is that is gets used almost directly or not at all.
Now there is a debate maybe to have on the 10 minutes. But there is kind of a big difference between 10 minutes and no timeout at all.
An attacker that obtains this code could possibly easily redeem it in the future.
Or an attacker could just keep trying codes.