CVE-2026-32245

CVE-2026-32245 concerns Tinyauth, an authentication/authorization server. The issue, present before 5.0.3, is that the OIDC token endpoint does not verify that the client exchanging an authorization code is the same client to which the code was issued. A malicious OIDC client operator can exchang...

CVE-2026-32245 Tinyauth's OIDC authorization codes are not bound to client on token exchange

Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC token endpoint does not verify that the client exchanging an authorization code is the same client the code was issued to. A malicious OIDC client operator can exchange another client's authorization code using their...

CVE-2026-32235

Backstage is an open framework for building developer portals. Prior to 0.27.1, the experimental OIDC provider in @backstage/plugin-auth-backend is vulnerable to a redirect URI allowlist bypass. Instances that have enabled experimental Dynamic Client Registration or Client ID Metadata Documents a...

GHSA-3Q28-QJRV-QR39 Tinyauth vulnerable to TOTP/2FA bypass via OIDC authorize endpoint

Summary The OIDC authorization endpoint allows users with a TOTP-pending session password verified, TOTP not yet completed to obtain authorization codes. An attacker who knows a user's password but not their TOTP secret can obtain valid OIDC tokens, completely bypassing the second factor. Details...

Tinyauth vulnerable to TOTP/2FA bypass via OIDC authorize endpoint

Summary The OIDC authorization endpoint allows users with a TOTP-pending session password verified, TOTP not yet completed to obtain authorization codes. An attacker who knows a user's password but not their TOTP secret can obtain valid OIDC tokens, completely bypassing the second factor. Details...

GHSA-XG2Q-62G2-CVCM Tinyauth's OIDC authorization codes are not bound to client on token exchange

Summary The OIDC token endpoint does not verify that the client exchanging an authorization code is the same client the code was issued to. A malicious OIDC client operator can exchange another client's authorization code using their own client credentials, obtaining tokens for users who never...

GHSA-WQVH-63MV-9W92 @backstage/plugin-auth-backend: OAuth redirect URI allowlist bypass

Impact The experimental OIDC provider in @backstage/plugin-auth-backend is vulnerable to a redirect URI allowlist bypass. Instances that have enabled experimental Dynamic Client Registration or Client ID Metadata Documents and configured allowedRedirectUriPatterns are affected. A specially crafte...

PT-2026-25055

Name of the Vulnerable Software and Affected Versions Tinyauth versions prior to 5.0.3 Description Tinyauth is an authentication and authorization server. The OIDC token endpoint does not verify that the client exchanging an authorization code is the same client to which the code was originally...

GO-2026-4656 Pocket ID: OIDC authorization code validation uses AND instead of OR, allowing cross-client token exchange in github.com/pocket-id/pocket-id/backend

Pocket ID: OIDC authorization code validation uses AND instead of OR, allowing cross-client token exchange in github.com/pocket-id/pocket-id/backend...

CVE-2026-28512

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. From 2.0.0 to before 2.4.0, a flaw in callback URL validation allowed crafted redirecturi values containing URL userinfo @ to bypass legitimate callback pattern checks. If an attacker can trick a...

CVE-2026-28512

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. From 2.0.0 to before 2.4.0, a flaw in callback URL validation allowed crafted redirecturi values containing URL userinfo @ to bypass legitimate callback pattern checks. If an attacker can trick a...

CVE-2026-28513

Pocket ID is an OIDC provider. Before version 2.4.0, the token endpoint could accept an authorization code that is expired when the client ID is correct, enabling cross-client code reuse and expired-code reuse. The issue is fixed in 2.4.0. No exploitation path details are provided beyond that, an...

CVE-2026-28513 Pocket ID: OIDC authorization code validation uses AND instead of OR, allowing cross-client token exchange

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.4.0, the OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse...

EUVD-2026-10409

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.4.0, the OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse...

CVE-2026-28513 Pocket ID: OIDC authorization code validation uses AND instead of OR, allowing cross-client token exchange

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.4.0, the OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse...

EUVD-2026-10407

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. From 2.0.0 to before 2.4.0, a flaw in callback URL validation allowed crafted redirecturi values containing URL userinfo @ to bypass legitimate callback pattern checks. If an attacker can trick a...

CVE-2026-28512

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. From 2.0.0 to before 2.4.0, a flaw in callback URL validation allowed crafted redirecturi values containing URL userinfo @ to bypass legitimate callback pattern checks. If an attacker can trick a...

CVE-2026-28512 Pocket ID: OAuth redirect_uri validation bypass via userinfo/host confusion

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. From 2.0.0 to before 2.4.0, a flaw in callback URL validation allowed crafted redirecturi values containing URL userinfo @ to bypass legitimate callback pattern checks. If an attacker can trick a...

Pocket ID: OIDC authorization code validation uses AND instead of OR, allowing cross-client token exchange

Summary The OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse. Details backend/internal/service/oidcservice.go:407 go if authorizationCodeMetaData.ClientID != input.ClientI...

GHSA-QH6Q-598W-W6M2 Pocket ID: OIDC authorization code validation uses AND instead of OR, allowing cross-client token exchange

Summary The OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse. Details backend/internal/service/oidcservice.go:407 go if authorizationCodeMetaData.ClientID != input.ClientI...