CVE-2026-45690 Nextcloud: Two-Factor Authentication Bypass via Pending Session Token Replay

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an authentication bypass vulnerability allowed attackers with knowledge of a user's password to circumvent two-factor authentication 2FA protections...

Two-Factor Authentication Bypass via Pending Session Token Replay

None...

CVE-2026-32246 Tinyauth vulnerable to TOTP/2FA bypass via OIDC authorize endpoint

Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC authorization endpoint allows users with a TOTP-pending session password verified, TOTP not yet completed to obtain authorization codes. An attacker who knows a user's password but not their TOTP secret can obtain...

Tinyauth vulnerable to TOTP/2FA bypass via OIDC authorize endpoint

Summary The OIDC authorization endpoint allows users with a TOTP-pending session password verified, TOTP not yet completed to obtain authorization codes. An attacker who knows a user's password but not their TOTP secret can obtain valid OIDC tokens, completely bypassing the second factor. Details...