4 matches found

Vulnrichment
added 2026/04/02 3:0 p.m., 1 views

CVE-2026-33544 Tinyauth has OAuth account confusion via shared mutable state on singleton service instances

Tinyauth is an authentication and authorization server. Prior to version 5.0.5, all three OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService) store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent...

CVSS 7.7, AI score 5.8, EPSS 0.00338
Exploits: 1, References: 3
Github Security Blog
added 2026/04/01 7:52 p.m., 7 views

Tinyauth has OAuth account confusion via shared mutable state on singleton service instances

Summary: All three OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService) store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent requests. When two users initiate OAuth login for the same provider...

CVSS 7.7, AI score 6, EPSS 0.00338
Exploits: 1, References: 5, Affected Software: 1
vulnersOsv
added 2025/01/31 5:34 p.m., 2 views

com.bertoncelj.wildflysingletonservice:wildfly-singleton-service (=1.0.1), com.puresoltechnologies.purifinity.server:systemmonitor.test (>=0.4.0 <=0.4.1) +165 more potentially affected by CVE-2025-23367 via org.wildfly.core:wildfly-server (>=1.0.0.Alpha16 <=27.0.0.Final)

org.wildfly.core:wildfly-server MAVEN version =1.0.0.Alpha16, =0.4.0, =0.4.0, =0.4.0, =1.2.0, =0.1.0, =0.1.0, =0.12.0.Final, =0.1.0, =1.0.0.Alpha7, =0.1.0, =1.0.0.Alpha7, =1.0.0.Alpha8 and more Source cves: CVE-2025-23367 Source advisory: OSV:GHSA-QR6X-62GQ-4CCP...

CVSS 6.5, AI score 6.5, EPSS 0.00626
Exploits: 0
vulnersOsv
added 2022/05/24 7:10 p.m., 4 views

br.eti.clairton:ds-test (=0.4.0), com.bertoncelj.wildflysingletonservice:wildfly-singleton-service (>=1.1.0 <=1.2.1) +312 more potentially affected by CVE-2021-3642 via org.wildfly.security:wildfly-elytron (>=1.0.0.Alpha1 <=1.10.0.Final)

org.wildfly.security:wildfly-elytron MAVEN version =1.0.0.Alpha1, =1.1.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =0.6.0.Beta1, =1.0.0.Alpha4, =0.29.0.Final, =0.15.0.Final, =0.29.0.Final, =0.18.0.Final, =1.0.1.Final and more Source cves: CVE-2021-3642 Source advisory: OSV:GHSA-5499-QJVH-6...

CVSS 5.3, AI score 6.4, EPSS 0.00846
Exploits: 0