Tinyauth has OAuth account confusion via shared mutable state on singleton service instances

Description

Summary

All three OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService) store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent requests. When two users initiate OAuth login for the same provider concurrently, a race condition between VerifyCode() and Userinfo() causes one user to receive a session with the other user's identity.

Details

The OAuthBrokerService.GetService() returns a single shared instance per provider for every request. The OAuth flow stores intermediate state as struct fields on this singleton:

Token storagegeneric_oauth_service.go line 96:

generic.token = token  // Shared mutable field on singleton

Verifier storagegeneric_oauth_service.go line 81:

generic.verifier = verifier  // Shared mutable field on singleton

In the callback handler oauth_controller.go lines 136–143, the code calls:

err = service.VerifyCode(code)                       // line 136 — stores token on singleton
// ... race window ...
user, err := controller.broker.GetUser(req.Provider)  // line 143 — reads token from singleton

Between these two calls, a concurrent request's VerifyCode() can overwrite the token field, causing GetUser()Userinfo() to fetch the wrong user's identity claims.

The same pattern exists in all three implementations:
- github_oauth_service.go lines 34–39, 77, 86–99
- google_oauth_service.go lines 22–27, 65, 73–87

PoC

Race scenario (two concurrent OAuth callbacks):

  1. User A and User B both click "Login with GitHub" on the same tinyauth instance
  2. Both are redirected to GitHub, authorize, and GitHub redirects both back with authorization codes
  3. Both callbacks arrive at tinyauth nearly simultaneously:
Timeline:
  t0: Request A → service.VerifyCode(codeA) → singleton.token = tokenA
  t1: Request B → service.VerifyCode(codeB) → singleton.token = tokenB  (overwrites tokenA)
  t2: Request A → broker.GetUser("github")  → Userinfo() reads singleton.token = tokenB
  t3: Request A receives User B's identity (email, name, groups)

User A now has a tinyauth session with User B's email, gaining access to all resources User B is authorized for via tinyauth's ACL.

PKCE verifier DoS variant: Even with PKCE, concurrent oauthURLHandler calls overwrite the verifier field, causing VerifyCode() to send the wrong verifier to the OAuth provider, which rejects the exchange.

Static verification: Run Go's race detector on a test that calls VerifyCode and Userinfo concurrently on the same service instance — the -race flag will flag data races on the token and verifier fields.

Go race detector confirmation: Running a concurrent test with go test -race on the singleton service detects 4 data races on the token and verifier fields. Without the race detector, measured token overwrite rate is 99.9% (9,985/10,000 iterations).

Test environment: tinyauth v5.0.4, commit 592b7ded, Go race detector + source code analysis

Impact

An attacker who times their OAuth callback to race with a victim's callback can obtain a tinyauth session with the victim's identity. This grants unauthorized access to all resources the victim is permitted to access through tinyauth's ACL system. The probability of collision increases with concurrent OAuth traffic.

The PKCE verifier overwrite additionally causes a denial-of-service: concurrent OAuth logins for the same provider reliably fail.

Suggested Fix

Pass verifier and token through method parameters or return values instead of storing them on the singleton:

func (generic *GenericOAuthService) VerifyCode(code string, verifier string) (*oauth2.Token, error) {
    return generic.config.Exchange(generic.context, code, oauth2.VerifierOption(verifier))
}

func (generic *GenericOAuthService) Userinfo(token *oauth2.Token) (config.Claims, error) {
    client := generic.config.Client(generic.context, token)
    // ...
}

Store the PKCE verifier in the session/cookie associated with the OAuth state parameter, not on the service struct.

Basic information

Type
reviewed
Severity
high
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-04-01 19:52:04 UTC
Updated
2026-04-06 17:18:25 UTC
GitHub reviewed
2026-04-01 19:52:04 UTC
NVD published
2026-04-02

EPSS Score

Score Percentile
0.05% 14.37%

CVSS Scores

Base score Version Severity Vector
7.7 3.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:C)
Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:N)
Service keeps running; no real outage angle.

Identifiers

CWEs

CWE id Name
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Credits

  • kq5y (reporter)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
go github.com/steveiliop56/tinyauth < 1.0.1-0.20260401140714-fc1d4f2082a5 1.0.1-0.20260401140714-fc1d4f2082a5

References

cvelogic Threat Intelligence