{"id":"GO-2026-4689","summary":"Tinyauth's OIDC authorization codes are not bound to client on token exchange in github.com/steveiliop56/tinyauth","details":"Tinyauth's OIDC authorization codes are not bound to client on token exchange in github.com/steveiliop56/tinyauth.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/steveiliop56/tinyauth before v1.0.1-20260311144920-9eb2d33064b7.","aliases":["CVE-2026-32245","GHSA-xg2q-62g2-cvcm"],"modified":"2026-03-23T04:52:55.595862Z","published":"2026-03-12T20:57:42Z","database_specific":{"url":"https://pkg.go.dev/vuln/GO-2026-4689","review_status":"UNREVIEWED"},"references":[{"type":"ADVISORY","url":"https://github.com/steveiliop56/tinyauth/security/advisories/GHSA-xg2q-62g2-cvcm"},{"type":"FIX","url":"https://github.com/steveiliop56/tinyauth/commit/b2a1bfb1f532e87f205fa3afa3fc9f148c53ab89"},{"type":"WEB","url":"https://github.com/steveiliop56/tinyauth/releases/tag/v5.0.3"}],"affected":[{"package":{"name":"github.com/steveiliop56/tinyauth","ecosystem":"Go","purl":"pkg:golang/github.com/steveiliop56/tinyauth"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"ecosystem_specific":{"custom_ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.0.1-20260311144920-9eb2d33064b7"}]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2026-4689.json"}}],"schema_version":"1.7.5"}