What is the CVSS score of CVE-2026-32246?

CVE-2026-32246 has a CVSS 3.1 base score of 8.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Suse are affected by CVE-2026-32246?

A high-severity vulnerability (CVE-2026-32246) affecting TinyAuth has been publicly disclosed with working exploits available, creating immediate risk to any organization using this authentication…. A patch is available.

Is there a public PoC exploit available for CVE-2026-32246?

Yes, a public proof-of-concept exploit is available for CVE-2026-32246. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-32246?

Within 24 hours: Identify all systems and applications using TinyAuth, assess exposure scope, and activate incident response procedures. Within 7 days: Implement compensating controls (network segmentation, WAF rules, enhanced monitoring), document affected assets, and establish communication with vendors or support channels for patch timelines. Within 30 days: Deploy alternative authentication solutions where feasible, execute comprehensive security testing post-mitigation, and complete remediation or establish risk acceptance with business stakeholders.

Suse CVE-2026-32246

HIGH

Improper Authentication (CWE-287)

2026-03-12 security-advisories@github.com

GHSA-3q28-qjrv-qr39

Authentication Bypass Suse

8.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.5 HIGH

AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N

SUSE

HIGH

qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

High

Availability

None

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

PoC Detected

Mar 12, 2026 - 21:07 vuln.today

Public exploit code

Analysis Generated

Mar 12, 2026 - 19:57 vuln.today

CVE Published

Mar 12, 2026 - 19:16 nvd

HIGH 8.5

DescriptionGitHub Advisory

Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC authorization endpoint allows users with a TOTP-pending session (password verified, TOTP not yet completed) to obtain authorization codes. An attacker who knows a user's password but not their TOTP secret can obtain valid OIDC tokens, completely bypassing the second factor. This vulnerability is fixed in 5.0.3.

AnalysisAI

High severity vulnerability in TinyAuth. #

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Obtain user password

Delivery

Authenticate to Tinyauth with password

Exploit

Submit authorization request with TOTP-pending session

Execution

Receive valid OIDC token

Impact

Access protected resources

Access

Obtain user password

Delivery

Authenticate to Tinyauth with password

Exploit

Submit authorization request with TOTP-pending session

Execution

Receive valid OIDC token

Impact

Access protected resources

Vulnerability AssessmentAI

Exploitation	Tinyauth versions prior to 5.0.3 with OIDC authorization endpoint enabled. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	Severity: High (8.5/10.0) No EPSS data available yet Remotely exploitable with low-privilege access — any authenticated user could exploit this Scope changed: exploitation can impact resources beyond the vulnerable component No patch confirmed yet — monitor vendor channels for updates and consider mitigations Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An authenticated attacker with low-level access can exploit this vulnerability remotely to escalate privileges or access unauthorized resources.
Remediation	Security advisories: - https://github.com/steveiliop56/tinyauth/security/advisories/GHSA-3q28-qjrv-qr39 Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems and applications using TinyAuth, assess exposure scope, and activate incident response procedures. …

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: High

CVE-2026-32246 vulnerability details – vuln.today

Back

Suse CVE-2026-32246

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code