Tinyauth authentication server prior to version 5.0.5 contains a critical race condition vulnerability in OAuth service implementations. All three OAuth services (GenericOAuthService, GithubOAuthService, GoogleOAuthService) store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across concurrent requests. When two users simultaneously initiate OAuth login for the same provider, a race condition between VerifyCode() and Userinfo() functions causes identity confusion, where one user receives a session with another user's identity. This represents a severe authentication bypass vulnerability that could lead to unauthorized access and account takeover. The issue has been patched in version 5.0.5.