PatchSiren cyber security CVE debrief
CVE-2026-42560 Unknown Vendor CVE debrief
CVE-2026-42560 is a critical authentication flaw in the Patreon OAuth provider of go-pkgz/auth. Affected versions mapped every authenticated Patreon account to the same local user.ID, so distinct Patreon users collapse into one application identity, with cross-account access and data leakage as the direct consequence. The issue is fixed in versions 1.25.2 and 2.1.2.
- Vendor: Unknown Vendor (the stored record carries no vendor; the advisory identifies the project as go-pkgz/auth)
- Product: Unknown (the stored record carries no product; the advisory identifies the affected component as the go-pkgz/auth Patreon OAuth provider)
- CVSS: CRITICAL 9.1 (v3.1)
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-09
- Original CVE updated: 2026-05-09
- Advisory published: 2026-05-09
- Advisory updated: 2026-05-09
Who should care
Teams using go-pkgz/auth with the Patreon OAuth provider enabled, especially applications that treat token.User.ID as the stable local account key or use it to bind sessions, subscriptions, or permissions. Applications that only enable other providers are not affected by this flaw.
Technical summary
According to the advisory and NVD record, versions 1.18.0 up to but not including 1.25.2, and 2.0.0 up to but not including 2.1.2, did not derive a unique local identifier from the account data Patreon returns after login. Instead, all Patreon-authenticated users were mapped to the same local user.ID. That identity collision lets unrelated accounts be merged or confused at the application layer: any lookup keyed on the user ID returns the shared record, so authorization decisions, subscription state, and per-user data separation can all be affected. The advisory assigns CWE-287 (Improper Authentication) and a CVSS v3.1 score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
Defensive priority
Urgent. This is a critical authentication and identity-confusion issue; the vector records low attack complexity and no privileges required, and because every Patreon login lands on the same shared identity, any Patreon account is enough to reach it. Prioritize patching, then verify account isolation rather than assuming the upgrade alone repairs data created while the flaw was live.
Recommended defensive actions
- Upgrade go-pkgz/auth to version 1.25.2 or later, or 2.1.2 or later, depending on your major version line.
- Audit any code that uses token.User.ID as a unique or stable account identifier for Patreon logins; with vulnerable versions every Patreon login produced the same value, so every lookup keyed on it resolved to the shared record.
- Check for user-account merges, duplicated sessions, or subscription-state contamination among Patreon-authenticated users.
- Review authorization decisions, billing links, and entitlement records that may have been created while the vulnerable versions were in use. The shared ID alone cannot tell you which Patreon account created a given record, so reconcile such records using other stored attributes or Patreon-side data before rebinding them.
- Invalidate or rebind affected sessions, and review application logs for identity collisions after remediation.
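The mapping flaw in the technical summary and the audit steps above, shown side by side as an added Go example. This is not code from go-pkgz/auth or from the advisory: the shape of the Patreon identity response, the constant `"patreon_user"` ID in the vulnerable mapper, the `"patreon_" + sha1` derivation in the fixed mapper, and the `mapping` record type used for the audit are all assumptions chosen for illustration. `vulnerableMap` reproduces the behaviour the advisory describes (every account collapses to one local ID), `fixedMap` derives a per-account ID and refuses responses with no account id, and `findCollisions` is the store-level audit: given provider account ids and the local IDs stored for them, it reports any local ID shared by more than one Patreon account.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// patreonIdentity models the slice of Patreon's identity response this
// example needs. Field set is an assumption, not the library's own type.
type patreonIdentity struct {
	Data struct {
		ID         string `json:"id"`
		Type       string `json:"type"`
		Attributes struct {
			FullName string `json:"full_name"`
			Email    string `json:"email"`
		} `json:"attributes"`
	} `json:"data"`
}

// localUser holds the fields an application typically keys sessions on.
type localUser struct {
	ID    string
	Name  string
	Email string
}

// Constructed sample responses for two distinct Patreon accounts.
var (
	sampleAlice = []byte(`{"data":{"id":"1234567","type":"user","attributes":{"full_name":"Alice Example","email":"alice@example.com"}}}`)
	sampleBob   = []byte(`{"data":{"id":"7654321","type":"user","attributes":{"full_name":"Bob Example","email":"bob@example.com"}}}`)
)

// vulnerableMap reproduces the flaw: the local ID ignores the Patreon
// account id, so every login collapses to the same application user.
func vulnerableMap(raw []byte) (localUser, error) {
	var p patreonIdentity
	if err := json.Unmarshal(raw, &p); err != nil {
		return localUser{}, err
	}
	return localUser{ID: "patreon_user", Name: p.Data.Attributes.FullName, Email: p.Data.Attributes.Email}, nil
}

// fixedMap derives the local ID from the Patreon account id. The
// "patreon_" + sha1 scheme is this example's choice; the project's actual
// fix may differ in detail. A response without a user id is rejected
// rather than silently mapped to a shared or empty identity.
func fixedMap(raw []byte) (localUser, error) {
	var p patreonIdentity
	if err := json.Unmarshal(raw, &p); err != nil {
		return localUser{}, err
	}
	if p.Data.ID == "" || p.Data.Type != "user" {
		return localUser{}, errors.New("patreon identity response carries no user id")
	}
	sum := sha1.Sum([]byte("patreon_" + p.Data.ID))
	return localUser{ID: "patreon_" + hex.EncodeToString(sum[:]), Name: p.Data.Attributes.FullName, Email: p.Data.Attributes.Email}, nil
}

// mapping is one row of the audit input: which Patreon account id was
// stored against which local user ID (hypothetical store layout).
type mapping struct {
	ProviderAccountID string
	LocalID           string
}

// findCollisions returns every local ID that more than one distinct
// Patreon account maps to, with the colliding account ids sorted.
func findCollisions(ms []mapping) map[string][]string {
	byLocal := map[string]map[string]bool{}
	for _, m := range ms {
		if byLocal[m.LocalID] == nil {
			byLocal[m.LocalID] = map[string]bool{}
		}
		byLocal[m.LocalID][m.ProviderAccountID] = true
	}
	out := map[string][]string{}
	for local, accts := range byLocal {
		if len(accts) < 2 {
			continue
		}
		ids := make([]string, 0, len(accts))
		for a := range accts {
			ids = append(ids, a)
		}
		sort.Strings(ids)
		out[local] = ids
	}
	return out
}

func main() {
	a, _ := vulnerableMap(sampleAlice)
	b, _ := vulnerableMap(sampleBob)
	fmt.Println("vulnerable collisions:", findCollisions([]mapping{{"1234567", a.ID}, {"7654321", b.ID}}))
	fa, _ := fixedMap(sampleAlice)
	fb, _ := fixedMap(sampleBob)
	fmt.Println("fixed collisions:", findCollisions([]mapping{{"1234567", fa.ID}, {"7654321", fb.ID}}))
}
```

Run the audit with real rows from your user store: if any local ID appears with more than one Patreon account id, that record was shared while the vulnerable version was live and its sessions, entitlements, and billing links need the reconciliation described above.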
Evidence notes
This debrief is based only on the supplied NVD record and the linked GitHub Security Advisory, commit, and release tags. The core facts used here are the affected version ranges, the Patreon OAuth identity-mapping flaw, the fix versions 1.25.2 and 2.1.2, and the CVSS/CWE data present in the source corpus. No exploit procedure or unsupported implementation details are included.
Official resources
The issue was disclosed through GitHub Security Advisory GHSA-f6qq-3m3h-4g42 and is reflected in the NVD record published on 2026-05-09.