PatchSiren

go-pkgz CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

Severity: CRITICAL. go-pkgz CVE, published 2026-05-09.

CVE-2026-42560

CVE-2026-42560 is a critical authentication flaw in go-pkgz/auth’s Patreon OAuth provider. Affected versions mapped every authenticated Patreon account to the same local user.ID, which can collapse distinct users into one application identity and create cross-account access and data leakage risk. The issue is fixed in versions 1.25.2 and 2.1.2.