CVE-2026-42560CRITICAL 9.1EPSS p33.2%

CVE-2026-42560CVE-2026-42560

Description

auth provides authentication via oauth2, direct and email. From versions 1.18.0 to before 1.25.2 and 2.0.0 to before 2.1.2, the Patreon OAuth provider maps every authenticated Patreon account to the same local user.ID, instead of deriving a unique ID from the Patreon account returned by Patreon. In practice, this means all Patreon-authenticated users of an application using this library are collapsed into a single local identity. Any application that trusts token.User.ID as the stable account key can end up mixing or fully merging unrelated Patreon users, which can lead to cross-account access, privilege confusion, and subscription-state leakage. This issue has been patched in versions 1.25.2 and 2.1.2.

Scoring

CVSS 3.19.1 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS0.42% probability of exploitation · percentile 33.2% · 2026-06-19T12:03:05Z
Published2026-05-09
Last modified2026-05-13

Underlying weaknesses· 1

CWE-287

References

  1. https://github.com/go-pkgz/auth/commit/c0b15ee72a8401da83c01781c16636c521f42698
  2. https://github.com/go-pkgz/auth/releases/tag/v1.25.2
  3. https://github.com/go-pkgz/auth/releases/tag/v2.1.2
  4. https://github.com/go-pkgz/auth/security/advisories/GHSA-f6qq-3m3h-4g42
  5. https://github.com/go-pkgz/auth/security/advisories/GHSA-f6qq-3m3h-4g42

1

TypeTargetConfidenceTier
WeaknessImproper Authenticationcwe-2870%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-49443
CVE
CVE-2026-30967
CVE
CVE-2026-33265
CVE
CVE-2026-4525
CVE
CVE-2025-41258
CVE
CVE-2025-2594
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.