CVE-2026-42560: CWE-287: Improper Authentication in go-pkgz auth
auth provides authentication via oauth2, direct and email. From versions 1.18.0 to before 1.25.2 and 2.0.0 to before 2.1.2, the Patreon OAuth provider maps every authenticated Patreon account to the same local user.ID, instead of deriving a unique ID from the Patreon account returned by Patreon. In practice, this means all Patreon-authenticated users of an application using this library are collapsed into a single local identity. Any application that trusts token.User.ID as the stable account key can end up mixing or fully merging unrelated Patreon users, which can lead to cross-account access, privilege confusion, and subscription-state leakage. This issue has been patched in versions 1.25.2 and 2.1.2.
AI Analysis
Technical Summary
The go-pkgz auth library provides OAuth2-based authentication including Patreon as a provider. In affected versions, the Patreon OAuth integration fails to derive a unique local user ID from the authenticated Patreon account, instead assigning the same local user ID to all Patreon-authenticated users. Applications relying on token.User.ID as a stable account key may inadvertently merge distinct Patreon users into one local identity. This improper authentication (CWE-287) vulnerability can cause cross-account access and privilege confusion. The vulnerability is tracked as CVE-2026-42560 with a CVSS 3.1 score of 9.1 (critical). It has been patched in go-pkgz auth versions 1.25.2 and 2.1.2.
Potential Impact
This vulnerability allows unrelated Patreon-authenticated users to be treated as the same local user within applications using the affected go-pkgz auth versions. This can result in unauthorized access to other users' accounts, mixing of privileges, and leakage of subscription-related information. The impact is high confidentiality and integrity loss but does not affect availability.
Mitigation Recommendations
Upgrade go-pkgz auth to version 1.25.2 or later, or 2.1.2 or later, where the Patreon OAuth provider correctly derives unique user IDs. No other mitigation is indicated. Patch status is confirmed by the vendor advisory stating these versions fix the issue.
CVE-2026-42560: CWE-287: Improper Authentication in go-pkgz auth
Description
auth provides authentication via oauth2, direct and email. From versions 1.18.0 to before 1.25.2 and 2.0.0 to before 2.1.2, the Patreon OAuth provider maps every authenticated Patreon account to the same local user.ID, instead of deriving a unique ID from the Patreon account returned by Patreon. In practice, this means all Patreon-authenticated users of an application using this library are collapsed into a single local identity. Any application that trusts token.User.ID as the stable account key can end up mixing or fully merging unrelated Patreon users, which can lead to cross-account access, privilege confusion, and subscription-state leakage. This issue has been patched in versions 1.25.2 and 2.1.2.
CVSS v3.1
Score 9.1critical
Affected software
pkg:golang/github.com/go-pkgz/authRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The go-pkgz auth library provides OAuth2-based authentication including Patreon as a provider. In affected versions, the Patreon OAuth integration fails to derive a unique local user ID from the authenticated Patreon account, instead assigning the same local user ID to all Patreon-authenticated users. Applications relying on token.User.ID as a stable account key may inadvertently merge distinct Patreon users into one local identity. This improper authentication (CWE-287) vulnerability can cause cross-account access and privilege confusion. The vulnerability is tracked as CVE-2026-42560 with a CVSS 3.1 score of 9.1 (critical). It has been patched in go-pkgz auth versions 1.25.2 and 2.1.2.
Potential Impact
This vulnerability allows unrelated Patreon-authenticated users to be treated as the same local user within applications using the affected go-pkgz auth versions. This can result in unauthorized access to other users' accounts, mixing of privileges, and leakage of subscription-related information. The impact is high confidentiality and integrity loss but does not affect availability.
Mitigation Recommendations
Upgrade go-pkgz auth to version 1.25.2 or later, or 2.1.2 or later, where the Patreon OAuth provider correctly derives unique user IDs. No other mitigation is indicated. Patch status is confirmed by the vendor advisory stating these versions fix the issue.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-28T16:56:50.192Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fec4aacbff5d8610c5050c
Added to database: 05/09/2026, 05:22:50 UTC
Last enriched: 05/16/2026, 10:52:05 UTC
Last updated: 06/24/2026, 19:01:40 UTC
Views: 120
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.