CVE-2026-42560 Overview
CVE-2026-42560 is an authentication flaw in the go-pkgz/auth library, a Go package that provides authentication via OAuth2, direct, and email flows. The Patreon OAuth provider maps every authenticated Patreon account to the same local user.ID instead of deriving a unique identifier from the Patreon account returned by the provider. All Patreon-authenticated users of an application using the library collapse into a single local identity. Applications that trust token.User.ID as the stable account key can mix or fully merge unrelated Patreon users. The defect affects versions 1.18.0 through 1.25.1 and 2.0.0 through 2.1.1. Fixes ship in versions 1.25.2 and 2.1.2.
Critical Impact
Cross-account access, privilege confusion, and subscription-state leakage between unrelated Patreon-authenticated users.
Affected Products
- go-pkgz/auth versions 1.18.0 through 1.25.1
- go-pkgz/auth versions 2.0.0 through 2.1.1
- Applications using the Patreon OAuth provider from go-pkgz/auth
Discovery Timeline
- 2026-05-09 - CVE-2026-42560 published to the National Vulnerability Database (NVD)
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42560
Vulnerability Analysis
The vulnerability is an authentication weakness classified under [CWE-287] Improper Authentication. The Patreon OAuth provider in go-pkgz/auth constructs the local user record without incorporating the Patreon-supplied account identifier. Every successful Patreon authentication produces an identical user.ID value in the issued token.
Downstream code that uses token.User.ID as a primary key collapses distinct Patreon accounts into one logical user. Session state, entitlements, and subscription data tied to that key become shared across all Patreon-authenticated users of the application. An attacker who authenticates with any Patreon account inherits the session context of every other Patreon user on the same host application.
Root Cause
The Patreon provider implementation omits a per-account identifier when populating the local user object. Unlike the library's other OAuth providers, it does not derive user.ID from the unique Patreon account identifier returned by the Patreon API. The provider returns a constant or otherwise non-unique value, breaking the contract that token.User.ID is stable and unique per authenticated principal.
Attack Vector
The attack requires only that the target application exposes the Patreon OAuth login flow. An attacker authenticates normally through Patreon. The resulting session shares the same local identity as any other Patreon-authenticated user. The attacker reads or modifies data belonging to those users, including subscription tiers, account settings, and any resources keyed on user.ID. No privileges or user interaction beyond standard OAuth login are required.
No verified public exploit code is available. See the GitHub Security Advisory GHSA-f6qq-3m3h-4g42 for the maintainer's technical write-up and the patch commit for the corrected identifier derivation.
Detection Methods for CVE-2026-42560
Indicators of Compromise
- Multiple distinct Patreon accounts resolving to the same internal user.ID in application logs.
- Authentication audit records showing identical local user identifiers for different Patreon email addresses or display names.
- Subscription or entitlement records updated by users who do not own the underlying Patreon account.
Detection Strategies
- Audit dependency manifests (go.mod, go.sum) for github.com/go-pkgz/auth versions in the vulnerable ranges 1.18.0–1.25.1 and 2.0.0–2.1.1.
- Query authentication logs for duplicate user.ID values associated with the Patreon provider across distinct Patreon profile identifiers or email addresses.
- Review application data stores for orphaned or merged Patreon-linked records that share a single primary key.
Monitoring Recommendations
- Alert on session creation events where the Patreon provider issues a user.ID that already maps to a different external account identifier.
- Track changes to subscription state and privileged settings performed by Patreon-authenticated sessions for anomalous reassignment.
- Capture and retain OAuth callback payloads to support forensic correlation between Patreon account IDs and local user IDs.
How to Mitigate CVE-2026-42560
Immediate Actions Required
- Upgrade go-pkgz/auth to version 1.25.2 (for the 1.x line) or 2.1.2 (for the 2.x line).
- Invalidate all existing sessions issued through the Patreon provider before re-enabling Patreon login.
- Reconcile application user records to detach merged Patreon identities and restore correct ownership of subscription state.
Patch Information
The maintainer released fixes in v1.25.2 and v2.1.2. The corrective change is in commit c0b15ee, which derives user.ID from the unique Patreon account identifier returned by the Patreon API. Update Go module dependencies with go get github.com/go-pkgz/auth@v1.25.2 or go get github.com/go-pkgz/auth/v2@v2.1.2 and rebuild affected services.
Workarounds
- Disable the Patreon OAuth provider in the application configuration until the dependency is upgraded.
- Override the Patreon provider's user mapping in calling code to populate user.ID from the unique Patreon account identifier returned by the provider.
- Restrict access to functionality keyed on token.User.ID for Patreon-authenticated sessions until the patched version is deployed.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
