Summary
The Patreon OAuth provider maps every authenticated Patreon account to the same local user.ID, instead of deriving a unique ID from the Patreon account returned by Patreon.
In practice, this means all Patreon-authenticated users of an application using this library are collapsed into a single local identity. Any application that trusts token.User.ID as the stable account key can end up mixing or fully merging unrelated Patreon users, which can lead to cross-account access, privilege confusion, and subscription-state leakage.
Details
The bug is in the Patreon provider's user-mapping logic.
Both the root module and the v2 module create a fresh empty token.User{} and then derive the Patreon ID from userInfo.ID before that field has been populated:
mapUser: func(data UserData, bdata []byte) token.User {
userInfo := token.User{}
uinfoJSON := uinfo{}
if err := json.Unmarshal(bdata, &uinfoJSON); err == nil {
userInfo.ID = "patreon_" + token.HashID(sha1.New(), userInfo.ID)
userInfo.Name = uinfoJSON.Data.Attributes.FullName
userInfo.Picture = uinfoJSON.Data.Attributes.ImageURL
...
}
return userInfo
}
Affected locations:
provider/providers.go:257v2/provider/providers.go:257
At that point, userInfo.ID is still the empty string, so the effective result is always:
patreon_ + sha1("")
which is:
patreon_da39a3ee5e6b4b0d3255bfef95601890afd80709
for every Patreon user.
The code appears to have intended to hash the Patreon user ID returned by Patreon, i.e. uinfoJSON.Data.ID, but instead hashes the uninitialized destination field.
Why this matters:
- Patreon is a documented, supported provider.
- The library documents
token.User.IDas the hashed user ID exposed to consumers. - The OAuth flow stores the mapped user object in JWT claims, and middleware later injects that object into the request context verbatim, consuming handlers receive the provider's wrong user.ID as authoritative identity.
Relevant flow in v2:
v2/provider/oauth2.go:207callsu := p.mapUser(...)v2/provider/oauth2.go:223storesuin token claimsv2/middleware/auth.go:154copies*claims.Userinto request context
The existing tests already encode the broken behavior:
provider/providers_test.go:179provider/providers_test.go:204v2/provider/providers_test.go:179v2/provider/providers_test.go:204
Those tests assert the constant empty-string hash value for Patreon users.
PoC
This can be reproduced locally without contacting Patreon by exercising the provider's mapUser logic with two different Patreon payloads.
From the repository root, create a temporary test file:
v2/provider/patreon_repro_test.go
package provider
import "testing"
func TestPatreonSharedIdentity(t *testing.T) {
r := NewPatreon(Params{
URL: "http://example.com",
Cid: "cid",
Csecret: "secret",
})
a := r.mapUser(UserData{}, []byte(`{
"data": {
"attributes": {
"full_name": "Alice",
"image_url": "https://example.com/alice.png"
},
"id": "1111111"
}
}`))
b := r.mapUser(UserData{}, []byte(`{
"data": {
"attributes": {
"full_name": "Bob",
"image_url": "https://example.com/bob.png"
},
"id": "9999999"
}
}`))
if a.ID != b.ID {
t.Fatalf("expected IDs to collide, got %q and %q", a.ID, b.ID)
}
t.Logf("Alice -> %s", a.ID)
t.Logf("Bob -> %s", b.ID)
}
Then run:
cd v2
go test ./provider -run TestPatreonSharedIdentity -v
Expected result:
Alice -> patreon_da39a3ee5e6b4b0d3255bfef95601890afd80709
Bob -> patreon_da39a3ee5e6b4b0d3255bfef95601890afd80709
I also confirmed this locally with three distinct Patreon data.id values; all of them produced the same patreon_da39... identity.
You can also see the same issue reflected in the existing built-in tests, which already assert this constant Patreon ID.
Impact
This is an authentication/identity-collision vulnerability in the Patreon provider.
Impacted users:
- applications using
github.com/go-pkgz/auth/provider.NewPatreon - applications using
github.com/go-pkgz/auth/v2/provider.NewPatreon - applications that rely on
token.User.IDas the stable local account identifier, or use it to key roles, profiles, entitlements, subscription state, or other authorization-relevant records
Practical impact:
- all Patreon-authenticated users in the same application can collapse into the same local account
- data associated with one Patreon user may be exposed to or overwritten by another Patreon user
- Patreon-specific attributes such as
is_paid_subcan leak across unrelated users - if a target application grants any elevated privileges to the local account keyed by this shared Patreon ID, those privileges can effectively apply to every Patreon login
The application does not adequately verify the identity of a user, device, or process before granting access. Typical impact: unauthorized access to functions or data reserved for authenticated parties.
CVE-2026-42560 has a CVSS score of 9.1 (Critical). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.25.2, 2.1.2); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
The Patreon provider should derive the user ID from the Patreon account ID returned by Patreon, not from the uninitialized destination struct.
In both of these files:
provider/providers.gov2/provider/providers.go
change:
userInfo.ID = "patreon_" + token.HashID(sha1.New(), userInfo.ID)
to:
userInfo.ID = "patreon_" + token.HashID(sha1.New(), uinfoJSON.Data.ID)
I would also recommend adding a regression test with at least two different Patreon data.id values and asserting that they produce different local IDs.
Because the current bug causes all Patreon users to share a single local ID, maintainers may also want to consider migration guidance for consumers who already have Patreon-linked local accounts created under the broken identifier.
Frequently Asked Questions
- What is CVE-2026-42560? CVE-2026-42560 is a critical-severity improper authentication vulnerability in github.com/go-pkgz/auth (go), affecting versions >= 1.18.0, <= 1.25.1. It is fixed in 1.25.2, 2.1.2. The application does not adequately verify the identity of a user, device, or process before granting access.
- How severe is CVE-2026-42560? CVE-2026-42560 has a CVSS score of 9.1 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which packages are affected by CVE-2026-42560?
github.com/go-pkgz/auth(go) (versions >= 1.18.0, <= 1.25.1)github.com/go-pkgz/auth/v2(go) (versions >= 2.0.0, <= 2.1.1)
- Is there a fix for CVE-2026-42560? Yes. CVE-2026-42560 is fixed in 1.25.2, 2.1.2. Upgrade to this version or later.
- Is CVE-2026-42560 exploitable, and should I be worried? Whether CVE-2026-42560 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-42560 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-42560?
- Upgrade
github.com/go-pkgz/authto 1.25.2 or later - Upgrade
github.com/go-pkgz/auth/v2to 2.1.2 or later
- Upgrade