External risk intelligence

Patreon login errors could let attackers access customer accounts.

CVE advisory. Severity: CRITICAL (CVSS 9.1)

CVE-2026-42560

The `auth` library has a critical flaw where all Patreon users are mapped to the same account, enabling attackers to access or merge unrelated user data and subscriptions. This is accessible over the internet and demands immediate attention.

Halo Surface Signal: 5

Authentication Bypass

External exposure likelihood

Halo Surface Signal score for CVE-2026-42560

This library provides authentication for web applications. Authentication endpoints and OAuth login flows are public-facing by design, as they are intended to be accessed by external users over the internet to authenticate with the host application. Therefore, the vulnerable component is part of the application's external-facing identity and login surface.

PCI scan relevance

PCI Relevance for CVE-2026-42560

No

CVE-2026-42560 — Halo PCI Relevance: No. Under typical PCI ASV criteria, this issue is not expected to affect external scan prioritization.

This vulnerability in the Patreon OAuth provider could lead to cross-account access and privilege confusion, but it does not meet the criteria for PCI scan relevance.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This issue in the `auth` library can allow unrelated users to access each other's accounts. When using the Patreon authentication provider, all users authenticate to the same local identity, potentially merging accounts and leaking sensitive information. This could lead to unauthorized access and confusion regarding subscription status.

  • Mixes unrelated user accounts.
  • Can leak subscription data.
  • Accessible from the internet.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this flaw by logging in through the Patreon OAuth provider. All users who authenticate via Patreon would be mapped to the same local user ID, allowing any Patreon-authenticated user to access or modify the data of any other Patreon-authenticated user.

  • Exploitable via Patreon OAuth.
  • Requires user to authenticate.
  • Can lead to cross-account access.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows attackers to impersonate other users or gain unauthorized access to sensitive information by exploiting a flaw in how Patreon OAuth accounts are mapped. The potential for cross-account access and subscription leakage makes this a compelling target.

  • Exploitation is possible remotely.
  • No public exploits are available.
  • The patch is recent.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching the `go-pkgz/auth` library to versions 1.25.2 or 2.1.2 immediately. This critical vulnerability allows all Patreon users to be mapped to a single local user ID, leading to cross-account access and privilege confusion. If patching is delayed, implement strict access controls and monitor for unusual account activity.

  • Patch to 1.25.2 or 2.1.2.
  • Monitor for account access anomalies.
  • Isolate or restrict Patreon OAuth.

Frequently asked questions

What is the go-pkgz/auth library and what is it used for?

The go-pkgz/auth library is a software component that provides authentication capabilities for applications. It supports various authentication methods, including OAuth2, direct login, and email-based authentication, allowing users to access and use applications securely.

What is the security weakness in CVE-2026-42560?

CVE-2026-42560 is a CWE-287 Improper Authentication vulnerability. The Patreon OAuth provider incorrectly maps all authenticated Patreon accounts to the same local user ID, effectively merging unrelated users into a single identity within the application.

How can an attacker trigger the vulnerability in CVE-2026-42560?

An attacker can trigger this vulnerability by logging in through the Patreon OAuth provider. The issue occurs because the library fails to generate unique local IDs for each Patreon account, leading to account confusion. The vulnerability is not triggered if users authenticate through methods other than Patreon OAuth.
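As an added illustration (not go-pkgz/auth code, and not the library's actual defect), the following Go snippet models the class of flaw described here, a local ID derived without the provider's account ID, beside the corrected derivation, and includes a collision check a defender could run over login records to detect the cross-account condition. Type names, the hashing scheme and the sample identities are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// ProviderIdentity is what an OAuth provider reports after login (constructed type).
type ProviderIdentity struct {
	Provider  string // e.g. "patreon"
	AccountID string // the provider's own stable user ID
}

// localIDBroken models the flaw class: the local ID depends only on the
// provider name, so every account from that provider collapses onto one
// local identity. Hypothetical reconstruction, not the library's code.
func localIDBroken(id ProviderIdentity) string {
	return hashID(id.Provider + "_")
}

// localIDFixed derives the local ID from provider AND provider account ID,
// so two distinct provider accounts can never share a local identity.
func localIDFixed(id ProviderIdentity) string {
	return hashID(id.Provider + "_" + id.AccountID)
}

func hashID(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// Collisions returns local IDs that more than one distinct provider account
// maps to. Repeated logins by the same account are not collisions.
func Collisions(mapper func(ProviderIdentity) string, ids []ProviderIdentity) map[string][]string {
	seen := map[string]map[string]bool{}
	for _, id := range ids {
		local := mapper(id)
		if seen[local] == nil {
			seen[local] = map[string]bool{}
		}
		seen[local][id.Provider+":"+id.AccountID] = true
	}
	out := map[string][]string{}
	for local, accts := range seen {
		if len(accts) > 1 {
			for a := range accts {
				out[local] = append(out[local], a)
			}
		}
	}
	return out
}

func main() {
	// Constructed login records: two different Patreon accounts, one repeated.
	users := []ProviderIdentity{{"patreon", "1001"}, {"patreon", "2002"}, {"patreon", "1001"}, {"github", "77"}}
	fmt.Println("broken mapping collisions:", Collisions(localIDBroken, users))
	fmt.Println("fixed mapping collisions: ", Collisions(localIDFixed, users))
}
```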

Who should be concerned about CVE-2026-42560 based on Halo Surface Signal?

Organizations should be concerned if their applications use the go-pkgz/auth library with Patreon authentication, especially if these applications have internet-facing authentication endpoints. The vulnerability is classified as external, meaning it's accessible over the network by external users.

What is the first step to respond to this CVE threat advisory?

The immediate first step is to update the go-pkgz/auth library to version 1.25.2 or 2.1.2. This patch addresses the vulnerability that causes all Patreon-authenticated users to be mapped to a single local user ID.
