Auth / Identity
CVE-2026-42560 critical CVSS 9.1

Authentication Bypass in oauth (CVE-2026-42560)

Summary

Authentication bypass in oauth (CVE-2026-42560). Confidential information can be exposed externally. Exploitable via `user.ID`.

AI summary (openai / gpt-4o)

This vulnerability affects Patreon-authenticated accounts in the affected versions: different accounts authenticated via Patreon are recognized as the same user. This can lead to cross-account access and privilege confusion, as well as leakage of subscription information. The affected versions are 1.18.0 to before 1.25.2 and 2.0.0 to before 2.1.2; the issue is fixed in versions 1.25.2 and 2.1.2, and updating to one of those versions is recommended.
The root cause is incorrect user ID mapping in the Patreon OAuth provider, which collapses all users into a single local identifier. No workaround exists. The vulnerable code lies in `provider/providers.go` and `v2/provider/providers.go`, where `userInfo.ID` is improperly initialized. The issue was discovered by Nadav0077. It is exploitable remotely, without authentication, and with low complexity.
❓ What is the problem
Patreon OAuth provider mapping issue causing all accounts to be treated as one local user.
📍 Affected scope
`provider/providers.go` and `v2/provider/providers.go`, specifically in the `mapUser` function.
🔥 Severity
Critical severity with a CVSS score of 9.1, allowing unauthorized remote access.
🔧 How to fix
Update to versions 1.25.2 or 2.1.2 where the issue is resolved.
🛡️ Workaround
No workaround is identified from the provided sources.
🔍 Detection
A test that asserts the mapped user ID equals the hash of the empty string (the constant every account collapses to) verifies whether a build is affected.
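The mapping defect described above and the regression check from the Detection note, as an added Go example that is not the affected library's code: the `patreonIdentity` and `localUser` types, the SHA-256 hashing, the `patreon_` prefix and the two sample responses are assumptions made for illustration. The vulnerable mapping hashes the never-initialized `userInfo.ID`, so both constructed accounts receive the same constant key; the fixed mapping seeds the ID from the provider response and rejects a response that carries no ID.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// patreonIdentity holds the fields this example reads from a Patreon
// identity response. The type is an assumption made for this example,
// not the library's own.
type patreonIdentity struct {
	Data struct {
		ID         string `json:"id"`
		Attributes struct {
			FullName string `json:"full_name"`
		} `json:"attributes"`
	} `json:"data"`
}

// localUser is the application-side account record (assumed shape).
type localUser struct {
	Name string
	ID   string // provider-qualified, hashed identifier used as the account key
}

// Constructed sample responses for two different Patreon accounts.
const (
	sampleAlice = `{"data":{"id":"1111","attributes":{"full_name":"Alice"}}}`
	sampleBob   = `{"data":{"id":"2222","attributes":{"full_name":"Bob"}}}`
)

func parsePatreonIdentity(raw []byte) (patreonIdentity, error) {
	var p patreonIdentity
	if err := json.Unmarshal(raw, &p); err != nil {
		return patreonIdentity{}, fmt.Errorf("decode patreon identity: %w", err)
	}
	return p, nil
}

// hashID turns the raw provider user id into an opaque, fixed-length key.
// SHA-256 is this example's choice; the hash the library uses is not stated on the page.
func hashID(raw string) string {
	sum := sha256.Sum256([]byte(raw))
	return hex.EncodeToString(sum[:])
}

// emptyIDHash is the single constant every account collapses to under the
// defect: the hash of an empty user id.
var emptyIDHash = "patreon_" + hashID("")

// mapUserVulnerable reproduces the defect class the advisory describes:
// the provider's id is never copied into userInfo.ID, so the zero value ""
// is hashed and every Patreon account maps to the same local user.
func mapUserVulnerable(p patreonIdentity) localUser {
	var userInfo localUser
	userInfo.Name = p.Data.Attributes.FullName
	// BUG: userInfo.ID is still "" here; p.Data.ID is never used.
	userInfo.ID = "patreon_" + hashID(userInfo.ID)
	return userInfo
}

// mapUserFixed seeds the id from the response before hashing and refuses
// to map a response that carries no user id at all, so a malformed or
// empty response can never be turned into a shared account.
func mapUserFixed(p patreonIdentity) (localUser, error) {
	if p.Data.ID == "" {
		return localUser{}, fmt.Errorf("patreon identity response has no user id")
	}
	return localUser{
		Name: p.Data.Attributes.FullName,
		ID:   "patreon_" + hashID(p.Data.ID),
	}, nil
}

// isCollapsedID is the regression check from the Detection note: a mapped
// id equal to the empty-string hash means the build is affected.
func isCollapsedID(u localUser) bool {
	return u.ID == emptyIDHash
}

func main() {
	alice, err := parsePatreonIdentity([]byte(sampleAlice))
	if err != nil {
		panic(err)
	}
	bob, err := parsePatreonIdentity([]byte(sampleBob))
	if err != nil {
		panic(err)
	}

	va, vb := mapUserVulnerable(alice), mapUserVulnerable(bob)
	fmt.Printf("vulnerable: alice=%s bob=%s same=%v collapsed=%v\n",
		va.ID, vb.ID, va.ID == vb.ID, isCollapsedID(va))

	fa, _ := mapUserFixed(alice)
	fb, _ := mapUserFixed(bob)
	fmt.Printf("fixed:      alice=%s bob=%s same=%v collapsed=%v\n",
		fa.ID, fb.ID, fa.ID == fb.ID, isCollapsedID(fa))
}
```

Running `go run` on the block prints the two mappings side by side; `isCollapsedID` is the assertion a CI test can keep permanently so a future refactor that drops the ID seeding again fails the build rather than reaching production.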

Related past incidents
Similar incidents extracted from past CVEs

Also dealing with improper handling of user IDs leading to impersonation.
Another incident causing cross-account data access due to session management flaws.
Related to token-based authentication failures in OAuth systems.

If this happens at your company
Expected impact per business scenario

📌 Organizations using Patreon for user authentication in SaaS applications.
Leads to potential unauthorized access between different accounts, compromising user data privacy.
📌 Companies relying on OAuth tokens as stable account keys for user management.
Could face data breaches resulting from privilege mix-up and identity confusion.
📌 Enterprises with subscription-based services that integrate Patreon OAuth.
Risk of subscription state leaks that could affect revenue and user trust.
Recommended action
Organizations should immediately update affected libraries to patched versions to prevent unauthorized access and data breaches.

Response Actions (7 steps)

Concrete steps and command examples for SOC/SRE teams to execute in order

  Step 1: Identify exposure (identify)
    Audit SBOM/dependencies for affected components.

    Identify the affected components in the dependency manifests.

  Step 2: Match against affected range (verify)
    Confirm whether the version satisfies `>= 1.18.0, <= 1.25.1`

    Check whether the version found in Step 1 falls within the affected range `>= 1.18.0, <= 1.25.1`. If it is running in production, treat it as an incident.

  Step 7: Post-deployment verification (verify)
    Confirm the patched version is live in production

    After applying the patch, reproduce the PoC or an equivalent exploit pattern in staging to confirm the vulnerability is closed. In production, keep monitoring with the same log query as Step 3 to confirm the alert does not recur.

References
