
CVE-2026-42560 - go-pkgz/auth Patreon identity collision

go-pkgz/auth maps every authenticated Patreon user to the same local token.User.ID in affected releases. The Patreon provider hashes an uninitialized destination field instead of the Patreon account ID, so unrelated Patreon accounts can collapse into the same application identity.

The bug is critical for applications that enable Patreon login and use token.User.ID as an account key, role key, entitlement key, profile key, or subscription-state key. A normal Patreon login can then access or overwrite data associated with another Patreon-authenticated user, and any elevated privileges attached to the shared local ID can apply to every Patreon login.

Affected versions

  • Vulnerable: github.com/go-pkgz/auth >=1.18.0, <=1.25.1
  • Fixed: github.com/go-pkgz/auth 1.25.2+
  • Vulnerable: github.com/go-pkgz/auth/v2 >=2.0.0, <=2.1.1
  • Fixed: github.com/go-pkgz/auth/v2 2.1.2+

Indicators of exposure

  • A Go service imports either affected module and resolves a vulnerable version.
  • The service enables the Patreon provider, such as provider.NewPatreon.
  • Application code treats token.User.ID, JWT user claims, or auth middleware context values as the stable local account identifier.
  • Data stores contain the shared broken Patreon ID: patreon_da39a3ee5e6b4b0d3255bfef95601890afd80709.
  • Existing Patreon sessions or long-lived JWTs may still carry the broken ID.

Quick checks:

rg -n "github.com/go-pkgz/auth|NewPatreon|patreon_|token\\.User|User\\.ID" .
go list -m -json github.com/go-pkgz/auth github.com/go-pkgz/auth/v2 2>/dev/null
go list -m all | rg 'github.com/go-pkgz/auth'

Remediation strategy

  • Upgrade github.com/go-pkgz/auth to 1.25.2+ and github.com/go-pkgz/auth/v2 to 2.1.2+.
  • Add a regression test that maps two different Patreon payloads and asserts distinct local user IDs.
  • Expire Patreon-authenticated sessions and JWTs minted by vulnerable code.
  • Search production data for the shared broken ID and produce an operator-owned migration or relinking plan. Do not automatically split accounts without a human-reviewed source of truth.
  • If the fixed dependency cannot be shipped immediately, disable Patreon login until the upgrade and session cleanup are deployed.
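The collapse described at the top of this page and the regression check from the remediation list, as an added Go example that is not code from the advisory or from go-pkgz/auth: vulnerableLocalID is a hypothetical reconstruction of the decode-one-struct, hash-another pattern, fixedLocalID hashes the decoded data.id and refuses an empty one, and the constant shows why the shared ID is "patreon_" followed by the SHA-1 of the empty string. The patreonIdentity type and the two fixture payloads are constructed for this example.

```go
package main

import (
	"crypto/sha1"
	"encoding/json"
	"fmt"
)

// BrokenPatreonID is the shared ID quoted in the advisory: "patreon_" + hex(sha1("")).
const BrokenPatreonID = "patreon_da39a3ee5e6b4b0d3255bfef95601890afd80709"

// patreonIdentity holds the field a local ID must derive from (assumption: data.id).
type patreonIdentity struct {
	Data struct{ ID string `json:"id"` } `json:"data"`
}

// localID builds the ID shape seen in the advisory: "patreon_" + hex SHA-1 of s.
func localID(s string) string { return fmt.Sprintf("patreon_%x", sha1.Sum([]byte(s))) }

// vulnerableLocalID is a hypothetical reconstruction of the bug, not the library's code:
// the response is decoded into one struct while a second, never-populated struct is hashed.
func vulnerableLocalID(raw []byte) (string, error) {
	var decoded, hashed patreonIdentity // hashed stays zero-valued, so sha1("") every time
	err := json.Unmarshal(raw, &decoded)
	return localID(hashed.Data.ID), err
}

// fixedLocalID hashes the decoded account ID and rejects an empty one, so the
// sha1("") sentinel cannot be minted again.
func fixedLocalID(raw []byte) (string, error) {
	var decoded patreonIdentity
	if err := json.Unmarshal(raw, &decoded); err != nil {
		return "", err
	}
	if decoded.Data.ID == "" {
		return "", fmt.Errorf("patreon identity response has no data.id")
	}
	return localID(decoded.Data.ID), nil
}

func main() { // constructed fixtures standing in for two unrelated Patreon accounts
	a, b := []byte(`{"data":{"id":"1001"}}`), []byte(`{"data":{"id":"2002"}}`)
	va, _ := vulnerableLocalID(a)
	vb, _ := vulnerableLocalID(b)
	fa, _ := fixedLocalID(a)
	fb, _ := fixedLocalID(b)
	fmt.Println("vulnerable collide:", va == vb && va == BrokenPatreonID, "fixed distinct:", fa != fb)
}
```

The same BrokenPatreonID constant is the value to grep for in data stores, fixtures and decoded JWT claims when scoping the cleanup.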

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-42560 (go-pkgz/auth Patreon OAuth identity
collision). Produce exactly one output:

- A reviewer-ready PR/change request that patches the dependency, adds
  regression coverage, and documents required operator cleanup, or
- TRIAGE.md if this repository does not own a safe patch path.

## Rules

- Scope only CVE-2026-42560.
- Do not rewrite unrelated authentication providers.
- Do not silently migrate or merge user accounts.
- Do not log OAuth tokens, Patreon payloads, JWTs, cookies, or user secrets.
- Do not auto-merge.

## Steps

1. Inventory all references to `github.com/go-pkgz/auth` and
   `github.com/go-pkgz/auth/v2` in `go.mod`, `go.sum`, vendor trees, generated
   dependency manifests, SBOMs, and container build inputs.
2. Determine whether either module resolves to a vulnerable version:
   - `github.com/go-pkgz/auth >=1.18.0, <=1.25.1`
   - `github.com/go-pkgz/auth/v2 >=2.0.0, <=2.1.1`
3. Check whether the application enables Patreon OAuth, for example
   `provider.NewPatreon`, and whether local accounts, roles, subscriptions, or
   entitlements are keyed from `token.User.ID` or JWT user claims.
4. Upgrade vulnerable modules to fixed releases:
   - `github.com/go-pkgz/auth >=1.25.2`
   - `github.com/go-pkgz/auth/v2 >=2.1.2`
   Then run the normal Go module tidy/vendor workflow used by this repository.
5. Add or update regression tests that exercise Patreon user mapping with at
   least two different Patreon `data.id` fixture values and assert that the
   resulting local IDs are distinct.
6. Add a PR body section named `CVE-2026-42560 operator actions` that states:
   - whether Patreon login is enabled;
   - whether the shared ID
     `patreon_da39a3ee5e6b4b0d3255bfef95601890afd80709` was found in
     application data, fixtures, seed data, or tests;
   - which sessions, JWTs, refresh tokens, or auth caches must be expired;
   - whether affected Patreon-linked accounts need human-reviewed relinking.
7. If Patreon login is enabled and account data may already be collapsed, add a
   conservative runbook or migration stub that identifies impacted records but
   requires explicit operator approval before changing account ownership.
8. Run the relevant validation, normally `go test ./...`, dependency scanning,
   and any auth-provider or API tests in the repository.
9. Use PR title:
   `fix(sec): remediate CVE-2026-42560 in go-pkgz/auth`.

## Stop conditions

- The project cannot consume `go-pkgz/auth` `1.25.2+` or `v2.1.2+` without a
  larger auth redesign.
- The app uses Patreon login but there is no reliable way to identify records
  created with the shared broken ID.
- Tests fail for unrelated pre-existing reasons; document them instead of
  broadening scope.
- This repository only consumes a deployed service owned elsewhere; write
  TRIAGE.md with the owning service, vulnerable module evidence, and required
  rollout actions.

Verification - what the reviewer looks for

  • No resolved dependency path remains on a vulnerable go-pkgz/auth release.
  • Patreon mapping tests prove that different Patreon account IDs produce different local user IDs.
  • Session/token expiry and any account relinking work are called out as operator actions, not hidden in a risky automatic migration.
  • CI, Go tests, and dependency scans pass or unrelated failures are documented.

Watch for

  • Transitive or vendored copies that keep the vulnerable module even after go.mod is updated.
  • Applications that do not call Patreon directly but expose it through shared auth configuration.
  • Existing test fixtures that assert the broken patreon_da39a3ee5e6b4b0d3255bfef95601890afd80709 value.
  • Long-lived JWTs that continue to authorize the shared ID after the dependency upgrade.
