go-pkgz/auth CVE-2026-42560
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
5DescriptionGitHub Advisory
Summary
The Patreon OAuth provider maps every authenticated Patreon account to the same local user.ID, instead of deriving a unique ID from the Patreon account returned by Patreon.
In practice, this means all Patreon-authenticated users of an application using this library are collapsed into a single local identity. Any application that trusts token.User.ID as the stable account key can end up mixing or fully merging unrelated Patreon users, which can lead to cross-account access, privilege confusion, and subscription-state leakage.
Details
The bug is in the Patreon provider's user-mapping logic.
Both the root module and the v2 module create a fresh empty token.User{} and then derive the Patreon ID from userInfo.ID before that field has been populated:
mapUser: func(data UserData, bdata []byte) token.User {
userInfo := token.User{}
uinfoJSON := uinfo{}
if err := json.Unmarshal(bdata, &uinfoJSON); err == nil {
userInfo.ID = "patreon_" + token.HashID(sha1.New(), userInfo.ID)
userInfo.Name = uinfoJSON.Data.Attributes.FullName
userInfo.Picture = uinfoJSON.Data.Attributes.ImageURL
...
}
return userInfo
}Affected locations:
provider/providers.go:257v2/provider/providers.go:257
At that point, userInfo.ID is still the empty string, so the effective result is always:
patreon_ + sha1("")which is:
patreon_da39a3ee5e6b4b0d3255bfef95601890afd80709for every Patreon user.
The code appears to have intended to hash the Patreon user ID returned by Patreon, i.e. uinfoJSON.Data.ID, but instead hashes the uninitialized destination field.
Why this matters:
- Patreon is a documented, supported provider.
- The library documents
token.User.IDas the hashed user ID exposed to consumers. - The OAuth flow stores the mapped user object in JWT claims, and middleware later injects that object into the request context verbatim, consuming handlers receive the provider's wrong user.ID as authoritative identity.
Relevant flow in v2:
v2/provider/oauth2.go:207callsu := p.mapUser(...)v2/provider/oauth2.go:223storesuin token claimsv2/middleware/auth.go:154copies*claims.Userinto request context
The existing tests already encode the broken behavior:
provider/providers_test.go:179provider/providers_test.go:204v2/provider/providers_test.go:179v2/provider/providers_test.go:204
Those tests assert the constant empty-string hash value for Patreon users.
PoC
This can be reproduced locally without contacting Patreon by exercising the provider's mapUser logic with two different Patreon payloads.
From the repository root, create a temporary test file:
v2/provider/patreon_repro_test.go
package provider
import "testing"
func TestPatreonSharedIdentity(t *testing.T) {
r := NewPatreon(Params{
URL: "http://example.com",
Cid: "cid",
Csecret: "secret",
})
a := r.mapUser(UserData{}, []byte(`{
"data": {
"attributes": {
"full_name": "Alice",
"image_url": "https://example.com/alice.png"
},
"id": "1111111"
}
}`))
b := r.mapUser(UserData{}, []byte(`{
"data": {
"attributes": {
"full_name": "Bob",
"image_url": "https://example.com/bob.png"
},
"id": "9999999"
}
}`))
if a.ID != b.ID {
t.Fatalf("expected IDs to collide, got %q and %q", a.ID, b.ID)
}
t.Logf("Alice -> %s", a.ID)
t.Logf("Bob -> %s", b.ID)
}Then run:
cd v2
go test ./provider -run TestPatreonSharedIdentity -vExpected result:
Alice -> patreon_da39a3ee5e6b4b0d3255bfef95601890afd80709
Bob -> patreon_da39a3ee5e6b4b0d3255bfef95601890afd80709This was confirmed locally with three distinct Patreon data.id values; all of them produced the same patreon_da39... identity.
The same issue is reflected in the existing built-in tests, which already assert this constant Patreon ID.
Impact
This is an authentication/identity-collision vulnerability in the Patreon provider.
Impacted users:
- applications using
github.com/go-pkgz/auth/provider.NewPatreon - applications using
github.com/go-pkgz/auth/v2/provider.NewPatreon - applications that rely on
token.User.IDas the stable local account identifier, or use it to key roles, profiles, entitlements, subscription state, or other authorization-relevant records
Practical impact:
- all Patreon-authenticated users in the same application can collapse into the same local account
- data associated with one Patreon user may be exposed to or overwritten by another Patreon user
- Patreon-specific attributes such as
is_paid_subcan leak across unrelated users - if a target application grants any elevated privileges to the local account keyed by this shared Patreon ID, those privileges can effectively apply to every Patreon login
Suggested Fix
The Patreon provider should derive the user ID from the Patreon account ID returned by Patreon, not from the uninitialized destination struct.
In both of these files:
provider/providers.gov2/provider/providers.go
change:
userInfo.ID = "patreon_" + token.HashID(sha1.New(), userInfo.ID)to:
userInfo.ID = "patreon_" + token.HashID(sha1.New(), uinfoJSON.Data.ID)The addition of regression testing with at least two different Patreon data.id values and asserting that they produce different local IDs is recommended.
Because the current bug causes all Patreon users to share a single local ID, maintainers may also want to consider migration guidance for consumers who already have Patreon-linked local accounts created under the broken identifier.
AnalysisAI
Identity collision in the go-pkgz/auth Patreon OAuth provider allows any Patreon-authenticated user to impersonate every other Patreon user in the same application. The Patreon provider hashes an uninitialized variable instead of the actual Patreon account ID, assigning the constant value patreon_da39a3ee5e6b4b0d3255bfef95601890afd80709 to all users. Applications using token.User.ID as the stable account key can experience cross-account access, privilege escalation, and data leakage. Vendor-released patch available in versions 1.25.2 and 2.1.2. No evidence of active exploitation or public POC beyond the vendor's disclosure, but the vulnerability is trivially exploitable with remote unauthenticated access to any affected application.
Technical ContextAI
The go-pkgz/auth library is a Go authentication middleware supporting multiple OAuth2 providers including Patreon. The bug resides in the Patreon provider's mapUser function at provider/providers.go:257 and v2/provider/providers.go:257. The code attempts to derive a unique local user ID by hashing the Patreon account ID, but due to a variable reference error, it hashes userInfo.ID before that field is populated, resulting in hashing the empty string. The SHA1 hash of an empty string is always da39a3ee5e6b4b0d3255bfef95601890afd80709, which is then prefixed with patreon_ and used as the stable user identifier. This represents a CWE-287 (Improper Authentication) flaw where the authentication mechanism fails to uniquely identify users. The OAuth flow stores this incorrect user object in JWT claims, and downstream middleware injects it into request context, causing all consuming code to treat distinct Patreon users as a single local account. Both the root module (github.com/go-pkgz/auth) and v2 module (github.com/go-pkgz/auth/v2) are affected, with vulnerable version ranges of 1.18.0-1.25.1 and 2.0.0-2.1.1 respectively.
RemediationAI
Upgrade to go-pkgz/auth version 1.25.2 (for root module users) or version 2.1.2 (for v2 module users). The vendor-released patch (commit c0b15ee72a8401da83c01781c16636c521f42698) corrects the variable reference from userInfo.ID to uinfoJSON.Data.ID in the Patreon provider's mapUser function, ensuring each Patreon account receives a unique local identifier. Download patched releases from https://github.com/go-pkgz/auth/releases/tag/v1.25.2 or https://github.com/go-pkgz/auth/releases/tag/v2.1.2. For applications that cannot immediately upgrade, disable the Patreon authentication provider entirely and redirect Patreon users to alternative OAuth providers (Google, GitHub, etc.) until patching is complete; this prevents further identity collisions but does not remediate existing collapsed accounts. Organizations with existing Patreon-linked accounts will need data migration: the patch changes the hash input, so previously created accounts under the collision ID (patreon_da39a3ee...) must be manually split and re-associated with correct Patreon user IDs, which may require out-of-band identity verification. No automated migration tooling is provided by the vendor, and the advisory notes this complexity. The side effect of patching is that existing Patreon users will not automatically recognize their old session tokens and may need to re-authenticate, but this is unavoidable given the broken identity foundation.
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-f6qq-3m3h-4g42