Vulnerability-Lookup

CVE-2026-42560 (GCVE-0-2026-42560)

Vulnerability from cvelistv5 – Published: 2026-05-09 04:15 – Updated: 2026-05-09 04:15

Title

auth: Patreon provider assigns the same local user ID to every authenticated Patreon account, enabling cross‑user impersonation

Summary

auth provides authentication via oauth2, direct and email. From versions 1.18.0 to before 1.25.2 and 2.0.0 to before 2.1.2, the Patreon OAuth provider maps every authenticated Patreon account to the same local user.ID, instead of deriving a unique ID from the Patreon account returned by Patreon. In practice, this means all Patreon-authenticated users of an application using this library are collapsed into a single local identity. Any application that trusts token.User.ID as the stable account key can end up mixing or fully merging unrelated Patreon users, which can lead to cross-account access, privilege confusion, and subscription-state leakage. This issue has been patched in versions 1.25.2 and 2.1.2.

Severity ?

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-287 - Improper Authentication

Assigner

GitHub_M

References

URL

Tags

	https://github.com/go-pkgz/auth/security/advisori…	x_refsource_CONFIRM
	https://github.com/go-pkgz/auth/commit/c0b15ee72a…	x_refsource_MISC
	https://github.com/go-pkgz/auth/releases/tag/v1.25.2	x_refsource_MISC
	https://github.com/go-pkgz/auth/releases/tag/v2.1.2	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	go-pkgz	auth	Affected: >= 1.18.0, < 1.25.2 Affected: >= 2.0.0, < 2.1.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "auth",
          "vendor": "go-pkgz",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.18.0, \u003c 1.25.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.0.0, \u003c 2.1.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "auth provides authentication via oauth2, direct and email. From versions 1.18.0 to before 1.25.2 and 2.0.0 to before 2.1.2, the Patreon OAuth provider maps every authenticated Patreon account to the same local user.ID, instead of deriving a unique ID from the Patreon account returned by Patreon. In practice, this means all Patreon-authenticated users of an application using this library are collapsed into a single local identity. Any application that trusts token.User.ID as the stable account key can end up mixing or fully merging unrelated Patreon users, which can lead to cross-account access, privilege confusion, and subscription-state leakage. This issue has been patched in versions 1.25.2 and 2.1.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287: Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-09T04:15:01.408Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/go-pkgz/auth/security/advisories/GHSA-f6qq-3m3h-4g42",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/go-pkgz/auth/security/advisories/GHSA-f6qq-3m3h-4g42"
        },
        {
          "name": "https://github.com/go-pkgz/auth/commit/c0b15ee72a8401da83c01781c16636c521f42698",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/go-pkgz/auth/commit/c0b15ee72a8401da83c01781c16636c521f42698"
        },
        {
          "name": "https://github.com/go-pkgz/auth/releases/tag/v1.25.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/go-pkgz/auth/releases/tag/v1.25.2"
        },
        {
          "name": "https://github.com/go-pkgz/auth/releases/tag/v2.1.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/go-pkgz/auth/releases/tag/v2.1.2"
        }
      ],
      "source": {
        "advisory": "GHSA-f6qq-3m3h-4g42",
        "discovery": "UNKNOWN"
      },
      "title": "auth: Patreon provider assigns the same local user ID to every authenticated Patreon account, enabling cross\u2011user impersonation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42560",
    "datePublished": "2026-05-09T04:15:01.408Z",
    "dateReserved": "2026-04-28T16:56:50.192Z",
    "dateUpdated": "2026-05-09T04:15:01.408Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-42560",
      "date": "2026-05-09",
      "epss": "0.0007",
      "percentile": "0.21334"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-42560\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-09T06:16:10.603\",\"lastModified\":\"2026-05-09T06:16:10.603\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"auth provides authentication via oauth2, direct and email. From versions 1.18.0 to before 1.25.2 and 2.0.0 to before 2.1.2, the Patreon OAuth provider maps every authenticated Patreon account to the same local user.ID, instead of deriving a unique ID from the Patreon account returned by Patreon. In practice, this means all Patreon-authenticated users of an application using this library are collapsed into a single local identity. Any application that trusts token.User.ID as the stable account key can end up mixing or fully merging unrelated Patreon users, which can lead to cross-account access, privilege confusion, and subscription-state leakage. This issue has been patched in versions 1.25.2 and 2.1.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"references\":[{\"url\":\"https://github.com/go-pkgz/auth/commit/c0b15ee72a8401da83c01781c16636c521f42698\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/go-pkgz/auth/releases/tag/v1.25.2\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/go-pkgz/auth/releases/tag/v2.1.2\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/go-pkgz/auth/security/advisories/GHSA-f6qq-3m3h-4g42\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}

GHSA-F6QQ-3M3H-4G42

Vulnerability from github – Published: 2026-04-30 20:47 – Updated: 2026-04-30 20:47

Summary

auth: Patreon provider assigns the same local user ID to every authenticated Patreon account, enabling cross‑user impersonation

Details

Summary

The Patreon OAuth provider maps every authenticated Patreon account to the same local user.ID, instead of deriving a unique ID from the Patreon account returned by Patreon.

In practice, this means all Patreon-authenticated users of an application using this library are collapsed into a single local identity. Any application that trusts token.User.ID as the stable account key can end up mixing or fully merging unrelated Patreon users, which can lead to cross-account access, privilege confusion, and subscription-state leakage.

Details

The bug is in the Patreon provider's user-mapping logic.

Both the root module and the v2 module create a fresh empty token.User{} and then derive the Patreon ID from userInfo.ID before that field has been populated:

mapUser: func(data UserData, bdata []byte) token.User {
    userInfo := token.User{}

    uinfoJSON := uinfo{}
    if err := json.Unmarshal(bdata, &uinfoJSON); err == nil {
        userInfo.ID = "patreon_" + token.HashID(sha1.New(), userInfo.ID)
        userInfo.Name = uinfoJSON.Data.Attributes.FullName
        userInfo.Picture = uinfoJSON.Data.Attributes.ImageURL
        ...
    }
    return userInfo
}

Affected locations:

provider/providers.go:257
v2/provider/providers.go:257

At that point, userInfo.ID is still the empty string, so the effective result is always:

patreon_ + sha1("")

which is:

patreon_da39a3ee5e6b4b0d3255bfef95601890afd80709

for every Patreon user.

The code appears to have intended to hash the Patreon user ID returned by Patreon, i.e. uinfoJSON.Data.ID, but instead hashes the uninitialized destination field.

Why this matters:

Patreon is a documented, supported provider.
The library documents token.User.ID as the hashed user ID exposed to consumers.
The OAuth flow stores the mapped user object in JWT claims, and middleware later injects that object into the request context verbatim, consuming handlers receive the provider's wrong user.ID as authoritative identity.

Relevant flow in v2:

v2/provider/oauth2.go:207 calls u := p.mapUser(...)
v2/provider/oauth2.go:223 stores u in token claims
v2/middleware/auth.go:154 copies *claims.User into request context

The existing tests already encode the broken behavior:

provider/providers_test.go:179
provider/providers_test.go:204
v2/provider/providers_test.go:179
v2/provider/providers_test.go:204

Those tests assert the constant empty-string hash value for Patreon users.

PoC

This can be reproduced locally without contacting Patreon by exercising the provider's mapUser logic with two different Patreon payloads.

From the repository root, create a temporary test file:

v2/provider/patreon_repro_test.go

package provider

import "testing"

func TestPatreonSharedIdentity(t *testing.T) {
    r := NewPatreon(Params{
        URL:     "http://example.com",
        Cid:     "cid",
        Csecret: "secret",
    })

    a := r.mapUser(UserData{}, []byte(`{
        "data": {
            "attributes": {
                "full_name": "Alice",
                "image_url": "https://example.com/alice.png"
            },
            "id": "1111111"
        }
    }`))

    b := r.mapUser(UserData{}, []byte(`{
        "data": {
            "attributes": {
                "full_name": "Bob",
                "image_url": "https://example.com/bob.png"
            },
            "id": "9999999"
        }
    }`))

    if a.ID != b.ID {
        t.Fatalf("expected IDs to collide, got %q and %q", a.ID, b.ID)
    }

    t.Logf("Alice -> %s", a.ID)
    t.Logf("Bob   -> %s", b.ID)
}

Then run:

cd v2
go test ./provider -run TestPatreonSharedIdentity -v

Expected result:

Alice -> patreon_da39a3ee5e6b4b0d3255bfef95601890afd80709
Bob   -> patreon_da39a3ee5e6b4b0d3255bfef95601890afd80709

This was confirmed locally with three distinct Patreon data.id values; all of them produced the same patreon_da39... identity.

The same issue is reflected in the existing built-in tests, which already assert this constant Patreon ID.

Impact

This is an authentication/identity-collision vulnerability in the Patreon provider.

Impacted users:

applications using github.com/go-pkgz/auth/provider.NewPatreon
applications using github.com/go-pkgz/auth/v2/provider.NewPatreon
applications that rely on token.User.ID as the stable local account identifier, or use it to key roles, profiles, entitlements, subscription state, or other authorization-relevant records

Practical impact:

all Patreon-authenticated users in the same application can collapse into the same local account
data associated with one Patreon user may be exposed to or overwritten by another Patreon user
Patreon-specific attributes such as is_paid_sub can leak across unrelated users
if a target application grants any elevated privileges to the local account keyed by this shared Patreon ID, those privileges can effectively apply to every Patreon login

Suggested Fix

The Patreon provider should derive the user ID from the Patreon account ID returned by Patreon, not from the uninitialized destination struct.

In both of these files:

provider/providers.go
v2/provider/providers.go

change:

userInfo.ID = "patreon_" + token.HashID(sha1.New(), userInfo.ID)

to:

userInfo.ID = "patreon_" + token.HashID(sha1.New(), uinfoJSON.Data.ID)

The addition of regression testing with at least two different Patreon data.id values and asserting that they produce different local IDs is recommended.

Because the current bug causes all Patreon users to share a single local ID, maintainers may also want to consider migration guidance for consumers who already have Patreon-linked local accounts created under the broken identifier.

Severity ?

9.1 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.25.1"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/go-pkgz/auth"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.18.0"
            },
            {
              "fixed": "1.25.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.1.1"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/go-pkgz/auth/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42560"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-30T20:47:24Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Summary\nThe Patreon OAuth provider maps every authenticated Patreon account to the same local `user.ID`, instead of deriving a unique ID from the Patreon account returned by Patreon.\n\nIn practice, this means all Patreon-authenticated users of an application using this library are collapsed into a single local identity. Any application that trusts `token.User.ID` as the stable account key can end up mixing or fully merging unrelated Patreon users, which can lead to cross-account access, privilege confusion, and subscription-state leakage.\n\n### Details\nThe bug is in the Patreon provider\u0027s user-mapping logic.\n\nBoth the root module and the `v2` module create a fresh empty `token.User{}` and then derive the Patreon ID from `userInfo.ID` before that field has been populated:\n\n```go\nmapUser: func(data UserData, bdata []byte) token.User {\n    userInfo := token.User{}\n\n    uinfoJSON := uinfo{}\n    if err := json.Unmarshal(bdata, \u0026uinfoJSON); err == nil {\n        userInfo.ID = \"patreon_\" + token.HashID(sha1.New(), userInfo.ID)\n        userInfo.Name = uinfoJSON.Data.Attributes.FullName\n        userInfo.Picture = uinfoJSON.Data.Attributes.ImageURL\n        ...\n    }\n    return userInfo\n}\n```\n\nAffected locations:\n\n- `provider/providers.go:257`\n- `v2/provider/providers.go:257`\n\nAt that point, `userInfo.ID` is still the empty string, so the effective result is always:\n\n```text\npatreon_ + sha1(\"\")\n```\n\nwhich is:\n\n```text\npatreon_da39a3ee5e6b4b0d3255bfef95601890afd80709\n```\n\nfor every Patreon user.\n\nThe code appears to have intended to hash the Patreon user ID returned by Patreon, i.e. `uinfoJSON.Data.ID`, but instead hashes the uninitialized destination field.\n\nWhy this matters:\n\n1. Patreon is a documented, supported provider.\n2. The library documents `token.User.ID` as the hashed user ID exposed to consumers.\n3. The OAuth flow stores the mapped user object in JWT claims, and middleware later injects that object into the request context verbatim, consuming handlers receive the provider\u0027s wrong user.ID as authoritative identity.\n\nRelevant flow in `v2`:\n\n- `v2/provider/oauth2.go:207` calls `u := p.mapUser(...)`\n- `v2/provider/oauth2.go:223` stores `u` in token claims\n- `v2/middleware/auth.go:154` copies `*claims.User` into request context\n\nThe existing tests already encode the broken behavior:\n\n- `provider/providers_test.go:179`\n- `provider/providers_test.go:204`\n- `v2/provider/providers_test.go:179`\n- `v2/provider/providers_test.go:204`\n\nThose tests assert the constant empty-string hash value for Patreon users.\n\n### PoC\nThis can be reproduced locally without contacting Patreon by exercising the provider\u0027s `mapUser` logic with two different Patreon payloads.\n\nFrom the repository root, create a temporary test file:\n\n`v2/provider/patreon_repro_test.go`\n\n```go\npackage provider\n\nimport \"testing\"\n\nfunc TestPatreonSharedIdentity(t *testing.T) {\n    r := NewPatreon(Params{\n        URL:     \"http://example.com\",\n        Cid:     \"cid\",\n        Csecret: \"secret\",\n    })\n\n    a := r.mapUser(UserData{}, []byte(`{\n        \"data\": {\n            \"attributes\": {\n                \"full_name\": \"Alice\",\n                \"image_url\": \"https://example.com/alice.png\"\n            },\n            \"id\": \"1111111\"\n        }\n    }`))\n\n    b := r.mapUser(UserData{}, []byte(`{\n        \"data\": {\n            \"attributes\": {\n                \"full_name\": \"Bob\",\n                \"image_url\": \"https://example.com/bob.png\"\n            },\n            \"id\": \"9999999\"\n        }\n    }`))\n\n    if a.ID != b.ID {\n        t.Fatalf(\"expected IDs to collide, got %q and %q\", a.ID, b.ID)\n    }\n\n    t.Logf(\"Alice -\u003e %s\", a.ID)\n    t.Logf(\"Bob   -\u003e %s\", b.ID)\n}\n```\n\nThen run:\n\n```bash\ncd v2\ngo test ./provider -run TestPatreonSharedIdentity -v\n```\n\nExpected result:\n\n```text\nAlice -\u003e patreon_da39a3ee5e6b4b0d3255bfef95601890afd80709\nBob   -\u003e patreon_da39a3ee5e6b4b0d3255bfef95601890afd80709\n```\n\nThis was confirmed locally with three distinct Patreon `data.id` values; all of them produced the same `patreon_da39...` identity.\n\nThe same issue is reflected in the existing built-in tests, which already assert this constant Patreon ID.\n\n### Impact\nThis is an authentication/identity-collision vulnerability in the Patreon provider.\n\nImpacted users:\n\n- applications using `github.com/go-pkgz/auth/provider.NewPatreon`\n- applications using `github.com/go-pkgz/auth/v2/provider.NewPatreon`\n- applications that rely on `token.User.ID` as the stable local account identifier, or use it to key roles, profiles, entitlements, subscription state, or other authorization-relevant records\n\nPractical impact:\n\n- all Patreon-authenticated users in the same application can collapse into the same local account\n- data associated with one Patreon user may be exposed to or overwritten by another Patreon user\n- Patreon-specific attributes such as `is_paid_sub` can leak across unrelated users\n- if a target application grants any elevated privileges to the local account keyed by this shared Patreon ID, those privileges can effectively apply to every Patreon login\n\n\n### Suggested Fix\nThe Patreon provider should derive the user ID from the Patreon account ID returned by Patreon, not from the uninitialized destination struct.\n\nIn both of these files:\n\n- `provider/providers.go`\n- `v2/provider/providers.go`\n\nchange:\n\n```go\nuserInfo.ID = \"patreon_\" + token.HashID(sha1.New(), userInfo.ID)\n```\n\nto:\n\n```go\nuserInfo.ID = \"patreon_\" + token.HashID(sha1.New(), uinfoJSON.Data.ID)\n```\n\nThe addition of regression testing with at least two different Patreon `data.id` values and asserting that they produce different local IDs is recommended.\n\nBecause the current bug causes all Patreon users to share a single local ID, maintainers may also want to consider migration guidance for consumers who already have Patreon-linked local accounts created under the broken identifier.",
  "id": "GHSA-f6qq-3m3h-4g42",
  "modified": "2026-04-30T20:47:24Z",
  "published": "2026-04-30T20:47:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/go-pkgz/auth/security/advisories/GHSA-f6qq-3m3h-4g42"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-pkgz/auth/commit/c0b15ee72a8401da83c01781c16636c521f42698"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/go-pkgz/auth"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-pkgz/auth/releases/tag/v1.25.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-pkgz/auth/releases/tag/v2.1.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "auth: Patreon provider assigns the same local user ID to every authenticated Patreon account, enabling cross\u2011user impersonation"
}

FKIE_CVE-2026-42560

Vulnerability from fkie_nvd - Published: 2026-05-09 06:16 - Updated: 2026-05-09 06:16

Severity ?

9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/go-pkgz/auth/commit/c0b15ee72a8401da83c01781c16636c521f42698
	security-advisories@github.com	https://github.com/go-pkgz/auth/releases/tag/v1.25.2
	security-advisories@github.com	https://github.com/go-pkgz/auth/releases/tag/v2.1.2
	security-advisories@github.com	https://github.com/go-pkgz/auth/security/advisories/GHSA-f6qq-3m3h-4g42

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "auth provides authentication via oauth2, direct and email. From versions 1.18.0 to before 1.25.2 and 2.0.0 to before 2.1.2, the Patreon OAuth provider maps every authenticated Patreon account to the same local user.ID, instead of deriving a unique ID from the Patreon account returned by Patreon. In practice, this means all Patreon-authenticated users of an application using this library are collapsed into a single local identity. Any application that trusts token.User.ID as the stable account key can end up mixing or fully merging unrelated Patreon users, which can lead to cross-account access, privilege confusion, and subscription-state leakage. This issue has been patched in versions 1.25.2 and 2.1.2."
    }
  ],
  "id": "CVE-2026-42560",
  "lastModified": "2026-05-09T06:16:10.603",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-09T06:16:10.603",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/go-pkgz/auth/commit/c0b15ee72a8401da83c01781c16636c521f42698"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/go-pkgz/auth/releases/tag/v1.25.2"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/go-pkgz/auth/releases/tag/v2.1.2"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/go-pkgz/auth/security/advisories/GHSA-f6qq-3m3h-4g42"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-42560 (GCVE-0-2026-42560)

GHSA-F6QQ-3M3H-4G42

Summary

Details

PoC

Impact

Suggested Fix

FKIE_CVE-2026-42560

Tags

Sightings

Nomenclature