GO-2026-5348
auth: Patreon provider assigns the same local user ID to every authenticated Patreon account, enabling cross‑user impersonation in github.com/go-pkgz/auth
Details
auth: Patreon provider assigns the same local user ID to every authenticated Patreon account, enabling cross‑user impersonation in github.com/go-pkgz/auth
Affected packages
Go / github.com/go-pkgz/auth
Introduced in: 1.18.0
Fixed in: 1.25.2
Fix: go get github.com/go-pkgz/auth@v1.25.2
Go / github.com/go-pkgz/auth/v2
Introduced in: 2.0.0
Fixed in: 2.1.2
Fix: go get github.com/go-pkgz/auth/v2@v2.1.2
References
- https://github.com/go-pkgz/auth/security/advisories/GHSA-f6qq-3m3h-4g42 [ADVISORY]
- https://nvd.nist.gov/vuln/detail/CVE-2026-42560 [ADVISORY]
- https://github.com/go-pkgz/auth/commit/c0b15ee72a8401da83c01781c16636c521f42698 [FIX]
- https://github.com/go-pkgz/auth/releases/tag/v1.25.2 [WEB]
- https://github.com/go-pkgz/auth/releases/tag/v2.1.2 [WEB]