Ghostwire

CVE-2026-42560: auth: Patreon provider assigns the same local user ID to every authenticated Patreon account, enabling cross‑user...

CRITICAL CVSS 9.1 Exploit Available

Published: April 30, 2026 | Last Modified: April 30, 2026

Description

auth: Patreon provider assigns the same local user ID to every authenticated Patreon account, enabling cross‑user impersonation

Ghostwire Analysis — What This Means Practically

Critical CVSS score indicates maximum severity — remote code execution, authentication bypass, or complete system compromise is likely possible.
Exploit code is reported to be available, increasing the likelihood of active exploitation.

This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.

Security Coverage (1 articles)

References

github.com/go-pkgz/auth/security/advisories/GHSA-f6qq-3m3h-4g42
github.com/go-pkgz/auth/commit/c0b15ee72a8401da83c01781c16636c521f42698
github.com/go-pkgz/auth/releases/tag/v1.25.2
github.com/go-pkgz/auth/releases/tag/v2.1.2
github.com/advisories/GHSA-f6qq-3m3h-4g42
www.tenable.com/cve/CVE-2026-42560
www.cnnvd.org.cn/home/globalSearch?keyword=CVE-2026-42560