CVE-2026-42560

Name of the Vulnerable Software and Affected Versions auth versions 1.18.0 through 1.25.1 auth versions 2.0.0 through 2.1.1

Description The Patreon OAuth provider maps every authenticated Patreon account to the same local user.ID instead of deriving a unique ID from the account returned by Patreon. This occurs because the mapUser() function hashes an uninitialized destination field rather than the actual Patreon user ID. Consequently, all Patreon-authenticated users are collapsed into a single local identity. Applications that rely on token.User.ID as a stable account key may experience mixing or merging of unrelated users, leading to cross-account access, privilege confusion, and subscription-state leakage.

Recommendations Update to version 1.25.2. Update to version 2.1.2.