TopVuln

High-risk vulnerability digests

CVE-2026-42560

Severity: CRITICAL

Details

CVSS v3: 9.1
NVD published: 2026-05-09 06:16:10
EPSS: <0.1% probability, 21.3 percentile (as of 2026-05-11)
Affected versions: Go auth library 1.18.0 to <1.25.2, 2.0.0 to <2.1.2
Summary
This vulnerability affects the Go auth library's Patreon OAuth authentication provider. Every authenticated Patreon account is mapped to the same shared local user ID instead of a unique ID per account, so distinct Patreon users resolve to one local identity. The result is cross-account access, privilege confusion, and unintended exposure of private user or subscription information between unrelated users. Any application that relies on this library for Patreon authentication is directly affected.
Remediation
Upgrade the Go auth library to the patched versions: 1.25.2 on the 1.x release branch or 2.1.2 on the 2.x release branch. Verify immediately that every application using this library has applied the fix. After patching, review authentication logs for unusual cross-user access, in particular several distinct Patreon accounts resolving to the same local user.
Exploit info
No public exploit found yet.
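The log review recommended under Remediation can be mechanised. The following Go program is an added example for this digest, not code from the affected library or its maintainers. It assumes a hypothetical key=value authentication log format (`provider=`, `provider_account=`, `local_user=`, `result=`) and uses a small constructed sample; it flags any local user ID that more than one distinct provider account successfully logged in as, which is exactly the one-to-many collapse described in the summary. A healthy identity mapping yields an empty result.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// SampleAuthLog is a constructed sample in an assumed key=value format.
// It is not real output from the affected library. Three different Patreon
// accounts all resolve to local user u-1001, while the GitHub logins map
// one-to-one and the failed login establishes no mapping at all.
const SampleAuthLog = `ts=2026-05-10T08:01:02Z provider=patreon provider_account=pat-111 local_user=u-1001 result=ok
ts=2026-05-10T08:05:44Z provider=patreon provider_account=pat-222 local_user=u-1001 result=ok
ts=2026-05-10T09:12:00Z provider=github provider_account=gh-5 local_user=u-2002 result=ok
ts=2026-05-10T09:30:15Z provider=patreon provider_account=pat-333 local_user=u-1001 result=ok
ts=2026-05-10T10:00:00Z provider=patreon provider_account=pat-111 local_user=u-1001 result=ok
ts=2026-05-10T10:02:00Z provider=github provider_account=gh-6 local_user=u-2003 result=fail`

// AuthEvent is one parsed login record.
type AuthEvent struct {
	Provider        string // OAuth provider name, e.g. "patreon"
	ProviderAccount string // account id reported by the provider
	LocalUser       string // local user id the application resolved the login to
	OK              bool   // whether the login succeeded
}

// parseAuthLine parses one key=value log line. Lines missing any of the
// identity fields are rejected rather than guessed at.
func parseAuthLine(line string) (AuthEvent, bool) {
	fields := map[string]string{}
	for _, tok := range strings.Fields(line) {
		if k, v, found := strings.Cut(tok, "="); found {
			fields[k] = v
		}
	}
	ev := AuthEvent{
		Provider:        fields["provider"],
		ProviderAccount: fields["provider_account"],
		LocalUser:       fields["local_user"],
		OK:              fields["result"] == "ok",
	}
	if ev.Provider == "" || ev.ProviderAccount == "" || ev.LocalUser == "" {
		return AuthEvent{}, false
	}
	return ev, true
}

// FindSharedLocalUsers returns, for every local user id that two or more
// distinct provider accounts successfully logged in as, the sorted list of
// those accounts in "provider:account" form. Repeated logins by the same
// account are counted once; failed logins are ignored.
func FindSharedLocalUsers(log string) map[string][]string {
	seen := map[string]map[string]bool{} // local user -> set of provider:account
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		ev, ok := parseAuthLine(sc.Text())
		if !ok || !ev.OK {
			continue // unparsable or failed logins never established a mapping
		}
		if seen[ev.LocalUser] == nil {
			seen[ev.LocalUser] = map[string]bool{}
		}
		seen[ev.LocalUser][ev.Provider+":"+ev.ProviderAccount] = true
	}
	shared := map[string][]string{}
	for user, accounts := range seen {
		if len(accounts) < 2 {
			continue
		}
		for acct := range accounts {
			shared[user] = append(shared[user], acct)
		}
		sort.Strings(shared[user])
	}
	return shared
}

func main() {
	shared := FindSharedLocalUsers(SampleAuthLog)
	if len(shared) == 0 {
		fmt.Println("no local user is shared by multiple provider accounts")
		return
	}
	for user, accounts := range shared {
		fmt.Printf("local user %s is shared by %d provider accounts: %v\n", user, len(accounts), accounts)
	}
}
```

Run it against a real export after adapting `parseAuthLine` to the application's actual log fields; any local user that appears in the output after the upgrade indicates the patched version is not yet in effect or that sessions minted before the fix are still live.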


Information is aggregated from multiple authoritative sources for convenience; verify with NVD and vendors before operational decisions.