CVE-2026-42560: Critical Patreon OAuth Flaw Merges User Identities

The National Vulnerability Database has disclosed CVE-2026-42560, a critical vulnerability (CVSS 9.1) affecting applications using the auth library for Patreon OAuth authentication. Versions 1.18.0 through 1.25.1, and 2.0.0 through 2.1.1, are impacted. This flaw causes the Patreon OAuth provider to map all authenticated Patreon accounts to a single local user ID within the application.

This fundamental design error means that applications trusting token.User.ID as a unique account identifier will effectively collapse all Patreon-authenticated users into a single identity. The National Vulnerability Database warns this can lead to severe issues, including cross-account access, privilege confusion, and the leakage of subscription states between unrelated Patreon users. It’s a critical breakdown of user isolation.

Patches are available in versions 1.25.2 and 2.1.2. Any application integrating Patreon OAuth via the auth library, especially those relying on token.User.ID for user separation, must prioritize updating to these patched versions immediately to prevent widespread account compromise and data exposure.

What This Means For You

  • If your application uses the `auth` library for Patreon OAuth, you are exposed to CVE-2026-42560. This isn't just a bug; it's a complete failure of user separation. All Patreon users authenticating through your app could effectively become the same user. Audit your application versions and patch to 1.25.2 or 2.1.2 immediately. Failing to do so means any Patreon user could potentially access any other Patreon user's data or privileges within your application.
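As an added illustration (this is not the auth library's code, nor code from the original post), the Go sketch below contrasts the class of defect the advisory describes, a provider mapping that never incorporates the upstream Patreon account ID, with a mapping that keys the local ID on it, and includes the isolation check an integrator can run during the audit recommended above. The types PatreonIdentity and LocalUser, the functions MapPatreonUserBuggy, MapPatreonUserFixed and CheckIsolation, and the sample identities are all constructed for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// PatreonIdentity is a constructed stand-in for the identity fields an OAuth
// provider returns after the token exchange; it is not the auth library's type.
type PatreonIdentity struct {
	ID    string // Patreon's own account identifier: stable and unique per account
	Email string
	Name  string
}

// LocalUser mirrors the shape of a user record carrying an ID field
// (the role token.User.ID plays in the advisory). Constructed for this example.
type LocalUser struct {
	ID   string
	Name string
}

// hashID derives an opaque local ID from the provider name and the upstream ID.
func hashID(provider, upstreamID string) string {
	sum := sha256.Sum256([]byte(provider + ":" + upstreamID))
	return provider + "_" + hex.EncodeToString(sum[:8])
}

// MapPatreonUserBuggy illustrates the defect class from the advisory: the local
// ID is derived without the upstream account ID, so every Patreon account
// collapses to the same local ID. Illustrative only; not the library's code.
func MapPatreonUserBuggy(p PatreonIdentity) LocalUser {
	return LocalUser{ID: hashID("patreon", ""), Name: p.Name}
}

// MapPatreonUserFixed keys the local ID on provider + upstream account ID, so
// distinct Patreon accounts stay distinct. A missing upstream ID is refused
// rather than silently mapped to a constant.
func MapPatreonUserFixed(p PatreonIdentity) LocalUser {
	if p.ID == "" {
		return LocalUser{}
	}
	return LocalUser{ID: hashID("patreon", p.ID), Name: p.Name}
}

// CheckIsolation is the audit step: feed several distinct upstream identities
// through a mapping function and require that every resulting local ID is
// non-empty and unique. It returns false on the first collision or empty ID.
func CheckIsolation(mapFn func(PatreonIdentity) LocalUser, ids []PatreonIdentity) bool {
	seen := map[string]bool{}
	for _, p := range ids {
		u := mapFn(p)
		if u.ID == "" || seen[u.ID] {
			return false
		}
		seen[u.ID] = true
	}
	return true
}

// sampleIdentities returns three constructed, distinct Patreon accounts.
func sampleIdentities() []PatreonIdentity {
	return []PatreonIdentity{
		{ID: "1001", Email: "a@example.test", Name: "alice"},
		{ID: "1002", Email: "b@example.test", Name: "bob"},
		{ID: "1003", Email: "c@example.test", Name: "carol"},
	}
}

func main() {
	ids := sampleIdentities()
	fmt.Println("buggy mapping keeps users isolated:", CheckIsolation(MapPatreonUserBuggy, ids))
	fmt.Println("fixed mapping keeps users isolated:", CheckIsolation(MapPatreonUserFixed, ids))
}
```

The useful part for an integrator is CheckIsolation: run it (or an equivalent test) against whatever wraps the library's Patreon provider in your application, with two or more real or mocked Patreon identities, and fail the build if the local IDs collide.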

Detection Rules


Severity: critical · ATT&CK: T1078.004 (Initial Access)

Patreon OAuth Identity Merging via Vulnerable Auth Library — CVE-2026-42560

Sigma YAML
title: Patreon OAuth Identity Merging via Vulnerable Auth Library — CVE-2026-42560
id: scw-2026-05-09-ai-1
status: experimental
level: critical
description: |
  Flags successful Patreon OAuth callbacks: a request to the Patreon OAuth endpoint
  carrying an authorization code that is answered with HTTP 200. CVE-2026-42560 affects
  applications using the auth library versions 1.18.0 to before 1.25.2 and 2.0.0 to
  before 2.1.2, whose Patreon provider maps every authenticated Patreon account to the
  same local user ID. A web-server log cannot show the merged local ID itself, so a match
  is evidence that the Patreon OAuth flow is in use (and therefore that the application
  is exposed if it runs an affected library version), not proof that another user's data
  was accessed. Pair matches with the library version inventory to decide exposure.
author: SCW Feed Engine (AI-generated)
date: 2026-05-09
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42560/
tags:
  - attack.initial_access
  - attack.t1078.004
logsource:
  # cs-uri-query and sc-status are web-server access-log fields
  category: webserver
detection:
  selection:
    uri|contains:
      - '/oauth/patreon'
    cs-uri-query|contains:
      - 'code='
    sc-status:
      - 200
  condition: selection
falsepositives:
  - Every legitimate Patreon login matches; on a patched library version (1.25.2 / 2.1.2 or later) treat matches as an inventory signal, not an incident
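The Sigma rule above sees only the web-server side of the callback, so it cannot tell whether identities were actually merged. As an added example (not part of the original rule and not the auth library's code), the Go program below runs the complementary check over application-side login records: it groups successful logins by local user ID and flags any local ID that received logins from more than one distinct upstream Patreon account, which is exactly the symptom the advisory describes. The key=value log format, the field names provider, upstream_id and local_id, and the sample lines are constructed assumptions; adapt parseLine to whatever your application actually logs.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// AuthEvent is one parsed login record. The fields assume the application logs
// the upstream (Patreon) account ID next to the local user ID it was mapped to.
type AuthEvent struct {
	Provider   string
	UpstreamID string
	LocalID    string
}

// sampleLog is constructed for this example: three different Patreon accounts
// all land on local user "patreon_6f3a", plus one healthy GitHub login and a
// non-auth line for contrast.
const sampleLog = `2026-05-09T09:16:01Z auth provider=patreon upstream_id=1001 local_id=patreon_6f3a status=ok
2026-05-09T09:17:12Z auth provider=patreon upstream_id=1002 local_id=patreon_6f3a status=ok
2026-05-09T09:18:45Z auth provider=github upstream_id=77 local_id=github_b21c status=ok
2026-05-09T09:19:00Z healthcheck status=ok
2026-05-09T09:20:03Z auth provider=patreon upstream_id=1003 local_id=patreon_6f3a status=ok
2026-05-09T09:21:30Z auth provider=patreon upstream_id=1001 local_id=patreon_6f3a status=ok`

// parseLine extracts key=value tokens; ok is false for lines that are not
// successful auth events or lack the fields the check needs.
func parseLine(line string) (AuthEvent, bool) {
	fields := map[string]string{}
	for _, tok := range strings.Fields(line) {
		if k, v, found := strings.Cut(tok, "="); found {
			fields[k] = v
		}
	}
	ev := AuthEvent{
		Provider:   fields["provider"],
		UpstreamID: fields["upstream_id"],
		LocalID:    fields["local_id"],
	}
	if fields["status"] != "ok" || ev.Provider == "" || ev.UpstreamID == "" || ev.LocalID == "" {
		return ev, false
	}
	return ev, true
}

// CollapsedIdentities returns, per local ID, the sorted distinct upstream IDs
// that mapped onto it, including only local IDs reached from two or more
// upstream accounts. An empty result means no identity merging was observed.
func CollapsedIdentities(log string) map[string][]string {
	upstreams := map[string]map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		ev, ok := parseLine(sc.Text())
		if !ok {
			continue
		}
		if upstreams[ev.LocalID] == nil {
			upstreams[ev.LocalID] = map[string]bool{}
		}
		upstreams[ev.LocalID][ev.UpstreamID] = true
	}
	out := map[string][]string{}
	for local, set := range upstreams {
		if len(set) < 2 {
			continue
		}
		ids := make([]string, 0, len(set))
		for id := range set {
			ids = append(ids, id)
		}
		sort.Strings(ids)
		out[local] = ids
	}
	return out
}

func main() {
	for local, ids := range CollapsedIdentities(sampleLog) {
		fmt.Printf("local user %s received logins from %d distinct upstream accounts: %v\n",
			local, len(ids), ids)
	}
}
```

Run over a window of real login records, a non-empty result for the patreon provider on an affected library version is the direct indicator of merged identities; the same grouping also gives the list of upstream accounts whose sessions and subscription state need to be reviewed once the library is patched.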

Source: Shimi's Cyber World

Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-42560 | Auth Bypass | auth library versions 1.18.0 to before 1.25.2 |
| CVE-2026-42560 | Auth Bypass | auth library versions 2.0.0 to before 2.1.2 |
| CVE-2026-42560 | Privilege Escalation | Patreon OAuth provider maps every authenticated Patreon account to the same local user.ID |
| CVE-2026-42560 | Information Disclosure | subscription-state leakage due to cross-account access |

Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: May 09, 2026 at 09:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
