Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-42560

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-09 May, 2026 | 04:15
Updated At-09 May, 2026 | 04:15
Rejected At-
Credits

auth: Patreon provider assigns the same local user ID to every authenticated Patreon account, enabling cross‑user impersonation

auth provides authentication via oauth2, direct and email. From versions 1.18.0 to before 1.25.2 and 2.0.0 to before 2.1.2, the Patreon OAuth provider maps every authenticated Patreon account to the same local user.ID, instead of deriving a unique ID from the Patreon account returned by Patreon. In practice, this means all Patreon-authenticated users of an application using this library are collapsed into a single local identity. Any application that trusts token.User.ID as the stable account key can end up mixing or fully merging unrelated Patreon users, which can lead to cross-account access, privilege confusion, and subscription-state leakage. This issue has been patched in versions 1.25.2 and 2.1.2.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–ĽCommon Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:09 May, 2026 | 04:15
Updated At:09 May, 2026 | 04:15
Rejected At:
â–ĽCVE Numbering Authority (CNA)
auth: Patreon provider assigns the same local user ID to every authenticated Patreon account, enabling cross‑user impersonation

auth provides authentication via oauth2, direct and email. From versions 1.18.0 to before 1.25.2 and 2.0.0 to before 2.1.2, the Patreon OAuth provider maps every authenticated Patreon account to the same local user.ID, instead of deriving a unique ID from the Patreon account returned by Patreon. In practice, this means all Patreon-authenticated users of an application using this library are collapsed into a single local identity. Any application that trusts token.User.ID as the stable account key can end up mixing or fully merging unrelated Patreon users, which can lead to cross-account access, privilege confusion, and subscription-state leakage. This issue has been patched in versions 1.25.2 and 2.1.2.

Affected Products
Vendor
go-pkgz
Product
auth
Versions
Affected
  • >= 1.18.0, < 1.25.2
  • >= 2.0.0, < 2.1.2
Problem Types
TypeCWE IDDescription
CWECWE-287CWE-287: Improper Authentication
Type: CWE
CWE ID: CWE-287
Description: CWE-287: Improper Authentication
Metrics
VersionBase scoreBase severityVector
3.19.1CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Version: 3.1
Base score: 9.1
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/go-pkgz/auth/security/advisories/GHSA-f6qq-3m3h-4g42
x_refsource_CONFIRM
https://github.com/go-pkgz/auth/commit/c0b15ee72a8401da83c01781c16636c521f42698
x_refsource_MISC
https://github.com/go-pkgz/auth/releases/tag/v1.25.2
x_refsource_MISC
https://github.com/go-pkgz/auth/releases/tag/v2.1.2
x_refsource_MISC
Hyperlink: https://github.com/go-pkgz/auth/security/advisories/GHSA-f6qq-3m3h-4g42
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/go-pkgz/auth/commit/c0b15ee72a8401da83c01781c16636c521f42698
Resource:
x_refsource_MISC
Hyperlink: https://github.com/go-pkgz/auth/releases/tag/v1.25.2
Resource:
x_refsource_MISC
Hyperlink: https://github.com/go-pkgz/auth/releases/tag/v2.1.2
Resource:
x_refsource_MISC
Information is not available yet
â–ĽNational Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:09 May, 2026 | 06:16
Updated At:09 May, 2026 | 06:16

auth provides authentication via oauth2, direct and email. From versions 1.18.0 to before 1.25.2 and 2.0.0 to before 2.1.2, the Patreon OAuth provider maps every authenticated Patreon account to the same local user.ID, instead of deriving a unique ID from the Patreon account returned by Patreon. In practice, this means all Patreon-authenticated users of an application using this library are collapsed into a single local identity. Any application that trusts token.User.ID as the stable account key can end up mixing or fully merging unrelated Patreon users, which can lead to cross-account access, privilege confusion, and subscription-state leakage. This issue has been patched in versions 1.25.2 and 2.1.2.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.19.1CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Type: Secondary
Version: 3.1
Base score: 9.1
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-287Primarysecurity-advisories@github.com
CWE ID: CWE-287
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/go-pkgz/auth/commit/c0b15ee72a8401da83c01781c16636c521f42698security-advisories@github.com
N/A
https://github.com/go-pkgz/auth/releases/tag/v1.25.2security-advisories@github.com
N/A
https://github.com/go-pkgz/auth/releases/tag/v2.1.2security-advisories@github.com
N/A
https://github.com/go-pkgz/auth/security/advisories/GHSA-f6qq-3m3h-4g42security-advisories@github.com
N/A
Hyperlink: https://github.com/go-pkgz/auth/commit/c0b15ee72a8401da83c01781c16636c521f42698
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/go-pkgz/auth/releases/tag/v1.25.2
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/go-pkgz/auth/releases/tag/v2.1.2
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/go-pkgz/auth/security/advisories/GHSA-f6qq-3m3h-4g42
Source: security-advisories@github.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

109Records found
CVE-2020-14158
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.1||CRITICAL
EPSS-0.37% / 58.88%
||
7 Day CHG~0.00%
Published-30 Jul, 2020 | 13:13
Updated-04 Aug, 2024 | 12:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The ABUS Secvest FUMO50110 hybrid module does not have any security mechanism that ensures confidentiality or integrity of RF packets that are exchanged with an alarm panel. This makes it easier to conduct wAppLoxx authentication-bypass attacks.

Action-Not Available
Vendor-abusn/a
Product-secvest_hybrid_fumo50110_firmwaresecvest_hybrid_fumo50110n/a
CWE ID-CWE-287
Improper Authentication
CVE-2024-23255
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-9.1||CRITICAL
EPSS-0.15% / 35.23%
||
7 Day CHG~0.00%
Published-08 Mar, 2024 | 01:36
Updated-02 Apr, 2026 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An authentication issue was addressed with improved state management. This issue is fixed in iOS 17.4 and iPadOS 17.4, macOS Sonoma 14.4. Photos in the Hidden Photos Album may be viewed without authentication.

Action-Not Available
Vendor-Apple Inc.
Product-iphone_osipad_osmacosmacOSiOS and iPadOSiosipadosmacos
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-863
Incorrect Authorization
CVE-2024-21638
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.1||CRITICAL
EPSS-3.55% / 87.76%
||
7 Day CHG~0.00%
Published-10 Jan, 2024 | 21:44
Updated-03 Jun, 2025 | 14:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Azure IPAM solution Elevation of Privilege Vulnerability

Azure IPAM (IP Address Management) is a lightweight solution developed on top of the Azure platform designed to help Azure customers manage their IP Address space easily and effectively. By design there is no write access to customers' Azure environments as the Service Principal used is only assigned the Reader role at the root Management Group level. Until recently, the solution lacked the validation of the passed in authentication token which may result in attacker impersonating any privileged user to access data stored within the IPAM instance and subsequently from Azure, causing an elevation of privilege. This vulnerability has been patched in version 3.0.0.

Action-Not Available
Vendor-AzureMicrosoft Corporation
Product-azure_ipamipam
CWE ID-CWE-269
Improper Privilege Management
CWE ID-CWE-287
Improper Authentication
CVE-2022-39355
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.1||CRITICAL
EPSS-0.32% / 55.12%
||
7 Day CHG~0.00%
Published-26 Oct, 2022 | 00:00
Updated-23 Apr, 2025 | 16:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Discourse Patreon vulnerable to improper validation of email during Patreon authentication

Discourse Patreon enables syncronization between Discourse Groups and Patreon rewards. On sites with Patreon login enabled, an improper authentication vulnerability could be used to take control of a victim's forum account. This vulnerability is patched in commit number 846d012151514b35ce42a1636c7d70f6dcee879e of the discourse-patreon plugin. Out of an abundance of caution, any Discourse accounts which have logged in with an unverified-email Patreon account will be logged out and asked to verify their email address on their next login. As a workaround, disable the patreon integration and log out all users with associated Patreon accounts.

Action-Not Available
Vendor-Civilized Discourse Construction Kit, Inc.
Product-patreondiscourse-patreon
CWE ID-CWE-287
Improper Authentication
CVE-2022-39289
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.1||CRITICAL
EPSS-0.37% / 59.00%
||
7 Day CHG~0.00%
Published-07 Oct, 2022 | 00:00
Updated-22 Apr, 2025 | 17:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Database log access in ZoneMinder

ZoneMinder is a free, open source Closed-circuit television software application. In affected versions the ZoneMinder API Exposes Database Log contents to user without privileges, allows insertion, modification, deletion of logs without System Privileges. Users are advised yo upgrade as soon as possible. Users unable to upgrade should disable database logging.

Action-Not Available
Vendor-zoneminderZoneMinder
Product-zoneminderzoneminder
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-862
Missing Authorization
CVE-2022-34372
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-9.8||CRITICAL
EPSS-1.86% / 83.16%
||
7 Day CHG~0.00%
Published-01 Sep, 2022 | 18:45
Updated-17 Sep, 2024 | 01:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell PowerProtect Cyber Recovery versions before 19.11.0.2 contain an authentication bypass vulnerability. A remote unauthenticated attacker may potentially access and interact with the docker registry API leading to an authentication bypass. The attacker may potentially alter the docker images leading to a loss of integrity and confidentiality

Action-Not Available
Vendor-Dell Inc.
Product-powerprotect_cyber_recoveryCyber Recovery
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CWE ID-CWE-287
Improper Authentication
CVE-2022-31013
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.1||CRITICAL
EPSS-0.50% / 65.88%
||
7 Day CHG~0.00%
Published-31 May, 2022 | 22:35
Updated-23 Apr, 2025 | 18:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authentication bypass in Vartalap chat-server

Chat Server is the chat server for Vartalap, an open-source messaging application. Versions 2.3.2 until 2.6.0 suffer from a bug in validating the access token, resulting in authentication bypass. The function `this.authProvider.verifyAccessKey` is an async function, as the code is not using `await` to wait for the verification result. Every time the function responds back with success, along with an unhandled exception if the token is invalid. A patch is available in version 2.6.0.

Action-Not Available
Vendor-chat_server_projectramank775
Product-chat_serverchat-server
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-20
Improper Input Validation
CVE-2022-2757
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9.8||CRITICAL
EPSS-0.21% / 43.80%
||
7 Day CHG~0.00%
Published-13 Dec, 2022 | 21:18
Updated-16 Apr, 2025 | 16:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Due to the lack of adequately implemented access-control rules, all versions Kingspan TMS300 CS are vulnerable to an attacker viewing and modifying the application settings without authenticating by accessing a specific uniform resource locator (URL) on the webserver.

Action-Not Available
Vendor-kingspanKingspan
Product-tms300_cs_firmwaretms300_csTMS300 CS
CWE ID-CWE-287
Improper Authentication
CVE-2023-33054
Matching Score-4
Assigner-Qualcomm, Inc.
ShareView Details
Matching Score-4
Assigner-Qualcomm, Inc.
CVSS Score-9.1||CRITICAL
EPSS-0.13% / 31.97%
||
7 Day CHG~0.00%
Published-05 Dec, 2023 | 03:04
Updated-11 Aug, 2025 | 15:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Authentication in GPS HLOS Driver

Cryptographic issue in GPS HLOS Driver while downloading Qualcomm GNSS assistance data.

Action-Not Available
Vendor-Qualcomm Technologies, Inc.
Product-qcm8550_firmwareqcs410_firmwaresa6150p_firmwaresd865_5gsw5100pqca6595qcs610_firmwarewcd9335wcd9370qca8081_firmwaresm7250-absnapdragon_x50_5g_modem-rf_systemqca6696wcd9340_firmwarewcd9341_firmwarewcd9395_firmware8998qcn6024sdm845qcc710_firmwareqca6426wcn6740_firmwarewcn3610sm7325-ae_firmwarewsa8832_firmwareqca8337qca6426_firmwarewcd9395qca6574au_firmwarewcn785x-5qam8295psm8150_firmwarewcd9341qca6574auwcd9390snapdragon_x12_lte_modemwsa8810_firmwaresd730_firmwarewsa8845h_firmwarecsra6640wcn3660b_firmwaresd730qcs5430sm8150-acsm6375_firmwaresd835_firmwareqcn6024_firmwaresnapdragon_4_gen_2_mobile_platform_firmwaresm7150-acqcm5430qcm5430_firmwarevideo_collaboration_vc1_platform_firmwaresm8350qcm6125_firmwareqcc710sm6375sm7250-aa_firmware315_5g_iot_modem_firmwaresda845sm8450_firmwarevideo_collaboration_vc1_platformqfw7114wcd9385_firmwareqca6421315_5g_iot_modemsnapdragon_x55_5g_modem-rf_systemqca6310sa8155_firmwaresm7150-abqcs603_firmwareqca6335qcs4490snapdragon_8\+_gen_2_mobile_platform_firmwarewsa8845sa6155pqca6421_firmwareqcm6125sm7150-ac_firmwarewsa8810video_collaboration_vc5_platform_firmwaresnapdragon_8\+_gen_2_mobile_platformsm8350-acqca6595ausm7325_firmwaresm7315_firmwarewcd9326_firmwaresa6155p_firmwarewsa8840qcs8550_firmwaresd835qfw7124_firmwareqca6436_firmwaresnapdragon_wear_4100\+_platform_firmwareqcs4490_firmwaresnapdragon_8_gen_2_mobile_platformwcn3910_firmwaresnapdragon_7c\+_gen_3_compute_firmwaresm8250-ac_firmwareqca6420wcn3910wcd9370_firmwaresnapdragon_x55_5g_modem-rf_system_firmwarewcn3660bqca6574asm7325-aeqca6174asa8195pwcd9340qcs8250_firmwareqcm2290sm6150-acsm6225snapdragon_auto_5g_modem-rf_gen_2qca6335_firmwareqcm6490sm8150-ac_firmwaresm8550p_firmwarewcn3998_firmwareqcm8550wcn3988qcn9024qca6574sm7325-afsnapdragon_x75_5g_modem-rf_systemqca6430_firmwareqcs605qcn9024_firmwarewsa8845hwcd9326sa6150psm7250-aaqcs410qcm2290_firmwarewcn685x-1_firmwaresa8155p_firmwaresa8155pwsa8830snapdragon_675_mobile_platformsm8550psa6145pwcn785x-1_firmwarear8035sa6155qcm4325qcn6224sm8475_firmwareqca6698aqqm215_firmwarewcn3950_firmwaresm6250sm7250-acwcn685x-1sm7325p_firmwaresa8145p_firmwarewcn3680bsa8150p_firmwaresnapdragon_w5\+_gen_1_wearable_platformvideo_collaboration_vc3_platform_firmwarewcn3990qcs6490qcs8250wsa8830_firmwaresm7150-aaqcn6224_firmwareqca6431wsa8845_firmwaresd660_firmwarewsa8832qcs603sxr2130_firmwaresnapdragon_675_mobile_platform_firmwarear8035_firmwaresm8475snapdragon_w5\+_gen_1_wearable_platform_firmwareqca6320sm8250-ab_firmwaresd888_firmwareqcs6125_firmwaresm6225_firmwaresm7325-af_firmwarewsa8815_firmwaresm8250-absa8195p_firmwareqca8337_firmwaresnapdragon_x12_lte_modem_firmwareqcm4290sm7325sm6125_firmwareqca9377_firmwareqcm6490_firmwaresm8350-ac_firmwaresm7250p_firmwareqcm4490_firmwarewcn785x-5_firmwarewcn3950snapdragon_xr2_5g_platformqcs6125sda845_firmwareapq5053-aa_firmwaresnapdragon_x65_5g_modem-rf_system_firmwaresnapdragon_auto_5g_modem-rf_gen_2_firmwaresnapdragon_7c\+_gen_3_computesnapdragon_xr2\+_gen_1_platform_firmwaresm4350_firmwaresm7350-ab_firmwarewcn3991sa8295p_firmwareapq5053-aasm7250psm6250_firmwaresa8155sm7150-aa_firmwareqca6584ausd888qca6320_firmwareqcn6274_firmwaresnapdragon_4_gen_2_mobile_platformsw5100_firmwarewcn685x-5wcn6740qca6310_firmwaresm6225-ad_firmwareqfw7114_firmwareqcs605_firmwareqca6595_firmwaresm8250-acsm8250_firmwarewcd9380sa6145p_firmwaresa6155_firmwaresnapdragon_xr2_5g_platform_firmwaresa8150psm7350-absm8350_firmwaresm6225-adsm4350-acsdm660_firmwaresw5100video_collaboration_vc3_platformaqt1000sm8150wcn3991_firmwareqam8295p_firmwaresd855sdm660qca6431_firmwarewcn3990_firmwaresm7315sm6125qca6698aq_firmwareqcs2290wcd93858998_firmwareqcs2290_firmwarewcn3615wcn3610_firmwareqcs4290wcd9390_firmwarewcn6750qca6430wcn6750_firmwaresdx55_firmwarewcn3615_firmwaresm7250-ab_firmwaresxr2130qcm44908098_firmwaresm7150-ab_firmwarecsra6640_firmwaresm4350snapdragon_xr2\+_gen_1_platformqca6174a_firmwaresm7325pwcn3998video_collaboration_vc5_platformqca6420_firmwareaqt1000_firmwareqcs6490_firmwaresm8450sm6150-ac_firmwaresnapdragon_x65_5g_modem-rf_systemsd855_firmwarewcd9335_firmwarewcn3980_firmwareqca6436qca6584au_firmwareqcn6274wsa8835wsa8840_firmwareqca6391_firmwareqfw7124qca6595au_firmwaresw5100p_firmwaresm8250qca6696_firmwareqcs4290_firmwarewcd9380_firmwareqca6574_firmwarecsra6620qca8081sd660wsa8815sm4375sg4150pqca9377sm4375_firmwareqcm4325_firmwareqca6574a_firmwaresdx55qcm4290_firmwaresdm845_firmwarewcd9375_firmwareqca6391wcn785x-1qcs5430_firmwaresg4150p_firmwaresnapdragon_8_gen_2_mobile_platform_firmwarecsra6620_firmwaresa8295p8098snapdragon_x50_5g_modem-rf_system_firmwareqcs8550qm215sd865_5g_firmwarewcd9375wcn685x-5_firmwarewcn3988_firmwaresa8145psm4350-ac_firmwaresnapdragon_wear_4100\+_platformwsa8835_firmwaresnapdragon_x75_5g_modem-rf_system_firmwarewcn3980sm7250-ac_firmwarewcn3680b_firmwareqcs610Snapdragon
CWE ID-CWE-287
Improper Authentication
  • Previous
  • 1
  • 2
  • 3
  • Next
Details not found