The vulnerability arises from the Patreon OAuth provider in the go-pkgz/auth library mapping every authenticated Patreon account to the same local user.ID value, rather than deriving a unique identifier from the Patreon account. This flaw causes all Patreon-authenticated users to collapse into a single local identity. Applications that rely on token.User.ID as a stable account identifier can inadvertently merge unrelated users, resulting in cross‑account access, privilege confusion and leakage of subscription data. The weakness is an access control bypass identified as CWE‑287.

Vulnerable applications use the go-pkgz/auth library version range 1.18.0 through 1.25.2‑exclusive in the v1 branch, or 2.0.0 through 2.1.2‑exclusive in the v2 branch. Versions 1.25.2 and 2.1.2 contain the patch that assigns unique local IDs for each Patreon account. Systems built on earlier releases are at risk unless the library is updated.

The CVSS score of 9.1 indicates high severity and a substantial impact if exploited. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Attacks are likely to occur within applications that trust the provider’s user identifier for authentication state. The exploit requires only a legitimate Patreon login and the affected library, so an attacker can impersonate any Patreon user without additional privileges. Given the critical Nature of the flaw and the ease of exploitation, a rapid response is advised.