5 matches found
CVE-2026-9087 Keycloak: cross-session email verification proof not bound to upstream identity in first-broker-login
A flaw was found in Keycloak. The cross-session verification proof is keyed only by local userId, idpAlias and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim's local account...
PT-2026-42199
Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description A flaw exists where the cross-session verification proof is keyed only by the userId and idpAlias and is not bound to the upstream identity that was actually verified. This allows a second...
CVE-2026-42560
auth provides authentication via oauth2, direct and email. From versions 1.18.0 to before 1.25.2 and 2.0.0 to before 2.1.2, the Patreon OAuth provider maps every authenticated Patreon account to the same local user.ID, instead of deriving a unique ID from the Patreon account returned by Patreon. ...
CVE-2026-42560
The CVE describes a vulnerability in the Patreon OAuth provider used by github.com/go-pkgz/auth, where the mapUser logic computes a local user ID from an uninitialized field, causing every Patreon-authenticated user to share the same local identity. The GHSA advisory details show the code path wh...
GHSA-F6QQ-3M3H-4G42 auth: Patreon provider assigns the same local user ID to every authenticated Patreon account, enabling cross‑user impersonation
Summary The Patreon OAuth provider maps every authenticated Patreon account to the same local user.ID, instead of deriving a unique ID from the Patreon account returned by Patreon. In practice, this means all Patreon-authenticated users of an application using this library are collapsed into a...