CVE-2026-42560
OAuth2 Library Maintainers · auth
A flaw in the Patreon OAuth provider mapping causes distinct Patreon users to be merged into a single local identity, so any user who completes a Patreon login lands in the same account as every other Patreon user, enabling account takeover.
Executive summary
An authentication mapping vulnerability in the auth library allows for cross-account access and privilege confusion by merging unrelated Patreon user identities.
Vulnerability
The Patreon provider integration does not derive the local user ID from a stable, per-user Patreon identifier. Every user who authenticates through Patreon is therefore mapped to the same local identity, and a login by one Patreon user yields a session for the account that all other Patreon users share, together with whatever roles, data and subscription state that shared account has accumulated. The issue affects every application user who signs in via the Patreon provider; no interaction beyond a normal login is required.
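To make the failure mode concrete, the following added example (written for this page; it is not the affected library's code and the mapper names are hypothetical) shows a profile mapper that reads the wrong field and so yields one identical account key for every Patreon user, next to a hardened mapper that keys the local account on the provider's stable per-user ID and refuses to proceed when that ID is absent. The identity payload is constructed here in the JSON:API shape Patreon's identity endpoint returns, with the user ID nested under `data.id`; the exact field the real library mis-read is not stated on this page.

```javascript
// Added illustration, not code from the advisory or the affected library.
// Shows how an OAuth profile mapper that fails to read a per-user ID
// collapses every provider user into one local identity, beside the fix.

// Constructed sample in the JSON:API shape Patreon's identity endpoint uses:
// the user ID lives at data.id, not at the top level of the document.
function constructedPatreonIdentity(id, email, fullName) {
  return { data: { id, type: "user", attributes: { email, full_name: fullName } } };
}

// Hypothetical vulnerable mapper: reads profile.id, which is undefined here,
// so every user yields the string "undefined" and shares one local account.
function vulnerableMapProfile(profile) {
  return {
    id: String(profile.id),
    email: profile.data?.attributes?.email,
    name: profile.data?.attributes?.full_name,
  };
}

// Hardened mapper: use the provider's stable per-user ID (never a display
// attribute such as email or name) and fail closed if it is missing, rather
// than letting a missing value silently become a shared identity.
function fixedMapProfile(profile) {
  const id = profile?.data?.id;
  if (typeof id !== "string" || id.length === 0) {
    throw new Error("patreon profile has no data.id; refusing to map identity");
  }
  return {
    id,
    email: profile.data.attributes?.email,
    name: profile.data.attributes?.full_name,
  };
}

// Minimal local account store keyed by "provider:providerAccountId".
// Namespacing by provider keeps a Patreon ID from colliding with an
// identically numbered ID issued by a different provider.
function makeStore() {
  return { accounts: new Map(), nextUserId: 1 };
}

function signIn(store, provider, profile, mapProfile) {
  const mapped = mapProfile(profile);
  const key = `${provider}:${mapped.id}`;
  let localUserId = store.accounts.get(key);
  if (localUserId === undefined) {
    localUserId = store.nextUserId++;
    store.accounts.set(key, localUserId);
  }
  return localUserId;
}

// Two unrelated Patreon users sign in under the given mapper; returns the
// local user IDs each one ends up with.
function demo(mapProfile) {
  const store = makeStore();
  const alice = constructedPatreonIdentity("1001", "alice@example.com", "Alice");
  const bob = constructedPatreonIdentity("2002", "bob@example.com", "Bob");
  return [
    signIn(store, "patreon", alice, mapProfile),
    signIn(store, "patreon", bob, mapProfile),
  ];
}

// demo(vulnerableMapProfile) -> both users get local user 1 (collision)
// demo(fixedMapProfile)      -> [1, 2] (distinct accounts)
```

The check that matters in review is the one in `fixedMapProfile`: a mapper that tolerates a missing provider ID will eventually map many users to the same fallback value, and that fallback becomes the shared account.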
Business impact
Merging unrelated user accounts is a direct threat to data integrity and privacy. Rated CVSS 9.1, the flaw allows any Patreon user to read and modify data belonging to every other Patreon user of the application, lets a standard user inherit administrative permissions if the shared identity holds them, and exposes subscription state across users. The likely consequences are reputational damage and compliance failures.
Remediation
Immediate Action: Update the auth library to a fixed release, 1.25.2 or 2.1.2 depending on which release line you run, so that the local user ID is derived from a unique per-user Patreon identifier.
Proactive Monitoring: Review authentication and access logs for a single local user ID that is reached through multiple distinct Patreon account IDs or email addresses, or that holds concurrent sessions from unrelated clients; that pattern is the signature of the collision.
Compensating Controls: If immediate patching is not feasible, temporarily disable Patreon-based authentication to prevent further account merging. Upgrading changes how new logins are mapped but does not by itself separate accounts that have already been merged, so plan to invalidate sessions bound to the shared local identity and re-link affected users after the update.
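The monitoring step above can be turned into a scan over sign-in audit records. The following added example (not from the advisory or the library; the log schema, field names and log lines are constructed for this page) parses JSON sign-in events and flags any local user ID that was reached through more than one distinct email or provider account ID, or whose provider account ID looks like a failed derivation (empty, "undefined" or "null"). Adapt the field names to your own audit log.

```javascript
// Added detection example, not part of the advisory or the library.
// Flags local user IDs that show the identity-collision pattern in
// constructed sign-in audit lines (one JSON object per line).

// Constructed sample log: u-1 is reached by three different Patreon users,
// all carrying a sentinel provider account ID; u-2 is a healthy account;
// u-3 belongs to another provider and is out of scope; one line is malformed.
const constructedLogText = [
  '{"ts":"2026-01-15T10:00:00Z","event":"signin","provider":"patreon","localUserId":"u-1","providerAccountId":"undefined","email":"alice@example.com","ip":"203.0.113.5"}',
  '{"ts":"2026-01-15T10:02:00Z","event":"signin","provider":"patreon","localUserId":"u-1","providerAccountId":"undefined","email":"bob@example.com","ip":"198.51.100.7"}',
  '{"ts":"2026-01-15T10:05:00Z","event":"signin","provider":"patreon","localUserId":"u-2","providerAccountId":"3003","email":"carol@example.com","ip":"192.0.2.9"}',
  '{"ts":"2026-01-15T11:05:00Z","event":"signin","provider":"patreon","localUserId":"u-2","providerAccountId":"3003","email":"Carol@example.com","ip":"192.0.2.9"}',
  '{"ts":"2026-01-15T11:09:00Z","event":"signin","provider":"patreon","localUserId":"u-1","providerAccountId":"undefined","email":"dave@example.com","ip":"203.0.113.77"}',
  '{"ts":"2026-01-15T11:10:00Z","event":"signin","provider":"github","localUserId":"u-3","providerAccountId":"g-77","email":"erin@example.com","ip":"192.0.2.30"}',
  'this line is not JSON and must be skipped',
].join("\n");

// Provider account IDs that indicate the ID was never actually derived.
const SENTINEL_ACCOUNT_IDS = new Set(["", "undefined", "null", "NaN"]);

// Parse newline-delimited JSON, keeping only sign-in events and skipping
// anything malformed so one bad line cannot abort the whole scan.
function parseSigninEvents(text) {
  const events = [];
  for (const line of text.split("\n")) {
    const trimmed = line.trim();
    if (!trimmed) continue;
    try {
      const ev = JSON.parse(trimmed);
      if (ev && ev.event === "signin") events.push(ev);
    } catch {
      // malformed line: skipped deliberately
    }
  }
  return events;
}

// Group sign-ins by local user ID for one provider and report any local
// identity that was reached by more than one distinct email or provider
// account ID, or whose provider account ID is a sentinel value.
function findCollidedIdentities(events, provider = "patreon") {
  const byUser = new Map();
  for (const ev of events) {
    if (ev.provider !== provider) continue;
    let rec = byUser.get(ev.localUserId);
    if (!rec) {
      rec = { providerAccountIds: new Set(), emails: new Set(), signins: 0 };
      byUser.set(ev.localUserId, rec);
    }
    rec.providerAccountIds.add(String(ev.providerAccountId));
    if (typeof ev.email === "string") rec.emails.add(ev.email.toLowerCase());
    rec.signins += 1;
  }

  const findings = [];
  for (const [localUserId, rec] of byUser) {
    const reasons = [];
    if (rec.emails.size > 1) reasons.push(`${rec.emails.size} distinct emails`);
    if (rec.providerAccountIds.size > 1) {
      reasons.push(`${rec.providerAccountIds.size} distinct provider account IDs`);
    }
    for (const id of rec.providerAccountIds) {
      if (SENTINEL_ACCOUNT_IDS.has(id)) reasons.push(`sentinel provider account ID "${id}"`);
    }
    if (reasons.length > 0) {
      findings.push({
        localUserId,
        signins: rec.signins,
        emails: [...rec.emails],
        providerAccountIds: [...rec.providerAccountIds],
        reasons,
      });
    }
  }
  return findings;
}

// Usage: one finding, for u-1, with three distinct emails.
const findings = findCollidedIdentities(parseSigninEvents(constructedLogText));
```

Emails are lower-cased before comparison so that case variants of one address are not mistaken for a collision, and the other provider's events are excluded so that a genuine multi-provider user is not reported under a Patreon-specific check.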
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the severity of this identity-collision flaw, organizations that use the auth library with the Patreon provider must prioritize the update. Until it is applied, every Patreon login lands in the same local account, so any Patreon user can act as any other and account data cannot be trusted to belong to the user who created it.