Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    30 vulnerabilities by better-auth

    CVE-2026-53518 (GCVE-0-2026-53518)

    Vulnerability from nvd – Published: 2026-07-15 17:17 – Updated: 2026-07-15 18:07
    VLAI
    Title
    Better Auth OAuth Provider: Race Condition in Authorization Code Exchange Enables Multi-Use Code Redemption
    Summary
    Better Auth is an authentication and authorization library for TypeScript. From 1.6.0 until 1.6.11, the @better-auth/oauth-provider POST /oauth2/token endpoint for the authorization_code grant redeems a single-use authorization code through a non-atomic find-then-delete sequence, allowing two concurrent requests to pass the read step and mint independent access tokens, refresh tokens, and ID tokens; legacy /oauth2/token and /mcp/token paths in oidc-provider and mcp plugins share the same primitive. This issue is fixed in version 1.6.11.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
    • CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
    Assigner
    Impacted products
    Vendor Product Version
    better-auth better-auth Affected: >= 1.6.0, < 1.6.11
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-53518",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T18:07:40.302581Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T18:07:49.190Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "better-auth",
              "vendor": "better-auth",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.6.0, \u003c 1.6.11"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Better Auth is an authentication and authorization library for TypeScript. From 1.6.0 until 1.6.11, the @better-auth/oauth-provider POST /oauth2/token endpoint for the authorization_code grant redeems a single-use authorization code through a non-atomic find-then-delete sequence, allowing two concurrent requests to pass the read step and mint independent access tokens, refresh tokens, and ID tokens; legacy /oauth2/token and /mcp/token paths in oidc-provider and mcp plugins share the same primitive. This issue is fixed in version 1.6.11."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-362",
                  "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-367",
                  "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T17:17:06.410Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/better-auth/better-auth/security/advisories/GHSA-7w99-5wm4-3g79",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-7w99-5wm4-3g79"
            },
            {
              "name": "https://github.com/better-auth/better-auth/commit/b4bc65a007784b2eb0efb459e5fa6fd8055d3ec9",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/commit/b4bc65a007784b2eb0efb459e5fa6fd8055d3ec9"
            },
            {
              "name": "https://github.com/better-auth/better-auth/releases/tag/v1.6.11",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/releases/tag/v1.6.11"
            }
          ],
          "source": {
            "advisory": "GHSA-7w99-5wm4-3g79",
            "discovery": "UNKNOWN"
          },
          "title": "Better Auth OAuth Provider: Race Condition in Authorization Code Exchange Enables Multi-Use Code Redemption"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-53518",
        "datePublished": "2026-07-15T17:17:06.410Z",
        "dateReserved": "2026-06-09T17:30:33.456Z",
        "dateUpdated": "2026-07-15T18:07:49.190Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-53517 (GCVE-0-2026-53517)

    Vulnerability from nvd – Published: 2026-07-15 17:33 – Updated: 2026-07-15 19:21
    VLAI
    Title
    Better Auth OAuth Provider: Refresh Token Rotation Race Condition Allows Concurrent Replay and Token Family Forking
    Summary
    Better Auth is an authentication and authorization library for TypeScript. From 1.4.8-beta.7 until 1.6.11, the @better-auth/oauth-provider POST /oauth2/token endpoint on the refresh_token grant performs a non-atomic read, validate, revoke, and mint sequence on the oauthRefreshToken row, allowing concurrent requests with the same parent refresh token to pass the revoked check and create forked refresh-token families; the vulnerable range also includes embedded better-auth plugin versions before 1.6.0. This issue is fixed in version 1.6.11.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
    • CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
    Assigner
    Impacted products
    Vendor Product Version
    better-auth better-auth Affected: >= 1.4.8-beta.7, < 1.6.0
    Create a notification for this product.
    @better-auth oauth-provider Affected: >= 1.6.0, < 1.6.11
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-53517",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T19:20:42.640935Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T19:21:22.553Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "better-auth",
              "vendor": "better-auth",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.4.8-beta.7, \u003c 1.6.0"
                }
              ]
            },
            {
              "product": "oauth-provider",
              "vendor": "@better-auth",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.6.0, \u003c 1.6.11"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Better Auth is an authentication and authorization library for TypeScript. From 1.4.8-beta.7 until 1.6.11, the @better-auth/oauth-provider POST /oauth2/token endpoint on the refresh_token grant performs a non-atomic read, validate, revoke, and mint sequence on the oauthRefreshToken row, allowing concurrent requests with the same parent refresh token to pass the revoked check and create forked refresh-token families; the vulnerable range also includes embedded better-auth plugin versions before 1.6.0. This issue is fixed in version 1.6.11."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-362",
                  "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-367",
                  "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T17:33:38.943Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/better-auth/better-auth/security/advisories/GHSA-392p-2q2v-4372",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-392p-2q2v-4372"
            },
            {
              "name": "https://github.com/better-auth/better-auth/commit/c6918ecc9e3a75892169415d7f6c95b591b6a52d",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/commit/c6918ecc9e3a75892169415d7f6c95b591b6a52d"
            },
            {
              "name": "https://github.com/better-auth/better-auth/releases/tag/v1.6.11",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/releases/tag/v1.6.11"
            }
          ],
          "source": {
            "advisory": "GHSA-392p-2q2v-4372",
            "discovery": "UNKNOWN"
          },
          "title": "Better Auth OAuth Provider: Refresh Token Rotation Race Condition Allows Concurrent Replay and Token Family Forking"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-53517",
        "datePublished": "2026-07-15T17:33:38.943Z",
        "dateReserved": "2026-06-09T17:30:33.456Z",
        "dateUpdated": "2026-07-15T19:21:22.553Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-53516 (GCVE-0-2026-53516)

    Vulnerability from nvd – Published: 2026-07-15 17:13 – Updated: 2026-07-15 17:52
    VLAI
    Title
    Better Auth: Account takeover via OAuth auto-link to unverified pre-registered email
    Summary
    Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, Better Auth's OAuth callback auto-link gate in handleOAuthUserInfo accepts implicit account linking when the OAuth provider asserts email_verified: true without requiring the local user row's emailVerified field to also be true, allowing an attacker who pre-registers a victim email through /sign-up/email to bind the victim's OAuth identity to the attacker's account. The same primitive affects one-tap, and emailAndPassword.requireEmailVerification: true does not mitigate the link-time verification change. This issue is fixed in version 1.6.11.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    • CWE-345 - Insufficient Verification of Data Authenticity
    Assigner
    Impacted products
    Vendor Product Version
    better-auth better-auth Affected: < 1.6.11
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-53516",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T17:51:30.733244Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T17:52:35.572Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "better-auth",
              "vendor": "better-auth",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.6.11"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, Better Auth\u0027s OAuth callback auto-link gate in handleOAuthUserInfo accepts implicit account linking when the OAuth provider asserts email_verified: true without requiring the local user row\u0027s emailVerified field to also be true, allowing an attacker who pre-registers a victim email through /sign-up/email to bind the victim\u0027s OAuth identity to the attacker\u0027s account. The same primitive affects one-tap, and emailAndPassword.requireEmailVerification: true does not mitigate the link-time verification change. This issue is fixed in version 1.6.11."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "CWE-345: Insufficient Verification of Data Authenticity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T17:13:16.431Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/better-auth/better-auth/security/advisories/GHSA-g38m-r43w-p2q7",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-g38m-r43w-p2q7"
            },
            {
              "name": "https://github.com/better-auth/better-auth/pull/9578",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/pull/9578"
            },
            {
              "name": "https://github.com/better-auth/better-auth/commit/da7e50beee849c59a2ed1ec6b3a38cc6ab9fb563",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/commit/da7e50beee849c59a2ed1ec6b3a38cc6ab9fb563"
            },
            {
              "name": "https://github.com/better-auth/better-auth/releases/tag/v1.6.11",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/releases/tag/v1.6.11"
            }
          ],
          "source": {
            "advisory": "GHSA-g38m-r43w-p2q7",
            "discovery": "UNKNOWN"
          },
          "title": "Better Auth: Account takeover via OAuth auto-link to unverified pre-registered email"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-53516",
        "datePublished": "2026-07-15T17:13:16.431Z",
        "dateReserved": "2026-06-09T17:30:33.456Z",
        "dateUpdated": "2026-07-15T17:52:35.572Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-53515 (GCVE-0-2026-53515)

    Vulnerability from nvd – Published: 2026-07-15 17:27 – Updated: 2026-07-15 19:30
    VLAI
    Title
    Better Auth: Privilege escalation via SSO provider registration: missing admin role check in @better-auth/sso
    Summary
    Better Auth is an authentication and authorization library for TypeScript. From 1.2.10 until 1.6.11, the @better-auth/sso plugin's POST /sso/register endpoint lets any organization member attach a new SSO provider to that organization because registerSSOProvider checks only for a membership row and does not require an owner or admin role, allowing attacker-controlled OIDC or SAML providers to drive /sso/callback/{providerId} organization provisioning. This issue is fixed in version 1.6.11.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    • CWE-285 - Improper Authorization
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Vendor Product Version
    better-auth better-auth Affected: >= 1.2.10, < 1.6.11
    Create a notification for this product.
    @better-auth sso Affected: >= 1.2.10, < 1.6.11
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-53515",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T19:29:56.598355Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T19:30:08.165Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "better-auth",
              "vendor": "better-auth",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.2.10, \u003c 1.6.11"
                }
              ]
            },
            {
              "product": "sso",
              "vendor": "@better-auth",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.2.10, \u003c 1.6.11"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Better Auth is an authentication and authorization library for TypeScript. From 1.2.10 until 1.6.11, the @better-auth/sso plugin\u0027s POST /sso/register endpoint lets any organization member attach a new SSO provider to that organization because registerSSOProvider checks only for a membership row and does not require an owner or admin role, allowing attacker-controlled OIDC or SAML providers to drive /sso/callback/{providerId} organization provisioning. This issue is fixed in version 1.6.11."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269: Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285: Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T17:27:00.291Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/better-auth/better-auth/security/advisories/GHSA-gv74-j8m3-fg5f",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-gv74-j8m3-fg5f"
            },
            {
              "name": "https://github.com/better-auth/better-auth/pull/9220",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/pull/9220"
            },
            {
              "name": "https://github.com/better-auth/better-auth/commit/86765f1597378f5c3deed1b80ca91faac0a6bf00",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/commit/86765f1597378f5c3deed1b80ca91faac0a6bf00"
            },
            {
              "name": "https://github.com/better-auth/better-auth/releases/tag/v1.6.11",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/releases/tag/v1.6.11"
            }
          ],
          "source": {
            "advisory": "GHSA-gv74-j8m3-fg5f",
            "discovery": "UNKNOWN"
          },
          "title": "Better Auth: Privilege escalation via SSO provider registration: missing admin role check in @better-auth/sso"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-53515",
        "datePublished": "2026-07-15T17:27:00.291Z",
        "dateReserved": "2026-06-09T17:30:33.456Z",
        "dateUpdated": "2026-07-15T19:30:08.165Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-53514 (GCVE-0-2026-53514)

    Vulnerability from nvd – Published: 2026-07-15 17:30 – Updated: 2026-07-15 17:30
    VLAI
    Title
    Better Auth: Unauthorized invitation acceptance via unverified email match in organization plugin
    Summary
    Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, and in 1.6.14 and later when invitation IDs can be obtained outside the invited mailbox and requireEmailVerificationOnInvitation: true is not enabled, the organization plugin's acceptInvitation, rejectInvitation, getInvitation, and listUserInvitations recipient endpoints use session.user.email and an invitation ID without sufficient verified-email ownership proof, allowing a user with an unverified session for the invited email address to accept an organization invitation after obtaining the invitation ID. This issue is fixed for the original default behavior in version 1.6.11, while 1.6.14 restored compatibility for built-in opaque invitation IDs and leaves affected configurations requiring secure options.
    CWE
    • CWE-287 - Improper Authentication
    • CWE-345 - Insufficient Verification of Data Authenticity
    • CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')
    • CWE-862 - Missing Authorization
    Assigner
    Impacted products
    Vendor Product Version
    better-auth better-auth Affected: < 1.6.11
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "better-auth",
              "vendor": "better-auth",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.6.11"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, and in 1.6.14 and later when invitation IDs can be obtained outside the invited mailbox and requireEmailVerificationOnInvitation: true is not enabled, the organization plugin\u0027s acceptInvitation, rejectInvitation, getInvitation, and listUserInvitations recipient endpoints use session.user.email and an invitation ID without sufficient verified-email ownership proof, allowing a user with an unverified session for the invited email address to accept an organization invitation after obtaining the invitation ID. This issue is fixed for the original default behavior in version 1.6.11, while 1.6.14 restored compatibility for built-in opaque invitation IDs and leaves affected configurations requiring secure options."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "CWE-345: Insufficient Verification of Data Authenticity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-441",
                  "description": "CWE-441: Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T17:30:46.069Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/better-auth/better-auth/security/advisories/GHSA-fmh4-wcc4-5jm3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-fmh4-wcc4-5jm3"
            },
            {
              "name": "https://github.com/better-auth/better-auth/pull/9577",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/pull/9577"
            },
            {
              "name": "https://github.com/better-auth/better-auth/commit/23094a628f007f801be6d26e5b15dc5fc6fc4eb8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/commit/23094a628f007f801be6d26e5b15dc5fc6fc4eb8"
            },
            {
              "name": "https://github.com/better-auth/better-auth/releases/tag/v1.6.11",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/releases/tag/v1.6.11"
            }
          ],
          "source": {
            "advisory": "GHSA-fmh4-wcc4-5jm3",
            "discovery": "UNKNOWN"
          },
          "title": "Better Auth: Unauthorized invitation acceptance via unverified email match in organization plugin"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-53514",
        "datePublished": "2026-07-15T17:30:46.069Z",
        "dateReserved": "2026-06-09T17:30:33.456Z",
        "dateUpdated": "2026-07-15T17:30:46.069Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-53513 (GCVE-0-2026-53513)

    Vulnerability from nvd – Published: 2026-07-15 17:15 – Updated: 2026-07-15 19:29
    VLAI
    Title
    Better Auth: Server-side request forgery via unvalidated OIDC endpoints on @better-auth/sso provider registration
    Summary
    Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, the @better-auth/sso plugin's POST /sso/register and POST /sso/update-provider endpoints accept attacker-controlled oidcConfig.userInfoEndpoint, tokenEndpoint, and jwksEndpoint URLs when skipDiscovery: true is set, store them on the ssoProvider row without origin validation, and fetch them during OIDC callback, allowing non-blind server-side request forgery and possible account linking when trustEmailVerified: true is configured. This issue is fixed in version 1.6.11.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    • CWE-345 - Insufficient Verification of Data Authenticity
    • CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    better-auth better-auth Affected: >= 0.1.0, < 1.6.11
    Create a notification for this product.
    @better-auth sso Affected: >= 0.1.0, < 1.6.11
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-53513",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T19:28:52.542592Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T19:29:02.266Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "better-auth",
              "vendor": "better-auth",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.1.0, \u003c 1.6.11"
                }
              ]
            },
            {
              "product": "sso",
              "vendor": "@better-auth",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.1.0, \u003c 1.6.11"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, the @better-auth/sso plugin\u0027s POST /sso/register and POST /sso/update-provider endpoints accept attacker-controlled oidcConfig.userInfoEndpoint, tokenEndpoint, and jwksEndpoint URLs when skipDiscovery: true is set, store them on the ssoProvider row without origin validation, and fetch them during OIDC callback, allowing non-blind server-side request forgery and possible account linking when trustEmailVerified: true is configured. This issue is fixed in version 1.6.11."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 9.6,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "CWE-345: Insufficient Verification of Data Authenticity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-441",
                  "description": "CWE-441: Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T17:15:59.611Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/better-auth/better-auth/security/advisories/GHSA-5rr4-8452-hf4v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-5rr4-8452-hf4v"
            },
            {
              "name": "https://github.com/better-auth/better-auth/pull/9574",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/pull/9574"
            },
            {
              "name": "https://github.com/better-auth/better-auth/commit/37f60cb176cb53147da7dfd5ec15afa5b486e81e",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/commit/37f60cb176cb53147da7dfd5ec15afa5b486e81e"
            },
            {
              "name": "https://github.com/better-auth/better-auth/releases/tag/v1.6.11",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/releases/tag/v1.6.11"
            }
          ],
          "source": {
            "advisory": "GHSA-5rr4-8452-hf4v",
            "discovery": "UNKNOWN"
          },
          "title": "Better Auth: Server-side request forgery via unvalidated OIDC endpoints on @better-auth/sso provider registration"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-53513",
        "datePublished": "2026-07-15T17:15:59.611Z",
        "dateReserved": "2026-06-09T17:30:33.455Z",
        "dateUpdated": "2026-07-15T19:29:02.266Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-53512 (GCVE-0-2026-53512)

    Vulnerability from nvd – Published: 2026-07-15 17:18 – Updated: 2026-07-15 17:18
    VLAI
    Title
    Better Auth: OAuth refresh-token replay via missing client authentication on oidc-provider and mcp plugins
    Summary
    Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, the legacy oidcProvider and mcp plugins expose OAuth token endpoints whose refresh_token grant authenticates only possession of the bound refreshToken row and matching client_id, without verifying the confidential client's client_secret, allowing an attacker with a valid refresh_token to mint access tokens and rotated refresh tokens through /api/auth/oauth2/token or /api/auth/mcp/token. The @better-auth/oauth-provider package is not affected. This issue is fixed in version 1.6.11.
    CWE
    • CWE-287 - Improper Authentication
    • CWE-306 - Missing Authentication for Critical Function
    • CWE-345 - Insufficient Verification of Data Authenticity
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Vendor Product Version
    better-auth better-auth Affected: < 1.6.11
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "better-auth",
              "vendor": "better-auth",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.6.11"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, the legacy oidcProvider and mcp plugins expose OAuth token endpoints whose refresh_token grant authenticates only possession of the bound refreshToken row and matching client_id, without verifying the confidential client\u0027s client_secret, allowing an attacker with a valid refresh_token to mint access tokens and rotated refresh tokens through /api/auth/oauth2/token or /api/auth/mcp/token. The @better-auth/oauth-provider package is not affected. This issue is fixed in version 1.6.11."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306: Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "CWE-345: Insufficient Verification of Data Authenticity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T17:18:09.512Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/better-auth/better-auth/security/advisories/GHSA-pw9m-5jxm-xr6h",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-pw9m-5jxm-xr6h"
            },
            {
              "name": "https://github.com/better-auth/better-auth/pull/9576",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/pull/9576"
            },
            {
              "name": "https://github.com/better-auth/better-auth/commit/1f2ff4215c4affff0b140b0c0a712c0dde35659c",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/commit/1f2ff4215c4affff0b140b0c0a712c0dde35659c"
            },
            {
              "name": "https://github.com/better-auth/better-auth/releases/tag/v1.6.11",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/releases/tag/v1.6.11"
            }
          ],
          "source": {
            "advisory": "GHSA-pw9m-5jxm-xr6h",
            "discovery": "UNKNOWN"
          },
          "title": "Better Auth: OAuth refresh-token replay via missing client authentication on oidc-provider and mcp plugins"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-53512",
        "datePublished": "2026-07-15T17:18:09.512Z",
        "dateReserved": "2026-06-09T17:30:33.455Z",
        "dateUpdated": "2026-07-15T17:18:09.512Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-45337 (GCVE-0-2026-45337)

    Vulnerability from nvd – Published: 2026-07-15 17:31 – Updated: 2026-07-15 18:02
    VLAI
    Title
    Better Auth: Device authorization approve and deny accept any authenticated session while the user code is pending
    Summary
    Better Auth is an authentication and authorization library for TypeScript. From 1.6.0 until 1.6.11, the deviceAuthorization plugin treats any authenticated session as the owner of any pending device code because GET /device does not claim the row and POST /device/approve and POST /device/deny short-circuit when userId is unset, allowing an authenticated attacker who learns a valid user_code to bind the polling device to the attacker's account or deny the legitimate flow. This issue is fixed in version 1.6.11.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-285 - Improper Authorization
    • CWE-345 - Insufficient Verification of Data Authenticity
    Assigner
    Impacted products
    Vendor Product Version
    better-auth better-auth Affected: >= 1.6.0, < 1.6.11
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-45337",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T18:02:43.206553Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T18:02:58.506Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "better-auth",
              "vendor": "better-auth",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.6.0, \u003c 1.6.11"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Better Auth is an authentication and authorization library for TypeScript. From 1.6.0 until 1.6.11, the deviceAuthorization plugin treats any authenticated session as the owner of any pending device code because GET /device does not claim the row and POST /device/approve and POST /device/deny short-circuit when userId is unset, allowing an authenticated attacker who learns a valid user_code to bind the polling device to the attacker\u0027s account or deny the legitimate flow. This issue is fixed in version 1.6.11."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285: Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "CWE-345: Insufficient Verification of Data Authenticity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T17:31:44.983Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/better-auth/better-auth/security/advisories/GHSA-cq3f-vc6p-68fh",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-cq3f-vc6p-68fh"
            },
            {
              "name": "https://github.com/better-auth/better-auth/pull/9573",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/pull/9573"
            },
            {
              "name": "https://github.com/better-auth/better-auth/commit/99a254a79b59d5a3f5ca2123260118cddb5beed7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/commit/99a254a79b59d5a3f5ca2123260118cddb5beed7"
            },
            {
              "name": "https://github.com/better-auth/better-auth/releases/tag/v1.6.11",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/releases/tag/v1.6.11"
            }
          ],
          "source": {
            "advisory": "GHSA-cq3f-vc6p-68fh",
            "discovery": "UNKNOWN"
          },
          "title": "Better Auth: Device authorization approve and deny accept any authenticated session while the user code is pending"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-45337",
        "datePublished": "2026-07-15T17:31:44.983Z",
        "dateReserved": "2026-05-11T21:40:08.176Z",
        "dateUpdated": "2026-07-15T18:02:58.506Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15527 (GCVE-0-2026-15527)

    Vulnerability from nvd – Published: 2026-07-13 03:00 – Updated: 2026-07-13 19:26
    VLAI
    Title
    better-auth better-icons scan_project_icons/sync_icon path traversal
    Summary
    A vulnerability has been found in better-auth better-icons up to 1.0.5. This vulnerability affects unknown code of the component scan_project_icons/sync_icon. Such manipulation of the argument icons_file leads to path traversal. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    better-auth better-icons Affected: 1.0.0
    Affected: 1.0.1
    Affected: 1.0.2
    Affected: 1.0.3
    Affected: 1.0.4
    Affected: 1.0.5
        cpe:2.3:a:better-auth:better-icons:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Mcfly_Zhang (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-15527",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-13T19:24:54.395119Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-13T19:26:34.337Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:better-auth:better-icons:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "scan_project_icons/sync_icon"
              ],
              "product": "better-icons",
              "vendor": "better-auth",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0.0"
                },
                {
                  "status": "affected",
                  "version": "1.0.1"
                },
                {
                  "status": "affected",
                  "version": "1.0.2"
                },
                {
                  "status": "affected",
                  "version": "1.0.3"
                },
                {
                  "status": "affected",
                  "version": "1.0.4"
                },
                {
                  "status": "affected",
                  "version": "1.0.5"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Mcfly_Zhang (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability has been found in better-auth better-icons up to 1.0.5. This vulnerability affects unknown code of the component scan_project_icons/sync_icon. Such manipulation of the argument icons_file leads to path traversal. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 4.3,
                "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "Path Traversal",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T03:00:08.811Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377865 | better-auth better-icons scan_project_icons/sync_icon path traversal",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377865"
            },
            {
              "name": "VDB-377865 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377865/cti"
            },
            {
              "name": "CVE-2026-15527 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15527"
            },
            {
              "name": "Submit #854530 | better-auth better-icons 1.0.5 Code Injection",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/854530"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/better-auth/better-icons/issues/18"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/better-auth/better-icons/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-12T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-12T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-12T14:56:41.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "better-auth better-icons scan_project_icons/sync_icon path traversal"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15527",
        "datePublished": "2026-07-13T03:00:08.811Z",
        "dateReserved": "2026-07-12T12:51:37.994Z",
        "dateUpdated": "2026-07-13T19:26:34.337Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-45364 (GCVE-0-2026-45364)

    Vulnerability from nvd – Published: 2026-05-28 21:34 – Updated: 2026-05-29 19:05
    VLAI
    Title
    Better Auth: Rate limiter keys IPv6 addresses individually and is bypassable via prefix rotation
    Summary
    Better Auth is an authentication and authorization library for TypeScript. Prior to 1.4.17 and 1.5.0-beta.9, Better Auth's HTTP rate limiter keyed each request by the exact textual IP address it received in x-forwarded-for (or the configured IP-bearing header). IPv6 clients controlling a typical /64 allocation could rotate through 2^64 distinct source addresses without exhausting the per-address counter, defeating rate limiting on /sign-in/email, /sign-up/email, /forget-password, and every other path the limiter protects. The same bug allowed a single client to vary the textual encoding of one IPv6 address (uppercase, compression, IPv4-mapped, hex-encoded IPv4-in-IPv6) and produce multiple distinct keys. This vulnerability is fixed in 1.4.17 and 1.5.0-beta.9.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-307 - Improper Restriction of Excessive Authentication Attempts
    Assigner
    Impacted products
    Vendor Product Version
    better-auth better-auth Affected: < 1.4.17
    Affected: >= 1.5.0-beta.1, < 1.5.0-beta.9
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-45364",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-29T19:05:14.121201Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-29T19:05:38.845Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "better-auth",
              "vendor": "better-auth",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.4.17"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.5.0-beta.1, \u003c 1.5.0-beta.9"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Better Auth is an authentication and authorization library for TypeScript. Prior to 1.4.17 and 1.5.0-beta.9, Better Auth\u0027s HTTP rate limiter keyed each request by the exact textual IP address it received in x-forwarded-for (or the configured IP-bearing header). IPv6 clients controlling a typical /64 allocation could rotate through 2^64 distinct source addresses without exhausting the per-address counter, defeating rate limiting on /sign-in/email, /sign-up/email, /forget-password, and every other path the limiter protects. The same bug allowed a single client to vary the textual encoding of one IPv6 address (uppercase, compression, IPv4-mapped, hex-encoded IPv4-in-IPv6) and produce multiple distinct keys. This vulnerability is fixed in 1.4.17 and 1.5.0-beta.9."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-307",
                  "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-28T21:34:51.446Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/better-auth/better-auth/security/advisories/GHSA-p6v2-xcpg-h6xw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-p6v2-xcpg-h6xw"
            },
            {
              "name": "https://github.com/better-auth/better-auth/pull/7470",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/pull/7470"
            },
            {
              "name": "https://github.com/better-auth/better-auth/pull/7509",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/pull/7509"
            },
            {
              "name": "https://github.com/better-auth/better-auth/commit/43e719bcc0c223c7079fa0c611a9cf7ea1188254",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/commit/43e719bcc0c223c7079fa0c611a9cf7ea1188254"
            },
            {
              "name": "https://github.com/better-auth/better-auth/commit/57af0f7b910dcf7b1a5c0615d10b9bd56bb69bef",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/commit/57af0f7b910dcf7b1a5c0615d10b9bd56bb69bef"
            }
          ],
          "source": {
            "advisory": "GHSA-p6v2-xcpg-h6xw",
            "discovery": "UNKNOWN"
          },
          "title": "Better Auth: Rate limiter keys IPv6 addresses individually and is bypassable via prefix rotation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-45364",
        "datePublished": "2026-05-28T21:34:51.446Z",
        "dateReserved": "2026-05-12T00:51:29.085Z",
        "dateUpdated": "2026-05-29T19:05:38.845Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-41427 (GCVE-0-2026-41427)

    Vulnerability from nvd – Published: 2026-04-24 19:23 – Updated: 2026-04-27 13:42
    VLAI
    Title
    Better Auth OAuth 2.1 Provider: Unprivileged users can register OAuth clients
    Summary
    Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.5, the clientPrivileges option documents a create action, but the OAuth client creation endpoints did not invoke the hook before persisting new clients. Deployments that configured clientPrivileges to restrict client registration were not actually restricted — any authenticated user could reach the create endpoints and register an OAuth client with attacker-chosen redirect URIs and metadata. This vulnerability is fixed in 1.6.5.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    better-auth better-auth Affected: >= 1.4.8-beta.7, < 1.6.5
    Affected: >= 1.7.0-beta.0, <= 1.7.0-beta.1
    Create a notification for this product.
    better-auth oauth-provider Affected: >= 1.4.8-beta.7, < 1.6.5
    Affected: >= 1.7.0-beta.0, <= 1.7.0-beta.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41427",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-27T13:42:15.023332Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-27T13:42:23.885Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "better-auth",
              "vendor": "better-auth",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.4.8-beta.7, \u003c 1.6.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.7.0-beta.0, \u003c= 1.7.0-beta.1"
                }
              ]
            },
            {
              "product": "oauth-provider",
              "vendor": "better-auth",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.4.8-beta.7, \u003c 1.6.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.7.0-beta.0, \u003c= 1.7.0-beta.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.5, the clientPrivileges option documents a create action, but the OAuth client creation endpoints did not invoke the hook before persisting new clients. Deployments that configured clientPrivileges to restrict client registration were not actually restricted \u2014 any authenticated user could reach the create endpoints and register an OAuth client with attacker-chosen redirect URIs and metadata. This vulnerability is fixed in 1.6.5."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T19:23:20.161Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/better-auth/better-auth/security/advisories/GHSA-xr8f-h2gw-9xh6",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-xr8f-h2gw-9xh6"
            }
          ],
          "source": {
            "advisory": "GHSA-xr8f-h2gw-9xh6",
            "discovery": "UNKNOWN"
          },
          "title": "Better Auth OAuth 2.1 Provider: Unprivileged users can register OAuth clients"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41427",
        "datePublished": "2026-04-24T19:23:20.161Z",
        "dateReserved": "2026-04-20T15:32:33.814Z",
        "dateUpdated": "2026-04-27T13:42:23.885Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-61928 (GCVE-0-2025-61928)

    Vulnerability from nvd – Published: 2025-10-09 21:24 – Updated: 2025-10-10 14:23
    VLAI
    Title
    Better Auth: Unauthenticated API key creation through api-key plugin
    Summary
    Better Auth is an authentication and authorization library for TypeScript. In versions prior to 1.3.26, unauthenticated attackers can create or modify API keys for any user by passing that user's id in the request body to the `api/auth/api-key/create` route. `session?.user ?? (authRequired ? null : { id: ctx.body.userId })`. When no session exists but `userId` is present in the request body, `authRequired` becomes false and the user object is set to the attacker-controlled ID. Server-only field validation only executes when `authRequired` is true (lines 280-295), allowing attackers to set privileged fields. No additional authentication occurs before the database operation, so the malicious payload is accepted. The same pattern exists in the update endpoint. This is a critical authentication bypass enabling full an unauthenticated attacker can generate an API key for any user and immediately gain complete authenticated access. This allows the attacker to perform any action as the victim user using the api key, potentially compromise the user data and the application depending on the victim's privileges. Version 1.3.26 contains a patch for the issue.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-285 - Improper Authorization
    • CWE-306 - Missing Authentication for Critical Function
    Assigner
    References
    Impacted products
    Vendor Product Version
    better-auth better-auth Affected: < 1.3.26
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-61928",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-10T14:23:17.755463Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-10T14:23:23.158Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-99h5-pjcv-gr6v"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "better-auth",
              "vendor": "better-auth",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.3.26"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Better Auth is an authentication and authorization library for TypeScript. In versions prior to 1.3.26, unauthenticated attackers can create or modify API keys for any user by passing that user\u0027s id in the request body to the `api/auth/api-key/create` route. `session?.user ?? (authRequired ? null : { id: ctx.body.userId })`. When no session exists but `userId` is present in the request body, `authRequired` becomes false and the user object is set to the attacker-controlled ID. Server-only field validation only executes when `authRequired` is true (lines 280-295), allowing attackers to set privileged fields. No additional authentication occurs before the database operation, so the malicious payload is accepted. The same pattern exists in the update endpoint. This is a critical authentication bypass enabling full an unauthenticated attacker can generate an API key for any user and immediately gain complete authenticated access. This allows the attacker to perform any action as the victim user using the api key, potentially compromise the user data and the application depending on the victim\u0027s privileges. Version 1.3.26 contains a patch for the issue."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285: Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306: Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-09T21:24:37.541Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/better-auth/better-auth/security/advisories/GHSA-99h5-pjcv-gr6v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-99h5-pjcv-gr6v"
            },
            {
              "name": "https://github.com/better-auth/better-auth/commit/556085067609c508f8c546ceef9003ee8c607d39",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/commit/556085067609c508f8c546ceef9003ee8c607d39"
            }
          ],
          "source": {
            "advisory": "GHSA-99h5-pjcv-gr6v",
            "discovery": "UNKNOWN"
          },
          "title": "Better Auth: Unauthenticated API key creation through api-key plugin"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-61928",
        "datePublished": "2025-10-09T21:24:37.541Z",
        "dateReserved": "2025-10-03T22:21:59.616Z",
        "dateUpdated": "2025-10-10T14:23:23.158Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-53535 (GCVE-0-2025-53535)

    Vulnerability from nvd – Published: 2025-07-07 17:15 – Updated: 2025-07-07 17:48
    VLAI
    Title
    Better Auth has an Open Redirect Vulnerability in originCheck Middleware Affecting Multiple Routes
    Summary
    Better Auth is an authentication and authorization library for TypeScript. An open redirect has been found in the originCheck middleware function, which affects the following routes: /verify-email, /reset-password/:token, /delete-user/callback, /magic-link/verify, /oauth-proxy-callback. This vulnerability is fixed in 1.2.10.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
    Assigner
    References
    Impacted products
    Vendor Product Version
    better-auth better-auth Affected: < 1.2.10
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-53535",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-07T17:48:21.559840Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-07T17:48:36.223Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "better-auth",
              "vendor": "better-auth",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.2.10"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Better Auth is an authentication and authorization library for TypeScript. An open redirect has been found in the originCheck middleware function, which affects the following routes: /verify-email, /reset-password/:token, /delete-user/callback, /magic-link/verify, /oauth-proxy-callback. This vulnerability is fixed in 1.2.10."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 2.1,
                "baseSeverity": "LOW",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-07-07T17:15:52.027Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/better-auth/better-auth/security/advisories/GHSA-36rg-gfq2-3h56",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-36rg-gfq2-3h56"
            }
          ],
          "source": {
            "advisory": "GHSA-36rg-gfq2-3h56",
            "discovery": "UNKNOWN"
          },
          "title": "Better Auth has an Open Redirect Vulnerability in originCheck Middleware Affecting Multiple Routes"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-53535",
        "datePublished": "2025-07-07T17:15:52.027Z",
        "dateReserved": "2025-07-02T15:15:11.515Z",
        "dateUpdated": "2025-07-07T17:48:36.223Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-27143 (GCVE-0-2025-27143)

    Vulnerability from nvd – Published: 2025-02-24 22:16 – Updated: 2025-02-25 14:29
    VLAI
    Title
    Beter Auth has an Open Redirect via Scheme-Less Callback Parameter
    Summary
    Better Auth is an authentication and authorization library for TypeScript. Prior to version 1.1.21, the application is vulnerable to an open redirect due to improper validation of the callbackURL parameter in the email verification endpoint and any other endpoint that accepts callback url. While the server blocks fully qualified URLs, it incorrectly allows scheme-less URLs. This results in the browser interpreting the URL as a fully qualified URL, leading to unintended redirection. An attacker can exploit this flaw by crafting a malicious verification link and tricking users into clicking it. Upon successful email verification, the user will be automatically redirected to the attacker's website, which can be used for phishing, malware distribution, or stealing sensitive authentication tokens. This CVE is a bypass of the fix for GHSA-8jhw-6pjj-8723/CVE-2024-56734. Version 1.1.21 contains an updated patch.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
    Assigner
    Impacted products
    Vendor Product Version
    better-auth better-auth Affected: < 1.1.20
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-27143",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-25T14:28:45.798053Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-25T14:29:03.293Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "better-auth",
              "vendor": "better-auth",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.1.20"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Better Auth is an authentication and authorization library for TypeScript. Prior to version 1.1.21, the application is vulnerable to an open redirect due to improper validation of the callbackURL parameter in the email verification endpoint and any other endpoint that accepts callback url. While the server blocks fully qualified URLs, it incorrectly allows scheme-less URLs. This results in the browser interpreting the URL as a fully qualified URL, leading to unintended redirection. An attacker can exploit this flaw by crafting a malicious verification link and tricking users into clicking it. Upon successful email verification, the user will be automatically redirected to the attacker\u0027s website, which can be used for phishing, malware distribution, or stealing sensitive authentication tokens. This CVE is a bypass of the fix for GHSA-8jhw-6pjj-8723/CVE-2024-56734. Version 1.1.21 contains an updated patch."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-24T22:16:55.224Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/better-auth/better-auth/security/advisories/GHSA-hjpm-7mrm-26w8",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-hjpm-7mrm-26w8"
            },
            {
              "name": "https://github.com/better-auth/better-auth/security/advisories/GHSA-8jhw-6pjj-8723",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-8jhw-6pjj-8723"
            },
            {
              "name": "https://github.com/better-auth/better-auth/commit/24659aefc35a536b95ea4e5347e52c8803910153",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/commit/24659aefc35a536b95ea4e5347e52c8803910153"
            },
            {
              "name": "https://github.com/better-auth/better-auth/commit/b381cac7aafd6aa53ef78b6ab771ebfa24643c80",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/commit/b381cac7aafd6aa53ef78b6ab771ebfa24643c80"
            },
            {
              "name": "https://github.com/better-auth/better-auth/releases/tag/v1.1.21",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/releases/tag/v1.1.21"
            }
          ],
          "source": {
            "advisory": "GHSA-hjpm-7mrm-26w8",
            "discovery": "UNKNOWN"
          },
          "title": "Beter Auth has an Open Redirect via Scheme-Less Callback Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-27143",
        "datePublished": "2025-02-24T22:16:55.224Z",
        "dateReserved": "2025-02-19T16:30:47.777Z",
        "dateUpdated": "2025-02-25T14:29:03.293Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-56734 (GCVE-0-2024-56734)

    Vulnerability from nvd – Published: 2024-12-30 16:48 – Updated: 2024-12-30 17:36
    VLAI
    Title
    Better Auth has an Open Redirect Vulnerability in Verify Email Endpoint
    Summary
    Better Auth is an authentication library for TypeScript. An open redirect vulnerability has been identified in the verify email endpoint of all versions of Better Auth prior to v1.1.6, potentially allowing attackers to redirect users to malicious websites. This issue affects users relying on email verification links generated by the library. The verify email callback endpoint accepts a `callbackURL` parameter. Unlike other verification methods, email verification only uses JWT to verify and redirect without proper validation of the target domain. The origin checker is bypassed in this scenario because it only checks for `POST` requests. An attacker can manipulate this parameter to redirect users to arbitrary URLs controlled by the attacker. Version 1.1.6 contains a patch for the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
    Assigner
    References
    Impacted products
    Vendor Product Version
    better-auth better-auth Affected: < 1.1.5
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-56734",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-30T17:36:35.899354Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-30T17:36:51.332Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "better-auth",
              "vendor": "better-auth",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.1.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Better Auth is an authentication library for TypeScript. An open redirect vulnerability has been identified in the verify email endpoint of all versions of Better Auth prior to v1.1.6, potentially allowing attackers to redirect users to malicious websites. This issue affects users relying on email verification links generated by the library. The verify email callback endpoint accepts a `callbackURL` parameter. Unlike other verification methods, email verification only uses JWT to verify and redirect without proper validation of the target domain. The origin checker is bypassed in this scenario because it only checks for `POST` requests. An attacker can manipulate this parameter to redirect users to arbitrary URLs controlled by the attacker. Version 1.1.6 contains a patch for the issue."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.9,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-30T16:48:58.184Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/better-auth/better-auth/security/advisories/GHSA-8jhw-6pjj-8723",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-8jhw-6pjj-8723"
            },
            {
              "name": "https://github.com/better-auth/better-auth/commit/deb3d73aea90d0468d92723f4511542b593e522f",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/commit/deb3d73aea90d0468d92723f4511542b593e522f"
            }
          ],
          "source": {
            "advisory": "GHSA-8jhw-6pjj-8723",
            "discovery": "UNKNOWN"
          },
          "title": "Better Auth has an Open Redirect Vulnerability in Verify Email Endpoint"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-56734",
        "datePublished": "2024-12-30T16:48:58.184Z",
        "dateReserved": "2024-12-27T19:35:59.211Z",
        "dateUpdated": "2024-12-30T17:36:51.332Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-53517 (GCVE-0-2026-53517)

    Vulnerability from cvelistv5 – Published: 2026-07-15 17:33 – Updated: 2026-07-15 19:21
    VLAI
    Title
    Better Auth OAuth Provider: Refresh Token Rotation Race Condition Allows Concurrent Replay and Token Family Forking
    Summary
    Better Auth is an authentication and authorization library for TypeScript. From 1.4.8-beta.7 until 1.6.11, the @better-auth/oauth-provider POST /oauth2/token endpoint on the refresh_token grant performs a non-atomic read, validate, revoke, and mint sequence on the oauthRefreshToken row, allowing concurrent requests with the same parent refresh token to pass the revoked check and create forked refresh-token families; the vulnerable range also includes embedded better-auth plugin versions before 1.6.0. This issue is fixed in version 1.6.11.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
    • CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
    Assigner
    Impacted products
    Vendor Product Version
    better-auth better-auth Affected: >= 1.4.8-beta.7, < 1.6.0
    Create a notification for this product.
    @better-auth oauth-provider Affected: >= 1.6.0, < 1.6.11
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-53517",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T19:20:42.640935Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T19:21:22.553Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "better-auth",
              "vendor": "better-auth",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.4.8-beta.7, \u003c 1.6.0"
                }
              ]
            },
            {
              "product": "oauth-provider",
              "vendor": "@better-auth",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.6.0, \u003c 1.6.11"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Better Auth is an authentication and authorization library for TypeScript. From 1.4.8-beta.7 until 1.6.11, the @better-auth/oauth-provider POST /oauth2/token endpoint on the refresh_token grant performs a non-atomic read, validate, revoke, and mint sequence on the oauthRefreshToken row, allowing concurrent requests with the same parent refresh token to pass the revoked check and create forked refresh-token families; the vulnerable range also includes embedded better-auth plugin versions before 1.6.0. This issue is fixed in version 1.6.11."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-362",
                  "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-367",
                  "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T17:33:38.943Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/better-auth/better-auth/security/advisories/GHSA-392p-2q2v-4372",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-392p-2q2v-4372"
            },
            {
              "name": "https://github.com/better-auth/better-auth/commit/c6918ecc9e3a75892169415d7f6c95b591b6a52d",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/commit/c6918ecc9e3a75892169415d7f6c95b591b6a52d"
            },
            {
              "name": "https://github.com/better-auth/better-auth/releases/tag/v1.6.11",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/releases/tag/v1.6.11"
            }
          ],
          "source": {
            "advisory": "GHSA-392p-2q2v-4372",
            "discovery": "UNKNOWN"
          },
          "title": "Better Auth OAuth Provider: Refresh Token Rotation Race Condition Allows Concurrent Replay and Token Family Forking"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-53517",
        "datePublished": "2026-07-15T17:33:38.943Z",
        "dateReserved": "2026-06-09T17:30:33.456Z",
        "dateUpdated": "2026-07-15T19:21:22.553Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-45337 (GCVE-0-2026-45337)

    Vulnerability from cvelistv5 – Published: 2026-07-15 17:31 – Updated: 2026-07-15 18:02
    VLAI
    Title
    Better Auth: Device authorization approve and deny accept any authenticated session while the user code is pending
    Summary
    Better Auth is an authentication and authorization library for TypeScript. From 1.6.0 until 1.6.11, the deviceAuthorization plugin treats any authenticated session as the owner of any pending device code because GET /device does not claim the row and POST /device/approve and POST /device/deny short-circuit when userId is unset, allowing an authenticated attacker who learns a valid user_code to bind the polling device to the attacker's account or deny the legitimate flow. This issue is fixed in version 1.6.11.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-285 - Improper Authorization
    • CWE-345 - Insufficient Verification of Data Authenticity
    Assigner
    Impacted products
    Vendor Product Version
    better-auth better-auth Affected: >= 1.6.0, < 1.6.11
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-45337",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T18:02:43.206553Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T18:02:58.506Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "better-auth",
              "vendor": "better-auth",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.6.0, \u003c 1.6.11"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Better Auth is an authentication and authorization library for TypeScript. From 1.6.0 until 1.6.11, the deviceAuthorization plugin treats any authenticated session as the owner of any pending device code because GET /device does not claim the row and POST /device/approve and POST /device/deny short-circuit when userId is unset, allowing an authenticated attacker who learns a valid user_code to bind the polling device to the attacker\u0027s account or deny the legitimate flow. This issue is fixed in version 1.6.11."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285: Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "CWE-345: Insufficient Verification of Data Authenticity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T17:31:44.983Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/better-auth/better-auth/security/advisories/GHSA-cq3f-vc6p-68fh",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-cq3f-vc6p-68fh"
            },
            {
              "name": "https://github.com/better-auth/better-auth/pull/9573",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/pull/9573"
            },
            {
              "name": "https://github.com/better-auth/better-auth/commit/99a254a79b59d5a3f5ca2123260118cddb5beed7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/commit/99a254a79b59d5a3f5ca2123260118cddb5beed7"
            },
            {
              "name": "https://github.com/better-auth/better-auth/releases/tag/v1.6.11",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/releases/tag/v1.6.11"
            }
          ],
          "source": {
            "advisory": "GHSA-cq3f-vc6p-68fh",
            "discovery": "UNKNOWN"
          },
          "title": "Better Auth: Device authorization approve and deny accept any authenticated session while the user code is pending"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-45337",
        "datePublished": "2026-07-15T17:31:44.983Z",
        "dateReserved": "2026-05-11T21:40:08.176Z",
        "dateUpdated": "2026-07-15T18:02:58.506Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-53514 (GCVE-0-2026-53514)

    Vulnerability from cvelistv5 – Published: 2026-07-15 17:30 – Updated: 2026-07-15 17:30
    VLAI
    Title
    Better Auth: Unauthorized invitation acceptance via unverified email match in organization plugin
    Summary
    Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, and in 1.6.14 and later when invitation IDs can be obtained outside the invited mailbox and requireEmailVerificationOnInvitation: true is not enabled, the organization plugin's acceptInvitation, rejectInvitation, getInvitation, and listUserInvitations recipient endpoints use session.user.email and an invitation ID without sufficient verified-email ownership proof, allowing a user with an unverified session for the invited email address to accept an organization invitation after obtaining the invitation ID. This issue is fixed for the original default behavior in version 1.6.11, while 1.6.14 restored compatibility for built-in opaque invitation IDs and leaves affected configurations requiring secure options.
    CWE
    • CWE-287 - Improper Authentication
    • CWE-345 - Insufficient Verification of Data Authenticity
    • CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')
    • CWE-862 - Missing Authorization
    Assigner
    Impacted products
    Vendor Product Version
    better-auth better-auth Affected: < 1.6.11
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "better-auth",
              "vendor": "better-auth",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.6.11"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, and in 1.6.14 and later when invitation IDs can be obtained outside the invited mailbox and requireEmailVerificationOnInvitation: true is not enabled, the organization plugin\u0027s acceptInvitation, rejectInvitation, getInvitation, and listUserInvitations recipient endpoints use session.user.email and an invitation ID without sufficient verified-email ownership proof, allowing a user with an unverified session for the invited email address to accept an organization invitation after obtaining the invitation ID. This issue is fixed for the original default behavior in version 1.6.11, while 1.6.14 restored compatibility for built-in opaque invitation IDs and leaves affected configurations requiring secure options."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "CWE-345: Insufficient Verification of Data Authenticity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-441",
                  "description": "CWE-441: Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T17:30:46.069Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/better-auth/better-auth/security/advisories/GHSA-fmh4-wcc4-5jm3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-fmh4-wcc4-5jm3"
            },
            {
              "name": "https://github.com/better-auth/better-auth/pull/9577",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/pull/9577"
            },
            {
              "name": "https://github.com/better-auth/better-auth/commit/23094a628f007f801be6d26e5b15dc5fc6fc4eb8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/commit/23094a628f007f801be6d26e5b15dc5fc6fc4eb8"
            },
            {
              "name": "https://github.com/better-auth/better-auth/releases/tag/v1.6.11",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/releases/tag/v1.6.11"
            }
          ],
          "source": {
            "advisory": "GHSA-fmh4-wcc4-5jm3",
            "discovery": "UNKNOWN"
          },
          "title": "Better Auth: Unauthorized invitation acceptance via unverified email match in organization plugin"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-53514",
        "datePublished": "2026-07-15T17:30:46.069Z",
        "dateReserved": "2026-06-09T17:30:33.456Z",
        "dateUpdated": "2026-07-15T17:30:46.069Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-53515 (GCVE-0-2026-53515)

    Vulnerability from cvelistv5 – Published: 2026-07-15 17:27 – Updated: 2026-07-15 19:30
    VLAI
    Title
    Better Auth: Privilege escalation via SSO provider registration: missing admin role check in @better-auth/sso
    Summary
    Better Auth is an authentication and authorization library for TypeScript. From 1.2.10 until 1.6.11, the @better-auth/sso plugin's POST /sso/register endpoint lets any organization member attach a new SSO provider to that organization because registerSSOProvider checks only for a membership row and does not require an owner or admin role, allowing attacker-controlled OIDC or SAML providers to drive /sso/callback/{providerId} organization provisioning. This issue is fixed in version 1.6.11.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    • CWE-285 - Improper Authorization
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Vendor Product Version
    better-auth better-auth Affected: >= 1.2.10, < 1.6.11
    Create a notification for this product.
    @better-auth sso Affected: >= 1.2.10, < 1.6.11
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-53515",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T19:29:56.598355Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T19:30:08.165Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "better-auth",
              "vendor": "better-auth",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.2.10, \u003c 1.6.11"
                }
              ]
            },
            {
              "product": "sso",
              "vendor": "@better-auth",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.2.10, \u003c 1.6.11"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Better Auth is an authentication and authorization library for TypeScript. From 1.2.10 until 1.6.11, the @better-auth/sso plugin\u0027s POST /sso/register endpoint lets any organization member attach a new SSO provider to that organization because registerSSOProvider checks only for a membership row and does not require an owner or admin role, allowing attacker-controlled OIDC or SAML providers to drive /sso/callback/{providerId} organization provisioning. This issue is fixed in version 1.6.11."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269: Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285: Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T17:27:00.291Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/better-auth/better-auth/security/advisories/GHSA-gv74-j8m3-fg5f",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-gv74-j8m3-fg5f"
            },
            {
              "name": "https://github.com/better-auth/better-auth/pull/9220",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/pull/9220"
            },
            {
              "name": "https://github.com/better-auth/better-auth/commit/86765f1597378f5c3deed1b80ca91faac0a6bf00",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/commit/86765f1597378f5c3deed1b80ca91faac0a6bf00"
            },
            {
              "name": "https://github.com/better-auth/better-auth/releases/tag/v1.6.11",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/releases/tag/v1.6.11"
            }
          ],
          "source": {
            "advisory": "GHSA-gv74-j8m3-fg5f",
            "discovery": "UNKNOWN"
          },
          "title": "Better Auth: Privilege escalation via SSO provider registration: missing admin role check in @better-auth/sso"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-53515",
        "datePublished": "2026-07-15T17:27:00.291Z",
        "dateReserved": "2026-06-09T17:30:33.456Z",
        "dateUpdated": "2026-07-15T19:30:08.165Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-53512 (GCVE-0-2026-53512)

    Vulnerability from cvelistv5 – Published: 2026-07-15 17:18 – Updated: 2026-07-15 17:18
    VLAI
    Title
    Better Auth: OAuth refresh-token replay via missing client authentication on oidc-provider and mcp plugins
    Summary
    Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, the legacy oidcProvider and mcp plugins expose OAuth token endpoints whose refresh_token grant authenticates only possession of the bound refreshToken row and matching client_id, without verifying the confidential client's client_secret, allowing an attacker with a valid refresh_token to mint access tokens and rotated refresh tokens through /api/auth/oauth2/token or /api/auth/mcp/token. The @better-auth/oauth-provider package is not affected. This issue is fixed in version 1.6.11.
    CWE
    • CWE-287 - Improper Authentication
    • CWE-306 - Missing Authentication for Critical Function
    • CWE-345 - Insufficient Verification of Data Authenticity
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Vendor Product Version
    better-auth better-auth Affected: < 1.6.11
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "better-auth",
              "vendor": "better-auth",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.6.11"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, the legacy oidcProvider and mcp plugins expose OAuth token endpoints whose refresh_token grant authenticates only possession of the bound refreshToken row and matching client_id, without verifying the confidential client\u0027s client_secret, allowing an attacker with a valid refresh_token to mint access tokens and rotated refresh tokens through /api/auth/oauth2/token or /api/auth/mcp/token. The @better-auth/oauth-provider package is not affected. This issue is fixed in version 1.6.11."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306: Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "CWE-345: Insufficient Verification of Data Authenticity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T17:18:09.512Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/better-auth/better-auth/security/advisories/GHSA-pw9m-5jxm-xr6h",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-pw9m-5jxm-xr6h"
            },
            {
              "name": "https://github.com/better-auth/better-auth/pull/9576",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/pull/9576"
            },
            {
              "name": "https://github.com/better-auth/better-auth/commit/1f2ff4215c4affff0b140b0c0a712c0dde35659c",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/commit/1f2ff4215c4affff0b140b0c0a712c0dde35659c"
            },
            {
              "name": "https://github.com/better-auth/better-auth/releases/tag/v1.6.11",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/releases/tag/v1.6.11"
            }
          ],
          "source": {
            "advisory": "GHSA-pw9m-5jxm-xr6h",
            "discovery": "UNKNOWN"
          },
          "title": "Better Auth: OAuth refresh-token replay via missing client authentication on oidc-provider and mcp plugins"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-53512",
        "datePublished": "2026-07-15T17:18:09.512Z",
        "dateReserved": "2026-06-09T17:30:33.455Z",
        "dateUpdated": "2026-07-15T17:18:09.512Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-53518 (GCVE-0-2026-53518)

    Vulnerability from cvelistv5 – Published: 2026-07-15 17:17 – Updated: 2026-07-15 18:07
    VLAI
    Title
    Better Auth OAuth Provider: Race Condition in Authorization Code Exchange Enables Multi-Use Code Redemption
    Summary
    Better Auth is an authentication and authorization library for TypeScript. From 1.6.0 until 1.6.11, the @better-auth/oauth-provider POST /oauth2/token endpoint for the authorization_code grant redeems a single-use authorization code through a non-atomic find-then-delete sequence, allowing two concurrent requests to pass the read step and mint independent access tokens, refresh tokens, and ID tokens; legacy /oauth2/token and /mcp/token paths in oidc-provider and mcp plugins share the same primitive. This issue is fixed in version 1.6.11.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
    • CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
    Assigner
    Impacted products
    Vendor Product Version
    better-auth better-auth Affected: >= 1.6.0, < 1.6.11
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-53518",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T18:07:40.302581Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T18:07:49.190Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "better-auth",
              "vendor": "better-auth",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.6.0, \u003c 1.6.11"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Better Auth is an authentication and authorization library for TypeScript. From 1.6.0 until 1.6.11, the @better-auth/oauth-provider POST /oauth2/token endpoint for the authorization_code grant redeems a single-use authorization code through a non-atomic find-then-delete sequence, allowing two concurrent requests to pass the read step and mint independent access tokens, refresh tokens, and ID tokens; legacy /oauth2/token and /mcp/token paths in oidc-provider and mcp plugins share the same primitive. This issue is fixed in version 1.6.11."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-362",
                  "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-367",
                  "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T17:17:06.410Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/better-auth/better-auth/security/advisories/GHSA-7w99-5wm4-3g79",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-7w99-5wm4-3g79"
            },
            {
              "name": "https://github.com/better-auth/better-auth/commit/b4bc65a007784b2eb0efb459e5fa6fd8055d3ec9",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/commit/b4bc65a007784b2eb0efb459e5fa6fd8055d3ec9"
            },
            {
              "name": "https://github.com/better-auth/better-auth/releases/tag/v1.6.11",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/releases/tag/v1.6.11"
            }
          ],
          "source": {
            "advisory": "GHSA-7w99-5wm4-3g79",
            "discovery": "UNKNOWN"
          },
          "title": "Better Auth OAuth Provider: Race Condition in Authorization Code Exchange Enables Multi-Use Code Redemption"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-53518",
        "datePublished": "2026-07-15T17:17:06.410Z",
        "dateReserved": "2026-06-09T17:30:33.456Z",
        "dateUpdated": "2026-07-15T18:07:49.190Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-53513 (GCVE-0-2026-53513)

    Vulnerability from cvelistv5 – Published: 2026-07-15 17:15 – Updated: 2026-07-15 19:29
    VLAI
    Title
    Better Auth: Server-side request forgery via unvalidated OIDC endpoints on @better-auth/sso provider registration
    Summary
    Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, the @better-auth/sso plugin's POST /sso/register and POST /sso/update-provider endpoints accept attacker-controlled oidcConfig.userInfoEndpoint, tokenEndpoint, and jwksEndpoint URLs when skipDiscovery: true is set, store them on the ssoProvider row without origin validation, and fetch them during OIDC callback, allowing non-blind server-side request forgery and possible account linking when trustEmailVerified: true is configured. This issue is fixed in version 1.6.11.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    • CWE-345 - Insufficient Verification of Data Authenticity
    • CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    better-auth better-auth Affected: >= 0.1.0, < 1.6.11
    Create a notification for this product.
    @better-auth sso Affected: >= 0.1.0, < 1.6.11
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-53513",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T19:28:52.542592Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T19:29:02.266Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "better-auth",
              "vendor": "better-auth",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.1.0, \u003c 1.6.11"
                }
              ]
            },
            {
              "product": "sso",
              "vendor": "@better-auth",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.1.0, \u003c 1.6.11"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, the @better-auth/sso plugin\u0027s POST /sso/register and POST /sso/update-provider endpoints accept attacker-controlled oidcConfig.userInfoEndpoint, tokenEndpoint, and jwksEndpoint URLs when skipDiscovery: true is set, store them on the ssoProvider row without origin validation, and fetch them during OIDC callback, allowing non-blind server-side request forgery and possible account linking when trustEmailVerified: true is configured. This issue is fixed in version 1.6.11."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 9.6,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "CWE-345: Insufficient Verification of Data Authenticity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-441",
                  "description": "CWE-441: Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T17:15:59.611Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/better-auth/better-auth/security/advisories/GHSA-5rr4-8452-hf4v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-5rr4-8452-hf4v"
            },
            {
              "name": "https://github.com/better-auth/better-auth/pull/9574",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/pull/9574"
            },
            {
              "name": "https://github.com/better-auth/better-auth/commit/37f60cb176cb53147da7dfd5ec15afa5b486e81e",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/commit/37f60cb176cb53147da7dfd5ec15afa5b486e81e"
            },
            {
              "name": "https://github.com/better-auth/better-auth/releases/tag/v1.6.11",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/releases/tag/v1.6.11"
            }
          ],
          "source": {
            "advisory": "GHSA-5rr4-8452-hf4v",
            "discovery": "UNKNOWN"
          },
          "title": "Better Auth: Server-side request forgery via unvalidated OIDC endpoints on @better-auth/sso provider registration"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-53513",
        "datePublished": "2026-07-15T17:15:59.611Z",
        "dateReserved": "2026-06-09T17:30:33.455Z",
        "dateUpdated": "2026-07-15T19:29:02.266Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-53516 (GCVE-0-2026-53516)

    Vulnerability from cvelistv5 – Published: 2026-07-15 17:13 – Updated: 2026-07-15 17:52
    VLAI
    Title
    Better Auth: Account takeover via OAuth auto-link to unverified pre-registered email
    Summary
    Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, Better Auth's OAuth callback auto-link gate in handleOAuthUserInfo accepts implicit account linking when the OAuth provider asserts email_verified: true without requiring the local user row's emailVerified field to also be true, allowing an attacker who pre-registers a victim email through /sign-up/email to bind the victim's OAuth identity to the attacker's account. The same primitive affects one-tap, and emailAndPassword.requireEmailVerification: true does not mitigate the link-time verification change. This issue is fixed in version 1.6.11.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    • CWE-345 - Insufficient Verification of Data Authenticity
    Assigner
    Impacted products
    Vendor Product Version
    better-auth better-auth Affected: < 1.6.11
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-53516",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T17:51:30.733244Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T17:52:35.572Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "better-auth",
              "vendor": "better-auth",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.6.11"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, Better Auth\u0027s OAuth callback auto-link gate in handleOAuthUserInfo accepts implicit account linking when the OAuth provider asserts email_verified: true without requiring the local user row\u0027s emailVerified field to also be true, allowing an attacker who pre-registers a victim email through /sign-up/email to bind the victim\u0027s OAuth identity to the attacker\u0027s account. The same primitive affects one-tap, and emailAndPassword.requireEmailVerification: true does not mitigate the link-time verification change. This issue is fixed in version 1.6.11."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "CWE-345: Insufficient Verification of Data Authenticity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T17:13:16.431Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/better-auth/better-auth/security/advisories/GHSA-g38m-r43w-p2q7",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-g38m-r43w-p2q7"
            },
            {
              "name": "https://github.com/better-auth/better-auth/pull/9578",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/pull/9578"
            },
            {
              "name": "https://github.com/better-auth/better-auth/commit/da7e50beee849c59a2ed1ec6b3a38cc6ab9fb563",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/commit/da7e50beee849c59a2ed1ec6b3a38cc6ab9fb563"
            },
            {
              "name": "https://github.com/better-auth/better-auth/releases/tag/v1.6.11",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/releases/tag/v1.6.11"
            }
          ],
          "source": {
            "advisory": "GHSA-g38m-r43w-p2q7",
            "discovery": "UNKNOWN"
          },
          "title": "Better Auth: Account takeover via OAuth auto-link to unverified pre-registered email"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-53516",
        "datePublished": "2026-07-15T17:13:16.431Z",
        "dateReserved": "2026-06-09T17:30:33.456Z",
        "dateUpdated": "2026-07-15T17:52:35.572Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15527 (GCVE-0-2026-15527)

    Vulnerability from cvelistv5 – Published: 2026-07-13 03:00 – Updated: 2026-07-13 19:26
    VLAI
    Title
    better-auth better-icons scan_project_icons/sync_icon path traversal
    Summary
    A vulnerability has been found in better-auth better-icons up to 1.0.5. This vulnerability affects unknown code of the component scan_project_icons/sync_icon. Such manipulation of the argument icons_file leads to path traversal. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    better-auth better-icons Affected: 1.0.0
    Affected: 1.0.1
    Affected: 1.0.2
    Affected: 1.0.3
    Affected: 1.0.4
    Affected: 1.0.5
        cpe:2.3:a:better-auth:better-icons:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Mcfly_Zhang (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-15527",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-13T19:24:54.395119Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-13T19:26:34.337Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:better-auth:better-icons:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "scan_project_icons/sync_icon"
              ],
              "product": "better-icons",
              "vendor": "better-auth",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0.0"
                },
                {
                  "status": "affected",
                  "version": "1.0.1"
                },
                {
                  "status": "affected",
                  "version": "1.0.2"
                },
                {
                  "status": "affected",
                  "version": "1.0.3"
                },
                {
                  "status": "affected",
                  "version": "1.0.4"
                },
                {
                  "status": "affected",
                  "version": "1.0.5"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Mcfly_Zhang (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability has been found in better-auth better-icons up to 1.0.5. This vulnerability affects unknown code of the component scan_project_icons/sync_icon. Such manipulation of the argument icons_file leads to path traversal. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 4.3,
                "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "Path Traversal",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T03:00:08.811Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377865 | better-auth better-icons scan_project_icons/sync_icon path traversal",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377865"
            },
            {
              "name": "VDB-377865 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377865/cti"
            },
            {
              "name": "CVE-2026-15527 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15527"
            },
            {
              "name": "Submit #854530 | better-auth better-icons 1.0.5 Code Injection",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/854530"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/better-auth/better-icons/issues/18"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/better-auth/better-icons/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-12T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-12T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-12T14:56:41.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "better-auth better-icons scan_project_icons/sync_icon path traversal"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15527",
        "datePublished": "2026-07-13T03:00:08.811Z",
        "dateReserved": "2026-07-12T12:51:37.994Z",
        "dateUpdated": "2026-07-13T19:26:34.337Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-45364 (GCVE-0-2026-45364)

    Vulnerability from cvelistv5 – Published: 2026-05-28 21:34 – Updated: 2026-05-29 19:05
    VLAI
    Title
    Better Auth: Rate limiter keys IPv6 addresses individually and is bypassable via prefix rotation
    Summary
    Better Auth is an authentication and authorization library for TypeScript. Prior to 1.4.17 and 1.5.0-beta.9, Better Auth's HTTP rate limiter keyed each request by the exact textual IP address it received in x-forwarded-for (or the configured IP-bearing header). IPv6 clients controlling a typical /64 allocation could rotate through 2^64 distinct source addresses without exhausting the per-address counter, defeating rate limiting on /sign-in/email, /sign-up/email, /forget-password, and every other path the limiter protects. The same bug allowed a single client to vary the textual encoding of one IPv6 address (uppercase, compression, IPv4-mapped, hex-encoded IPv4-in-IPv6) and produce multiple distinct keys. This vulnerability is fixed in 1.4.17 and 1.5.0-beta.9.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-307 - Improper Restriction of Excessive Authentication Attempts
    Assigner
    Impacted products
    Vendor Product Version
    better-auth better-auth Affected: < 1.4.17
    Affected: >= 1.5.0-beta.1, < 1.5.0-beta.9
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-45364",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-29T19:05:14.121201Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-29T19:05:38.845Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "better-auth",
              "vendor": "better-auth",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.4.17"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.5.0-beta.1, \u003c 1.5.0-beta.9"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Better Auth is an authentication and authorization library for TypeScript. Prior to 1.4.17 and 1.5.0-beta.9, Better Auth\u0027s HTTP rate limiter keyed each request by the exact textual IP address it received in x-forwarded-for (or the configured IP-bearing header). IPv6 clients controlling a typical /64 allocation could rotate through 2^64 distinct source addresses without exhausting the per-address counter, defeating rate limiting on /sign-in/email, /sign-up/email, /forget-password, and every other path the limiter protects. The same bug allowed a single client to vary the textual encoding of one IPv6 address (uppercase, compression, IPv4-mapped, hex-encoded IPv4-in-IPv6) and produce multiple distinct keys. This vulnerability is fixed in 1.4.17 and 1.5.0-beta.9."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-307",
                  "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-28T21:34:51.446Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/better-auth/better-auth/security/advisories/GHSA-p6v2-xcpg-h6xw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-p6v2-xcpg-h6xw"
            },
            {
              "name": "https://github.com/better-auth/better-auth/pull/7470",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/pull/7470"
            },
            {
              "name": "https://github.com/better-auth/better-auth/pull/7509",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/pull/7509"
            },
            {
              "name": "https://github.com/better-auth/better-auth/commit/43e719bcc0c223c7079fa0c611a9cf7ea1188254",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/commit/43e719bcc0c223c7079fa0c611a9cf7ea1188254"
            },
            {
              "name": "https://github.com/better-auth/better-auth/commit/57af0f7b910dcf7b1a5c0615d10b9bd56bb69bef",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/commit/57af0f7b910dcf7b1a5c0615d10b9bd56bb69bef"
            }
          ],
          "source": {
            "advisory": "GHSA-p6v2-xcpg-h6xw",
            "discovery": "UNKNOWN"
          },
          "title": "Better Auth: Rate limiter keys IPv6 addresses individually and is bypassable via prefix rotation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-45364",
        "datePublished": "2026-05-28T21:34:51.446Z",
        "dateReserved": "2026-05-12T00:51:29.085Z",
        "dateUpdated": "2026-05-29T19:05:38.845Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-41427 (GCVE-0-2026-41427)

    Vulnerability from cvelistv5 – Published: 2026-04-24 19:23 – Updated: 2026-04-27 13:42
    VLAI
    Title
    Better Auth OAuth 2.1 Provider: Unprivileged users can register OAuth clients
    Summary
    Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.5, the clientPrivileges option documents a create action, but the OAuth client creation endpoints did not invoke the hook before persisting new clients. Deployments that configured clientPrivileges to restrict client registration were not actually restricted — any authenticated user could reach the create endpoints and register an OAuth client with attacker-chosen redirect URIs and metadata. This vulnerability is fixed in 1.6.5.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    better-auth better-auth Affected: >= 1.4.8-beta.7, < 1.6.5
    Affected: >= 1.7.0-beta.0, <= 1.7.0-beta.1
    Create a notification for this product.
    better-auth oauth-provider Affected: >= 1.4.8-beta.7, < 1.6.5
    Affected: >= 1.7.0-beta.0, <= 1.7.0-beta.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41427",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-27T13:42:15.023332Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-27T13:42:23.885Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "better-auth",
              "vendor": "better-auth",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.4.8-beta.7, \u003c 1.6.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.7.0-beta.0, \u003c= 1.7.0-beta.1"
                }
              ]
            },
            {
              "product": "oauth-provider",
              "vendor": "better-auth",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.4.8-beta.7, \u003c 1.6.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.7.0-beta.0, \u003c= 1.7.0-beta.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.5, the clientPrivileges option documents a create action, but the OAuth client creation endpoints did not invoke the hook before persisting new clients. Deployments that configured clientPrivileges to restrict client registration were not actually restricted \u2014 any authenticated user could reach the create endpoints and register an OAuth client with attacker-chosen redirect URIs and metadata. This vulnerability is fixed in 1.6.5."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T19:23:20.161Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/better-auth/better-auth/security/advisories/GHSA-xr8f-h2gw-9xh6",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-xr8f-h2gw-9xh6"
            }
          ],
          "source": {
            "advisory": "GHSA-xr8f-h2gw-9xh6",
            "discovery": "UNKNOWN"
          },
          "title": "Better Auth OAuth 2.1 Provider: Unprivileged users can register OAuth clients"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41427",
        "datePublished": "2026-04-24T19:23:20.161Z",
        "dateReserved": "2026-04-20T15:32:33.814Z",
        "dateUpdated": "2026-04-27T13:42:23.885Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-61928 (GCVE-0-2025-61928)

    Vulnerability from cvelistv5 – Published: 2025-10-09 21:24 – Updated: 2025-10-10 14:23
    VLAI
    Title
    Better Auth: Unauthenticated API key creation through api-key plugin
    Summary
    Better Auth is an authentication and authorization library for TypeScript. In versions prior to 1.3.26, unauthenticated attackers can create or modify API keys for any user by passing that user's id in the request body to the `api/auth/api-key/create` route. `session?.user ?? (authRequired ? null : { id: ctx.body.userId })`. When no session exists but `userId` is present in the request body, `authRequired` becomes false and the user object is set to the attacker-controlled ID. Server-only field validation only executes when `authRequired` is true (lines 280-295), allowing attackers to set privileged fields. No additional authentication occurs before the database operation, so the malicious payload is accepted. The same pattern exists in the update endpoint. This is a critical authentication bypass enabling full an unauthenticated attacker can generate an API key for any user and immediately gain complete authenticated access. This allows the attacker to perform any action as the victim user using the api key, potentially compromise the user data and the application depending on the victim's privileges. Version 1.3.26 contains a patch for the issue.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-285 - Improper Authorization
    • CWE-306 - Missing Authentication for Critical Function
    Assigner
    References
    Impacted products
    Vendor Product Version
    better-auth better-auth Affected: < 1.3.26
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-61928",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-10T14:23:17.755463Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-10T14:23:23.158Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-99h5-pjcv-gr6v"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "better-auth",
              "vendor": "better-auth",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.3.26"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Better Auth is an authentication and authorization library for TypeScript. In versions prior to 1.3.26, unauthenticated attackers can create or modify API keys for any user by passing that user\u0027s id in the request body to the `api/auth/api-key/create` route. `session?.user ?? (authRequired ? null : { id: ctx.body.userId })`. When no session exists but `userId` is present in the request body, `authRequired` becomes false and the user object is set to the attacker-controlled ID. Server-only field validation only executes when `authRequired` is true (lines 280-295), allowing attackers to set privileged fields. No additional authentication occurs before the database operation, so the malicious payload is accepted. The same pattern exists in the update endpoint. This is a critical authentication bypass enabling full an unauthenticated attacker can generate an API key for any user and immediately gain complete authenticated access. This allows the attacker to perform any action as the victim user using the api key, potentially compromise the user data and the application depending on the victim\u0027s privileges. Version 1.3.26 contains a patch for the issue."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285: Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306: Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-09T21:24:37.541Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/better-auth/better-auth/security/advisories/GHSA-99h5-pjcv-gr6v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-99h5-pjcv-gr6v"
            },
            {
              "name": "https://github.com/better-auth/better-auth/commit/556085067609c508f8c546ceef9003ee8c607d39",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/commit/556085067609c508f8c546ceef9003ee8c607d39"
            }
          ],
          "source": {
            "advisory": "GHSA-99h5-pjcv-gr6v",
            "discovery": "UNKNOWN"
          },
          "title": "Better Auth: Unauthenticated API key creation through api-key plugin"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-61928",
        "datePublished": "2025-10-09T21:24:37.541Z",
        "dateReserved": "2025-10-03T22:21:59.616Z",
        "dateUpdated": "2025-10-10T14:23:23.158Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-53535 (GCVE-0-2025-53535)

    Vulnerability from cvelistv5 – Published: 2025-07-07 17:15 – Updated: 2025-07-07 17:48
    VLAI
    Title
    Better Auth has an Open Redirect Vulnerability in originCheck Middleware Affecting Multiple Routes
    Summary
    Better Auth is an authentication and authorization library for TypeScript. An open redirect has been found in the originCheck middleware function, which affects the following routes: /verify-email, /reset-password/:token, /delete-user/callback, /magic-link/verify, /oauth-proxy-callback. This vulnerability is fixed in 1.2.10.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
    Assigner
    References
    Impacted products
    Vendor Product Version
    better-auth better-auth Affected: < 1.2.10
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-53535",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-07T17:48:21.559840Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-07T17:48:36.223Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "better-auth",
              "vendor": "better-auth",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.2.10"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Better Auth is an authentication and authorization library for TypeScript. An open redirect has been found in the originCheck middleware function, which affects the following routes: /verify-email, /reset-password/:token, /delete-user/callback, /magic-link/verify, /oauth-proxy-callback. This vulnerability is fixed in 1.2.10."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 2.1,
                "baseSeverity": "LOW",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-07-07T17:15:52.027Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/better-auth/better-auth/security/advisories/GHSA-36rg-gfq2-3h56",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-36rg-gfq2-3h56"
            }
          ],
          "source": {
            "advisory": "GHSA-36rg-gfq2-3h56",
            "discovery": "UNKNOWN"
          },
          "title": "Better Auth has an Open Redirect Vulnerability in originCheck Middleware Affecting Multiple Routes"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-53535",
        "datePublished": "2025-07-07T17:15:52.027Z",
        "dateReserved": "2025-07-02T15:15:11.515Z",
        "dateUpdated": "2025-07-07T17:48:36.223Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-27143 (GCVE-0-2025-27143)

    Vulnerability from cvelistv5 – Published: 2025-02-24 22:16 – Updated: 2025-02-25 14:29
    VLAI
    Title
    Beter Auth has an Open Redirect via Scheme-Less Callback Parameter
    Summary
    Better Auth is an authentication and authorization library for TypeScript. Prior to version 1.1.21, the application is vulnerable to an open redirect due to improper validation of the callbackURL parameter in the email verification endpoint and any other endpoint that accepts callback url. While the server blocks fully qualified URLs, it incorrectly allows scheme-less URLs. This results in the browser interpreting the URL as a fully qualified URL, leading to unintended redirection. An attacker can exploit this flaw by crafting a malicious verification link and tricking users into clicking it. Upon successful email verification, the user will be automatically redirected to the attacker's website, which can be used for phishing, malware distribution, or stealing sensitive authentication tokens. This CVE is a bypass of the fix for GHSA-8jhw-6pjj-8723/CVE-2024-56734. Version 1.1.21 contains an updated patch.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
    Assigner
    Impacted products
    Vendor Product Version
    better-auth better-auth Affected: < 1.1.20
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-27143",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-25T14:28:45.798053Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-25T14:29:03.293Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "better-auth",
              "vendor": "better-auth",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.1.20"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Better Auth is an authentication and authorization library for TypeScript. Prior to version 1.1.21, the application is vulnerable to an open redirect due to improper validation of the callbackURL parameter in the email verification endpoint and any other endpoint that accepts callback url. While the server blocks fully qualified URLs, it incorrectly allows scheme-less URLs. This results in the browser interpreting the URL as a fully qualified URL, leading to unintended redirection. An attacker can exploit this flaw by crafting a malicious verification link and tricking users into clicking it. Upon successful email verification, the user will be automatically redirected to the attacker\u0027s website, which can be used for phishing, malware distribution, or stealing sensitive authentication tokens. This CVE is a bypass of the fix for GHSA-8jhw-6pjj-8723/CVE-2024-56734. Version 1.1.21 contains an updated patch."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-24T22:16:55.224Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/better-auth/better-auth/security/advisories/GHSA-hjpm-7mrm-26w8",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-hjpm-7mrm-26w8"
            },
            {
              "name": "https://github.com/better-auth/better-auth/security/advisories/GHSA-8jhw-6pjj-8723",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-8jhw-6pjj-8723"
            },
            {
              "name": "https://github.com/better-auth/better-auth/commit/24659aefc35a536b95ea4e5347e52c8803910153",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/commit/24659aefc35a536b95ea4e5347e52c8803910153"
            },
            {
              "name": "https://github.com/better-auth/better-auth/commit/b381cac7aafd6aa53ef78b6ab771ebfa24643c80",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/commit/b381cac7aafd6aa53ef78b6ab771ebfa24643c80"
            },
            {
              "name": "https://github.com/better-auth/better-auth/releases/tag/v1.1.21",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/releases/tag/v1.1.21"
            }
          ],
          "source": {
            "advisory": "GHSA-hjpm-7mrm-26w8",
            "discovery": "UNKNOWN"
          },
          "title": "Beter Auth has an Open Redirect via Scheme-Less Callback Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-27143",
        "datePublished": "2025-02-24T22:16:55.224Z",
        "dateReserved": "2025-02-19T16:30:47.777Z",
        "dateUpdated": "2025-02-25T14:29:03.293Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-56734 (GCVE-0-2024-56734)

    Vulnerability from cvelistv5 – Published: 2024-12-30 16:48 – Updated: 2024-12-30 17:36
    VLAI
    Title
    Better Auth has an Open Redirect Vulnerability in Verify Email Endpoint
    Summary
    Better Auth is an authentication library for TypeScript. An open redirect vulnerability has been identified in the verify email endpoint of all versions of Better Auth prior to v1.1.6, potentially allowing attackers to redirect users to malicious websites. This issue affects users relying on email verification links generated by the library. The verify email callback endpoint accepts a `callbackURL` parameter. Unlike other verification methods, email verification only uses JWT to verify and redirect without proper validation of the target domain. The origin checker is bypassed in this scenario because it only checks for `POST` requests. An attacker can manipulate this parameter to redirect users to arbitrary URLs controlled by the attacker. Version 1.1.6 contains a patch for the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
    Assigner
    References
    Impacted products
    Vendor Product Version
    better-auth better-auth Affected: < 1.1.5
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-56734",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-30T17:36:35.899354Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-30T17:36:51.332Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "better-auth",
              "vendor": "better-auth",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.1.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Better Auth is an authentication library for TypeScript. An open redirect vulnerability has been identified in the verify email endpoint of all versions of Better Auth prior to v1.1.6, potentially allowing attackers to redirect users to malicious websites. This issue affects users relying on email verification links generated by the library. The verify email callback endpoint accepts a `callbackURL` parameter. Unlike other verification methods, email verification only uses JWT to verify and redirect without proper validation of the target domain. The origin checker is bypassed in this scenario because it only checks for `POST` requests. An attacker can manipulate this parameter to redirect users to arbitrary URLs controlled by the attacker. Version 1.1.6 contains a patch for the issue."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.9,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-30T16:48:58.184Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/better-auth/better-auth/security/advisories/GHSA-8jhw-6pjj-8723",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-8jhw-6pjj-8723"
            },
            {
              "name": "https://github.com/better-auth/better-auth/commit/deb3d73aea90d0468d92723f4511542b593e522f",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/better-auth/better-auth/commit/deb3d73aea90d0468d92723f4511542b593e522f"
            }
          ],
          "source": {
            "advisory": "GHSA-8jhw-6pjj-8723",
            "discovery": "UNKNOWN"
          },
          "title": "Better Auth has an Open Redirect Vulnerability in Verify Email Endpoint"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-56734",
        "datePublished": "2024-12-30T16:48:58.184Z",
        "dateReserved": "2024-12-27T19:35:59.211Z",
        "dateUpdated": "2024-12-30T17:36:51.332Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }