Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Network endpoint reachable by any authenticated org member (PR:L), no UI or added complexity; registering a rogue provider is a high-integrity change with limited confidentiality and no availability impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Lifecycle Timeline
4DescriptionCVE.org
Better Auth is an authentication and authorization library for TypeScript. From 1.2.10 until 1.6.11, the @better-auth/sso plugin's POST /sso/register endpoint lets any organization member attach a new SSO provider to that organization because registerSSOProvider checks only for a membership row and does not require an owner or admin role, allowing attacker-controlled OIDC or SAML providers to drive /sso/callback/{providerId} organization provisioning. This issue is fixed in version 1.6.11.
AnalysisAI
{providerId} to drive organization provisioning, effectively escalating toward organization takeover. No public exploit identified at time of analysis; the flaw is fixed in 1.6.11 which adds the missing role check.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires that the target deployment runs the @better-auth/sso plugin (versions 1.2.10-1.6.10) together with the Better Auth organization plugin, and that the request to POST /sso/register includes an organizationId. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N, base 7.1) is internally consistent with the description: network-reachable endpoint, low complexity, and low privileges (an existing org member) with no user interaction, yielding high integrity impact and low confidentiality impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker obtains an ordinary (non-admin) member account in a target organization that uses Better Auth's SSO and organization plugins. They send POST /sso/register with organizationId set and a SAML/OIDC config pointing at their own identity provider; the server accepts it due to the missing role check. … |
| Remediation | Vendor-released patch: upgrade @better-auth/sso to 1.6.11 or later, which requires the caller to hold an organization owner or admin role for POST /sso/register and returns 403 FORBIDDEN to regular members (fix in PR https://github.com/better-auth/better-auth/pull/9220 and commit https://github.com/better-auth/better-auth/commit/86765f1597378f5c3deed1b80ca91faac0a6bf00). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify and catalog all systems running the affected product and their current versions; determine which systems control critical organization provisioning or have internet-facing access. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Better Auth
View allBetter Auth is an authentication library for TypeScript. Rated high severity (CVSS 7.9), this vulnerability is remotely
Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.5, the clientPrivileges option d
Better Auth is an authentication and authorization library for TypeScript. Rated medium severity (CVSS 6.9), this vulner
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44740