Skip to main content

Better Auth CVE-2026-53515

| EUVDEUVD-2026-44740 HIGH
Improper Privilege Management (CWE-269)
2026-07-15 GitHub_M
7.1
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
vuln.today AI
7.1 HIGH

Network endpoint reachable by any authenticated org member (PR:L), no UI or added complexity; registering a rogue provider is a high-integrity change with limited confidentiality and no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

4
Patch available
Jul 15, 2026 - 21:18 EUVD
Source Code Evidence Fetched
Jul 15, 2026 - 18:31 vuln.today
Analysis Generated
Jul 15, 2026 - 18:31 vuln.today
CVE Published
Jul 15, 2026 - 17:27 cve.org
HIGH 7.1

DescriptionCVE.org

Better Auth is an authentication and authorization library for TypeScript. From 1.2.10 until 1.6.11, the @better-auth/sso plugin's POST /sso/register endpoint lets any organization member attach a new SSO provider to that organization because registerSSOProvider checks only for a membership row and does not require an owner or admin role, allowing attacker-controlled OIDC or SAML providers to drive /sso/callback/{providerId} organization provisioning. This issue is fixed in version 1.6.11.

AnalysisAI

{providerId} to drive organization provisioning, effectively escalating toward organization takeover. No public exploit identified at time of analysis; the flaw is fixed in 1.6.11 which adds the missing role check.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as ordinary org member
Delivery
POST /sso/register with attacker OIDC/SAML config and organizationId
Exploit
Bypass missing role check, provider attached
Execution
Drive /sso/callback/{providerId} provisioning
Impact
Escalate to organization-level access

Vulnerability AssessmentAI

Exploitation Requires that the target deployment runs the @better-auth/sso plugin (versions 1.2.10-1.6.10) together with the Better Auth organization plugin, and that the request to POST /sso/register includes an organizationId. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N, base 7.1) is internally consistent with the description: network-reachable endpoint, low complexity, and low privileges (an existing org member) with no user interaction, yielding high integrity impact and low confidentiality impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker obtains an ordinary (non-admin) member account in a target organization that uses Better Auth's SSO and organization plugins. They send POST /sso/register with organizationId set and a SAML/OIDC config pointing at their own identity provider; the server accepts it due to the missing role check. …
Remediation Vendor-released patch: upgrade @better-auth/sso to 1.6.11 or later, which requires the caller to hold an organization owner or admin role for POST /sso/register and returns 403 FORBIDDEN to regular members (fix in PR https://github.com/better-auth/better-auth/pull/9220 and commit https://github.com/better-auth/better-auth/commit/86765f1597378f5c3deed1b80ca91faac0a6bf00). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and catalog all systems running the affected product and their current versions; determine which systems control critical organization provisioning or have internet-facing access. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53515 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy