Severity by source
AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Attacker needs own low-priv session (PR:L), an admin must issue the invitation (UI:R), success hinges on non-default config plus a token leak (AC:H), and crossing into another org's authority is a scope change (S:C) with high C/I and no availability impact.
Primary rating from Vendor (https://github.com/better-auth/better-auth).
CVSS VectorVendor: https://github.com/better-auth/better-auth
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 26 npm packages depend on better-auth (19 direct, 7 indirect)
Ecosystem-wide dependent count for version 1.6.11.
DescriptionCVE.org
Am I affected?
Users are affected if all of the following are true:
- Their application uses
better-authwith theorganizationplugin (import { organization } from "better-auth/plugins/organization"). - Their application enables a sign-up surface that allows arbitrary unverified email registration. Most commonly
emailAndPassword: { enabled: true }withoutrequireEmailVerification: true. - Their application has not set
requireEmailVerificationOnInvitation: trueon theorganization()options. - Their application invitation distribution flow allows anyone other than the invited mailbox owner to obtain the
invitationId. Examples: admin UI surfacing the link, copy-paste into chat, forwarded email, mail-forwarding rules at the recipient's domain, link previews logging the URL, or a customsendInvitationEmailintegration that sends to a non-owner channel.
If their application set emailAndPassword: { enabled: true, requireEmailVerification: true } so unverified rows cannot reach a usable session, they are not affected. Setting requireEmailVerificationOnInvitation: true closes acceptInvitation and rejectInvitation, but getInvitation and listUserInvitations remain ungated even with that flag.
Fix:
- Upgrade to
better-auth@1.6.11or later. - If developers cannot upgrade their application, see workarounds below.
Summary
The organization plugin's acceptInvitation endpoint trusts an email-string equality check as proof that the session user owns the invited address. With Better Auth's stock emailAndPassword: { enabled: true } configuration, requireEmailVerification defaults to false, so an attacker can sign up a row keyed to victim@target.example (auto-signed-in, emailVerified: false) before the legitimate owner. When an organization admin invites that address, the attacker presents the invitationId and accepts the invitation, joining the organization at the invited role.
Details
The recipient gate compares invitation.email.toLowerCase() to session.user.email.toLowerCase() and returns 403 on mismatch. The opt-in requireEmailVerificationOnInvitation flag adds an emailVerified check, but it defaults to false and only fires on acceptInvitation and rejectInvitation; getInvitation and listUserInvitations have no emailVerified gate at all.
The bearer token (invitationId) is by default 32 chars over [a-zA-Z0-9] (~190 bits), so the realistic attack vector is leakage of the invitation link rather than brute force.
The fix shape defaults the emailVerified gate to on and extends it across all four invitation endpoints (acceptInvitation, rejectInvitation, getInvitation, listUserInvitations). This is the same trust-primitive class as GHSA-g38m-r43w-p2q7 (OAuth auto-link); both ship the rule "email equality is not ownership proof; both sides must prove ownership".
Patches
Fixed in better-auth@1.6.11. All four invitation recipient endpoints (acceptInvitation, rejectInvitation, getInvitation, listUserInvitations) now require the session user's emailVerified to be true in addition to the email-string match. The requireEmailVerificationOnInvitation option default flips from false to true, so applications are secure out of the box.
getInvitation and listUserInvitations use the new EMAIL_VERIFICATION_REQUIRED_FOR_INVITATION error code so the wording matches the operation; acceptInvitation and rejectInvitation keep the existing EMAIL_VERIFICATION_REQUIRED_BEFORE_ACCEPTING_OR_REJECTING_INVITATION code. Server-side calls to listUserInvitations that pass ctx.query.email without an authenticated session continue to bypass the gate; the gate is specific to session-authenticated recipient calls.
Integrators who intentionally accept invitations on unverified sessions can preserve the legacy permissive behavior with organization({ requireEmailVerificationOnInvitation: false }). The option is marked @deprecated; the gate at each call site carries a FIXME pointing at the next-minor follow-up that drops the option and makes the check unconditional. Operators that take this opt-out should understand the takeover risk before doing so.
Workarounds
If developers cannot upgrade their applications immediately:
- Set
organization({ requireEmailVerificationOnInvitation: true }). ClosesacceptInvitationandrejectInvitationagainst unverified sessions. Does not closegetInvitationorlistUserInvitations. - Set
emailAndPassword.requireEmailVerification: true(or remove email/password sign-up entirely). Closes the pre-registration step itself. - Layer middleware on the organization invitation routes that asserts
session.user.emailVerified === trueand rejects otherwise.
Impact
- Account takeover via pre-account hijacking on the org invitation surface: the attacker, holding only an unverified self-issued session and the leaked
invitationId, joins the organization as a member at the invited role. - Organization membership reach: the attacker reads invitation contents and any organization-scoped data the joined role can see, and acts as a member of the victim organization.
Credit
Reported by @widavies.
Resources
AnalysisAI
Privilege escalation and account/organization takeover in the better-auth Node/TypeScript library affects applications using the organization plugin with unverified email sign-up enabled (emailAndPassword without requireEmailVerification). Because acceptInvitation treats a plain email-string match as proof of address ownership, an attacker who pre-registers an unverified account keyed to a victim's address and obtains a leaked invitationId can accept an admin's invitation and join the organization at the invited role. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires all of the following to hold: (1) the app uses better-auth's organization plugin; (2) sign-up permits arbitrary unverified email registration - most commonly emailAndPassword: { enabled: true } without requireEmailVerification: true, allowing an attacker to create an auto-signed-in emailVerified:false account keyed to the victim's address; (3) the app has NOT set requireEmailVerificationOnInvitation: true on organization() options; and (4) the invitation distribution flow lets someone other than the invited mailbox owner obtain the invitationId (admin UI surfacing the link, copy-paste into chat, forwarded email, recipient-domain mail-forwarding rules, link-preview logging, or a custom sendInvitationEmail sending to a non-owner channel). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are moderate rather than emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a better-auth account for victim@target.example using stock email/password sign-up, receiving an auto-signed-in session with emailVerified: false before the real owner ever signs up. An organization admin later invites victim@target.example, and the invitationId link leaks through a shared admin UI, a forwarded email, a chat copy-paste, or a link-preview log. … |
| Remediation | Vendor-released patch: better-auth 1.6.11 - upgrade to better-auth@1.6.11 or later, which flips the requireEmailVerificationOnInvitation default from false to true and extends the emailVerified gate across all four invitation recipient endpoints (acceptInvitation, rejectInvitation, getInvitation, listUserInvitations), making apps secure by default (see https://github.com/better-auth/better-auth/security/advisories/GHSA-fmh4-wcc4-5jm3 and the v1.6.11 release notes). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory applications using better-auth with organization plugin and emailAndPassword configuration; determine whether requireEmailVerification is explicitly set to true. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44742
GHSA-fmh4-wcc4-5jm3