Skip to main content

better-auth EUVDEUVD-2026-44742

| CVE-2026-53514 HIGH
Improper Authentication (CWE-287)
2026-07-07 https://github.com/better-auth/better-auth GHSA-fmh4-wcc4-5jm3
7.7
CVSS 3.1 · Vendor: https://github.com/better-auth/better-auth
Share

Severity by source

Vendor (https://github.com/better-auth/better-auth) PRIMARY
7.7 HIGH
AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
vuln.today AI
7.7 HIGH

Attacker needs own low-priv session (PR:L), an admin must issue the invitation (UI:R), success hinges on non-default config plus a token leak (AC:H), and crossing into another org's authority is a scope change (S:C) with high C/I and no availability impact.

3.1 AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (https://github.com/better-auth/better-auth).

CVSS VectorVendor: https://github.com/better-auth/better-auth

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 07, 2026 - 21:39 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 26 npm packages depend on better-auth (19 direct, 7 indirect)

Ecosystem-wide dependent count for version 1.6.11.

DescriptionCVE.org

Am I affected?

Users are affected if all of the following are true:

  • Their application uses better-auth with the organization plugin (import { organization } from "better-auth/plugins/organization").
  • Their application enables a sign-up surface that allows arbitrary unverified email registration. Most commonly emailAndPassword: { enabled: true } without requireEmailVerification: true.
  • Their application has not set requireEmailVerificationOnInvitation: true on the organization() options.
  • Their application invitation distribution flow allows anyone other than the invited mailbox owner to obtain the invitationId. Examples: admin UI surfacing the link, copy-paste into chat, forwarded email, mail-forwarding rules at the recipient's domain, link previews logging the URL, or a custom sendInvitationEmail integration that sends to a non-owner channel.

If their application set emailAndPassword: { enabled: true, requireEmailVerification: true } so unverified rows cannot reach a usable session, they are not affected. Setting requireEmailVerificationOnInvitation: true closes acceptInvitation and rejectInvitation, but getInvitation and listUserInvitations remain ungated even with that flag.

Fix:

  1. Upgrade to better-auth@1.6.11 or later.
  2. If developers cannot upgrade their application, see workarounds below.

Summary

The organization plugin's acceptInvitation endpoint trusts an email-string equality check as proof that the session user owns the invited address. With Better Auth's stock emailAndPassword: { enabled: true } configuration, requireEmailVerification defaults to false, so an attacker can sign up a row keyed to victim@target.example (auto-signed-in, emailVerified: false) before the legitimate owner. When an organization admin invites that address, the attacker presents the invitationId and accepts the invitation, joining the organization at the invited role.

Details

The recipient gate compares invitation.email.toLowerCase() to session.user.email.toLowerCase() and returns 403 on mismatch. The opt-in requireEmailVerificationOnInvitation flag adds an emailVerified check, but it defaults to false and only fires on acceptInvitation and rejectInvitation; getInvitation and listUserInvitations have no emailVerified gate at all.

The bearer token (invitationId) is by default 32 chars over [a-zA-Z0-9] (~190 bits), so the realistic attack vector is leakage of the invitation link rather than brute force.

The fix shape defaults the emailVerified gate to on and extends it across all four invitation endpoints (acceptInvitation, rejectInvitation, getInvitation, listUserInvitations). This is the same trust-primitive class as GHSA-g38m-r43w-p2q7 (OAuth auto-link); both ship the rule "email equality is not ownership proof; both sides must prove ownership".

Patches

Fixed in better-auth@1.6.11. All four invitation recipient endpoints (acceptInvitation, rejectInvitation, getInvitation, listUserInvitations) now require the session user's emailVerified to be true in addition to the email-string match. The requireEmailVerificationOnInvitation option default flips from false to true, so applications are secure out of the box.

getInvitation and listUserInvitations use the new EMAIL_VERIFICATION_REQUIRED_FOR_INVITATION error code so the wording matches the operation; acceptInvitation and rejectInvitation keep the existing EMAIL_VERIFICATION_REQUIRED_BEFORE_ACCEPTING_OR_REJECTING_INVITATION code. Server-side calls to listUserInvitations that pass ctx.query.email without an authenticated session continue to bypass the gate; the gate is specific to session-authenticated recipient calls.

Integrators who intentionally accept invitations on unverified sessions can preserve the legacy permissive behavior with organization({ requireEmailVerificationOnInvitation: false }). The option is marked @deprecated; the gate at each call site carries a FIXME pointing at the next-minor follow-up that drops the option and makes the check unconditional. Operators that take this opt-out should understand the takeover risk before doing so.

Workarounds

If developers cannot upgrade their applications immediately:

  • Set organization({ requireEmailVerificationOnInvitation: true }). Closes acceptInvitation and rejectInvitation against unverified sessions. Does not close getInvitation or listUserInvitations.
  • Set emailAndPassword.requireEmailVerification: true (or remove email/password sign-up entirely). Closes the pre-registration step itself.
  • Layer middleware on the organization invitation routes that asserts session.user.emailVerified === true and rejects otherwise.

Impact

  • Account takeover via pre-account hijacking on the org invitation surface: the attacker, holding only an unverified self-issued session and the leaked invitationId, joins the organization as a member at the invited role.
  • Organization membership reach: the attacker reads invitation contents and any organization-scoped data the joined role can see, and acts as a member of the victim organization.

Credit

Reported by @widavies.

Resources

AnalysisAI

Privilege escalation and account/organization takeover in the better-auth Node/TypeScript library affects applications using the organization plugin with unverified email sign-up enabled (emailAndPassword without requireEmailVerification). Because acceptInvitation treats a plain email-string match as proof of address ownership, an attacker who pre-registers an unverified account keyed to a victim's address and obtains a leaked invitationId can accept an admin's invitation and join the organization at the invited role. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Pre-register account keyed to victim email
Delivery
Obtain auto-signed-in unverified session
Exploit
Capture leaked invitationId link
Install
Submit invitationId to acceptInvitation
C2
Email-string match passes ownership check
Execute
Join organization at invited role
Impact
Read org-scoped data as member

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following to hold: (1) the app uses better-auth's organization plugin; (2) sign-up permits arbitrary unverified email registration - most commonly emailAndPassword: { enabled: true } without requireEmailVerification: true, allowing an attacker to create an auto-signed-in emailVerified:false account keyed to the victim's address; (3) the app has NOT set requireEmailVerificationOnInvitation: true on organization() options; and (4) the invitation distribution flow lets someone other than the invited mailbox owner obtain the invitationId (admin UI surfacing the link, copy-paste into chat, forwarded email, recipient-domain mail-forwarding rules, link-preview logging, or a custom sendInvitationEmail sending to a non-owner channel). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are moderate rather than emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a better-auth account for victim@target.example using stock email/password sign-up, receiving an auto-signed-in session with emailVerified: false before the real owner ever signs up. An organization admin later invites victim@target.example, and the invitationId link leaks through a shared admin UI, a forwarded email, a chat copy-paste, or a link-preview log. …
Remediation Vendor-released patch: better-auth 1.6.11 - upgrade to better-auth@1.6.11 or later, which flips the requireEmailVerificationOnInvitation default from false to true and extends the emailVerified gate across all four invitation recipient endpoints (acceptInvitation, rejectInvitation, getInvitation, listUserInvitations), making apps secure by default (see https://github.com/better-auth/better-auth/security/advisories/GHSA-fmh4-wcc4-5jm3 and the v1.6.11 release notes). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory applications using better-auth with organization plugin and emailAndPassword configuration; determine whether requireEmailVerification is explicitly set to true. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-44742 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy