CVE-2026-53514
Received Received - Intake

Better Auth Organization Invitation Session Validation Bypass

Vulnerability report for CVE-2026-53514, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: GitHub, Inc.

Description

Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, and in 1.6.14 and later when invitation IDs can be obtained outside the invited mailbox and requireEmailVerificationOnInvitation: true is not enabled, the organization plugin's acceptInvitation, rejectInvitation, getInvitation, and listUserInvitations recipient endpoints use session.user.email and an invitation ID without sufficient verified-email ownership proof, allowing a user with an unverified session for the invited email address to accept an organization invitation after obtaining the invitation ID. This issue is fixed for the original default behavior in version 1.6.11, while 1.6.14 restored compatibility for built-in opaque invitation IDs and leaves affected configurations requiring secure options.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-15
AI Q&A
2026-07-15
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
better_auth better_auth to 1.6.11|start_including=1.6.14 (exc)
better_auth better_auth to 1.6.11 (exc)
better_auth better_auth From 1.6.14 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-441 The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects the Better Auth library's organization plugin. It allows users with unverified email sessions to accept, reject, view, or enumerate invitations intended for a victim's email address by obtaining the invitation ID. The system previously only checked if the session user's email matched the invitation email without requiring email verification.

Impact Analysis

An attacker could pre-register with a victim's email address without verifying it, then use the invitation ID to accept invitations meant for the victim. This grants the attacker unintended organization membership and associated permissions, potentially leading to unauthorized access to sensitive data or systems.

Compliance Impact

This vulnerability could lead to unauthorized access to personal or sensitive data, violating principles of data protection and access control required by GDPR and HIPAA. It undermines user consent and data integrity, potentially resulting in non-compliance with these regulations.

Detection Guidance

To detect this vulnerability, check if your Better Auth organization plugin's invitation endpoints (acceptInvitation, rejectInvitation, getInvitation, listUserInvitations) allow unverified email sessions to interact with invitations. Review logs for unauthorized access attempts or actions performed by users with unverified emails. Ensure session.user.emailVerified is enforced before processing invitation requests.

Mitigation Strategies
  • Upgrade to Better Auth version 1.6.11 or later to enforce email verification by default for invitation endpoints.
  • Set requireEmailVerificationOnInvitation: true in your configuration to ensure only verified emails can accept or view invitations.
  • Prevent exposure of invitation IDs outside the invited mailbox to reduce attack surface.
  • Require email verification before allowing user sign-in to prevent pre-registration attacks.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53514. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart