CVE-2026-53515
Received Received - Intake

SSO Provider Hijacking in Better Auth Library

Vulnerability report for CVE-2026-53515, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: GitHub, Inc.

Description

Better Auth is an authentication and authorization library for TypeScript. From 1.2.10 until 1.6.11, the @better-auth/sso plugin's POST /sso/register endpoint lets any organization member attach a new SSO provider to that organization because registerSSOProvider checks only for a membership row and does not require an owner or admin role, allowing attacker-controlled OIDC or SAML providers to drive /sso/callback/{providerId} organization provisioning. This issue is fixed in version 1.6.11.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-15
AI Q&A
2026-07-15
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
better_auth sso From 1.2.10 (inc) to 1.6.11 (exc)
better_auth sso 1.6.11

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects the Better Auth SSO plugin versions 1.2.10 to 1.6.10. It allows any organization member, regardless of their role, to register a new SSO provider for that organization via the POST /sso/register endpoint. The endpoint only checked for membership but did not require admin or owner privileges, unlike other SSO management endpoints.

Impact Analysis

An attacker could exploit this to attach a malicious SSO provider to your organization. This could lead to unauthorized user provisioning, including admin-grade users, if the attacker configures the provider to allow it. It undermines access controls and could grant unauthorized access to your systems.

Compliance Impact

This vulnerability could lead to unauthorized access and data breaches, violating compliance requirements for GDPR (data protection), HIPAA (health information security), and other regulations that mandate strict access controls and auditability. Unauthorized admin access risks non-compliance with security and privacy controls.

Detection Guidance

To detect this vulnerability, check if your Better Auth SSO plugin version is between 1.2.10 and 1.6.10. Run: npm list @better-auth/sso. If the version falls in this range, the system is vulnerable.

Mitigation Strategies

Upgrade to @better-auth/sso version 1.6.11 or later. If upgrading is not possible, disable user-driven SSO registration or SSO-driven organization provisioning as a workaround.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53515. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart