CVE-2026-53516
Received Received - Intake

Improper OAuth Account Linking in Better Auth Library

Vulnerability report for CVE-2026-53516, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: GitHub, Inc.

Description

Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, Better Auth's OAuth callback auto-link gate in handleOAuthUserInfo accepts implicit account linking when the OAuth provider asserts email_verified: true without requiring the local user row's emailVerified field to also be true, allowing an attacker who pre-registers a victim email through /sign-up/email to bind the victim's OAuth identity to the attacker's account. The same primitive affects one-tap, and emailAndPassword.requireEmailVerification: true does not mitigate the link-time verification change. This issue is fixed in version 1.6.11.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-15
AI Q&A
2026-07-15
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
better_auth better_auth to 1.6.11 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-53516 is a high-severity vulnerability in the Better Auth library affecting versions prior to 1.6.11. It allows an attacker to pre-register a victim's email via the email sign-up endpoint, creating a user row with emailVerified set to false. When the victim later authenticates via OAuth, the system implicitly links the OAuth identity to the attacker's pre-registered account without verifying the local emailVerified status. This grants the attacker both a password login and the victim's OAuth identity on the same account.

Impact Analysis

This vulnerability enables account takeover. An attacker can gain persistent access to a victim's account by pre-registering the victim's email and then linking the victim's legitimate OAuth login to the attacker's account. This means the attacker can log in using either the pre-registered password or the victim's OAuth identity.

Compliance Impact

This vulnerability could lead to unauthorized access to sensitive user data, violating compliance requirements such as GDPR's data protection principles or HIPAA's access controls. It undermines authentication mechanisms and may result in data breaches, triggering regulatory penalties and loss of trust.

Detection Guidance

To detect this vulnerability, check if your Better Auth version is below 1.6.11. Run: npm list better-auth or grep "better-auth" package.json. If the version is older, the system is vulnerable. Also review OAuth callback logs for implicit account linking events where email_verified is true but local emailVerified is false.

Mitigation Strategies

Upgrade Better Auth to version 1.6.11 or later immediately. If upgrading is not possible, disable implicit account linking by setting account.accountLinking.requireLocalEmailVerified to false temporarily. Audit existing accounts for suspicious OAuth bindings and revoke unauthorized access.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53516. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart