CVE-2026-53513 PUBLISHED

Better Auth: Server-side request forgery via unvalidated OIDC endpoints on @better-auth/sso provider registration

Assigner: GitHub_M
Reserved: 09.06.2026 Published: 15.07.2026 Updated: 15.07.2026

Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, the @better-auth/sso plugin's POST /sso/register and POST /sso/update-provider endpoints accept attacker-controlled oidcConfig.userInfoEndpoint, tokenEndpoint, and jwksEndpoint URLs when skipDiscovery: true is set, store them on the ssoProvider row without origin validation, and fetch them during OIDC callback, allowing non-blind server-side request forgery and possible account linking when trustEmailVerified: true is configured. This issue is fixed in version 1.6.11.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
CVSS Score: 9.6

Product Status

Vendor better-auth
Product better-auth
Versions
  • Version >= 0.1.0, < 1.6.11 is affected
Vendor @better-auth
Product sso
Versions
  • Version >= 0.1.0, < 1.6.11 is affected

References

Problem Types

  • CWE-20: Improper Input Validation CWE
  • CWE-345: Insufficient Verification of Data Authenticity CWE
  • CWE-441: Unintended Proxy or Intermediary ('Confused Deputy') CWE
  • CWE-918: Server-Side Request Forgery (SSRF) CWE