CVE-2026-53513 in Better Authinfo

Summary

by MITRE • 07/15/2026

Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, the @better-auth/sso plugin's POST /sso/register and POST /sso/update-provider endpoints accept attacker-controlled oidcConfig.userInfoEndpoint, tokenEndpoint, and jwksEndpoint URLs when skipDiscovery: true is set, store them on the ssoProvider row without origin validation, and fetch them during OIDC callback, allowing non-blind server-side request forgery and possible account linking when trustEmailVerified: true is configured. This issue is fixed in version 1.6.11.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/15/2026

The vulnerability in Better Auth's @better-auth/sso plugin represents a critical server-side request forgery weakness that enables attackers to manipulate OIDC configuration endpoints through insecure input handling. This flaw specifically affects versions prior to 1.6.11 where the ssoProvider row stores attacker-controlled URLs without proper origin validation, creating a pathway for malicious actors to redirect authentication flows to arbitrary endpoints. The vulnerability manifests in two primary endpoints: POST /sso/register and POST /sso/update-provider, which accept unvalidated OIDC configuration parameters including userInfoEndpoint, tokenEndpoint, and jwksEndpoint when skipDiscovery is enabled. This design flaw directly aligns with CWE-918, which addresses server-side request forgery vulnerabilities where applications fetch resources based on user-controllable input without proper validation.

The operational impact of this vulnerability extends beyond simple request redirection to potentially enable account takeover through trust-based email verification mechanisms. When the trustEmailVerified: true configuration is present, attackers can leverage the SSRF capability to manipulate authentication flows and link unauthorized accounts to legitimate email addresses. This creates a significant risk for systems that rely on email verification as a security control, since the malicious actor could potentially register or update SSO providers with endpoints that return forged user information, thereby bypassing normal authentication boundaries. The vulnerability operates at the intersection of multiple attack vectors including OIDC protocol manipulation and credential compromise, making it particularly dangerous in environments where single sign-on is heavily utilized.

The technical exploitation requires an attacker to first gain access to a valid session or API endpoint within the Better Auth system, then craft malicious requests that specify arbitrary endpoints for OIDC configuration parameters. Once stored without validation, these endpoints are fetched during subsequent OIDC callbacks, allowing attackers to control the entire authentication flow. This vulnerability demonstrates poor input sanitization practices and inadequate security controls around external endpoint configuration, particularly in SSO implementations where trust relationships are established. The fix implemented in version 1.6.11 addresses this by introducing proper origin validation for OIDC endpoints, ensuring that configured URLs originate from trusted sources before being stored or used in authentication flows. This remediation aligns with ATT&CK technique T1566.002 which covers server-side request forgery, and follows established security principles of input validation and trust boundary enforcement to prevent unauthorized access to external resources through application interfaces.

Responsible

GitHub M

Reservation

06/09/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!