CVE-2026-53514 in Better Authinfo

Summary

by MITRE • 07/15/2026

Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, and in 1.6.14 and later when invitation IDs can be obtained outside the invited mailbox and requireEmailVerificationOnInvitation: true is not enabled, the organization plugin's acceptInvitation, rejectInvitation, getInvitation, and listUserInvitations recipient endpoints use session.user.email and an invitation ID without sufficient verified-email ownership proof, allowing a user with an unverified session for the invited email address to accept an organization invitation after obtaining the invitation ID. This issue is fixed for the original default behavior in version 1.6.11, while 1.6.14 restored compatibility for built-in opaque invitation IDs and leaves affected configurations requiring secure options.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/15/2026

This vulnerability exists within the Better Auth authentication and authorization library for TypeScript, specifically affecting versions prior to 1.6.11 and versions 1.6.14 and later when certain configuration parameters are not properly set. The flaw manifests in the organization plugin's invitation handling endpoints including acceptInvitation, rejectInvitation, getInvitation, and listUserInvitations. These endpoints rely on session.user.email and an invitation ID without implementing sufficient verification that the requesting user actually owns the email address associated with the invitation. The vulnerability stems from a lack of proper email ownership validation during the invitation acceptance process, creating a potential security risk where unauthorized users can exploit the system by simply obtaining a valid invitation ID.

The technical implementation of this flaw allows for privilege escalation through session hijacking or manipulation attacks. When a user obtains an invitation ID through legitimate means such as API calls or by intercepting communication between systems, they can leverage their unverified session to impersonate the invited user and accept invitations intended for others. This occurs because the system does not validate that the email address associated with the session matches the email address targeted by the invitation. The vulnerability specifically affects configurations where requireEmailVerificationOnInvitation: true is not enabled, meaning the system does not enforce mandatory email verification before allowing invitation acceptance. According to CWE-287, this represents an authentication flaw where insufficient verification of user identity allows unauthorized access to resources.

The operational impact of this vulnerability extends beyond simple privilege escalation to potentially compromise entire organizational structures within systems using Better Auth. An attacker who can obtain an invitation ID and establish a session with the corresponding email address can gain unauthorized access to organizations, projects, or other resources that would normally be restricted to legitimate invitees. This creates a pathway for data breaches, unauthorized system modifications, and potential lateral movement within network environments where such invitations control access permissions. The vulnerability affects not just individual user accounts but organizational access controls, making it particularly dangerous in enterprise environments where proper access governance is critical.

The fix implemented in version 1.6.11 addresses the core issue by restoring proper email ownership verification during invitation acceptance processes. This change ensures that when an invitation is accepted, the system validates that the session user actually owns the email address associated with the invitation before proceeding. For version 1.6.14, the library maintains backward compatibility for built-in opaque invitation IDs but acknowledges that certain configurations remain vulnerable and require additional security measures to be properly protected. Organizations should implement the recommended mitigations including enabling requireEmailVerificationOnInvitation: true in their configuration settings, ensuring proper session management, and monitoring invitation acceptance activities for suspicious patterns. The vulnerability aligns with ATT&CK technique T1078 which covers valid accounts as a means of gaining initial access, demonstrating how weak authentication controls can be exploited to bypass normal access restrictions.

Security teams should prioritize upgrading to version 1.6.11 or later while ensuring that their configuration parameters properly enforce email verification requirements for invitations. The implementation of proper email ownership proof mechanisms before invitation acceptance prevents the exploitation scenario described in this vulnerability. Organizations using affected versions should conduct thorough security assessments of their invitation-based access control systems and implement additional monitoring controls to detect unauthorized invitation acceptance attempts. The fix addresses fundamental authentication weaknesses that could otherwise allow attackers to bypass normal access controls through manipulation of session data and invitation ID acquisition, reinforcing the importance of proper email verification mechanisms in modern authentication systems as recommended by industry best practices.

Responsible

GitHub M

Reservation

06/09/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!