CVE-2026-53516 in Better Auth
Summary
by MITRE • 07/15/2026
Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, Better Auth's OAuth callback auto-link gate in handleOAuthUserInfo accepts implicit account linking when the OAuth provider asserts email_verified: true without requiring the local user row's emailVerified field to also be true, allowing an attacker who pre-registers a victim email through /sign-up/email to bind the victim's OAuth identity to the attacker's account. The same primitive affects one-tap, and emailAndPassword.requireEmailVerification: true does not mitigate the link-time verification change. This issue is fixed in version 1.6.11.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/15/2026
This vulnerability exists within Better Auth library versions prior to 1.6.11 and represents a critical account takeover risk through improper authentication flow handling. The flaw occurs in the OAuth callback auto-link gate functionality where the system accepts implicit account linking when an OAuth provider explicitly states email_verified: true without enforcing that the corresponding local user account also has its emailVerified field set to true. This creates a dangerous condition where attackers can exploit the system's trust in OAuth providers' verification claims while bypassing local account verification requirements.
The vulnerability stems from a fundamental flaw in the authentication flow logic where the system fails to maintain consistent verification states between external OAuth providers and internal user accounts. When an attacker pre-registers a victim's email address through the /sign-up/email endpoint, they can then use that email to authenticate via OAuth and bind the victim's OAuth identity to their own account. This represents a classic case of insufficient verification state checking that violates security principle of least privilege and proper access control enforcement.
The operational impact of this vulnerability is severe as it enables attackers to hijack accounts through social engineering or pre-registration attacks without requiring knowledge of passwords or other authentication factors. The issue affects both one-tap functionality and standard email/password authentication flows, making it particularly dangerous because it can be exploited across multiple authentication pathways within the same system. Even when developers configure emailAndPassword.requireEmailVerification: true, the vulnerability persists because the fix does not address the core linking logic that bypasses local verification requirements.
This vulnerability aligns with CWE-287 (Improper Authentication) and CWE-305 (Authentication Bypass Through User Enumeration) while also demonstrating characteristics of ATT&CK technique T1078.004 (Valid Accounts: Cloud Accounts) where attackers can leverage legitimate authentication flows to gain unauthorized access to victim accounts. The flaw essentially allows attackers to perform account takeover by exploiting the trust relationship between OAuth providers and local authentication systems, creating a bypass for email verification requirements that should normally prevent such account linking scenarios.
The mitigation strategy requires updating to Better Auth version 1.6.11 which addresses the core issue by enforcing consistent verification state checking during account linking operations. Organizations using older versions must implement immediate workarounds such as disabling auto-linking functionality, implementing additional verification checks, or manually reviewing account associations to prevent unauthorized linking of accounts. Security teams should also monitor for suspicious account creation patterns and implement proper logging of authentication events to detect potential exploitation attempts. The fix ensures that local email verification states are properly enforced before allowing OAuth account linking operations, thereby preventing attackers from exploiting the trust relationship between external providers and internal user accounts.