{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41427", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-20T15:32:33.814Z", "datePublished": "2026-04-24T19:23:20.161Z", "dateUpdated": "2026-04-27T13:42:23.885Z"}, "containers": {"cna": {"title": "Better Auth OAuth 2.1 Provider: Unprivileged users can register OAuth clients", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/better-auth/better-auth/security/advisories/GHSA-xr8f-h2gw-9xh6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-xr8f-h2gw-9xh6"}], "affected": [{"vendor": "better-auth", "product": "better-auth", "versions": [{"version": ">= 1.4.8-beta.7, < 1.6.5", "status": "affected"}, {"version": ">= 1.7.0-beta.0, <= 1.7.0-beta.1", "status": "affected"}]}, {"vendor": "better-auth", "product": "oauth-provider", "versions": [{"version": ">= 1.4.8-beta.7, < 1.6.5", "status": "affected"}, {"version": ">= 1.7.0-beta.0, <= 1.7.0-beta.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T19:23:20.161Z"}, "descriptions": [{"lang": "en", "value": "Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.5, the clientPrivileges option documents a create action, but the OAuth client creation endpoints did not invoke the hook before persisting new clients. Deployments that configured clientPrivileges to restrict client registration were not actually restricted \u2014 any authenticated user could reach the create endpoints and register an OAuth client with attacker-chosen redirect URIs and metadata. This vulnerability is fixed in 1.6.5."}], "source": {"advisory": "GHSA-xr8f-h2gw-9xh6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T13:42:15.023332Z", "id": "CVE-2026-41427", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T13:42:23.885Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41427", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-27T13:42:15.023332Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T13:42:19.429Z"}}], "cna": {"title": "Better Auth OAuth 2.1 Provider: Unprivileged users can register OAuth clients", "source": {"advisory": "GHSA-xr8f-h2gw-9xh6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "better-auth", "product": "better-auth", "versions": [{"status": "affected", "version": ">= 1.4.8-beta.7, < 1.6.5"}, {"status": "affected", "version": ">= 1.7.0-beta.0, <= 1.7.0-beta.1"}]}, {"vendor": "better-auth", "product": "oauth-provider", "versions": [{"status": "affected", "version": ">= 1.4.8-beta.7, < 1.6.5"}, {"status": "affected", "version": ">= 1.7.0-beta.0, <= 1.7.0-beta.1"}]}], "references": [{"url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-xr8f-h2gw-9xh6", "name": "https://github.com/better-auth/better-auth/security/advisories/GHSA-xr8f-h2gw-9xh6", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.5, the clientPrivileges option documents a create action, but the OAuth client creation endpoints did not invoke the hook before persisting new clients. Deployments that configured clientPrivileges to restrict client registration were not actually restricted \u2014 any authenticated user could reach the create endpoints and register an OAuth client with attacker-chosen redirect URIs and metadata. This vulnerability is fixed in 1.6.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T19:23:20.161Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41427", "state": "PUBLISHED", "dateUpdated": "2026-04-27T13:42:23.885Z", "dateReserved": "2026-04-20T15:32:33.814Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-24T19:23:20.161Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:better-auth:better-auth\\/oauth-provider:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "CE35ECEB-5E33-41B9-B2D1-E45759AF936E", "versionEndExcluding": "1.6.5", "versionStartIncluding": "1.4.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:better-auth:better-auth\\/oauth-provider:1.4.8:-:*:*:*:node.js:*:*", "matchCriteriaId": "6DA5C22B-C161-46D4-945E-3041EFA2376C", "vulnerable": true}, {"criteria": "cpe:2.3:a:better-auth:better-auth\\/oauth-provider:1.4.8:beta7:*:*:*:node.js:*:*", "matchCriteriaId": "823F67C9-1A4F-4491-B4F1-CE9BB49BA6EC", "vulnerable": true}, {"criteria": "cpe:2.3:a:better-auth:better-auth\\/oauth-provider:1.7.0:beta0:*:*:*:node.js:*:*", "matchCriteriaId": "69DC1E8F-2C5D-4D63-A054-B26028655FD2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.5, the clientPrivileges option documents a create action, but the OAuth client creation endpoints did not invoke the hook before persisting new clients. Deployments that configured clientPrivileges to restrict client registration were not actually restricted \u2014 any authenticated user could reach the create endpoints and register an OAuth client with attacker-chosen redirect URIs and metadata. This vulnerability is fixed in 1.6.5."}], "id": "CVE-2026-41427", "lastModified": "2026-05-13T19:36:38.053", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-24T20:16:27.390", "references": [{"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-xr8f-h2gw-9xh6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.4.8-beta.7,1.6.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.7.0-beta.0,1.7.0-beta.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "better-auth", "source": "cna", "vendor": "better-auth"}, "product": "better_auth", "vendor": "better-auth"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.4.8-beta.7,1.6.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.7.0-beta.0,1.7.0-beta.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "oauth-provider", "source": "cna", "vendor": "better-auth"}, "product": "oauth-provider", "vendor": "better-auth"}], "analysis": {"en": {"generated_at": "2026-04-28T13:34:54.140496+00:00", "value": {"mitigation_remediation": ["Upgrade the Better Auth library to version 1.6.5 or newer.", "Confirm that the clientPrivileges configuration is enabled so that OAuth client registrations are subject to the intended permission checks.", "Audit all existing OAuth client registrations for unexpected redirect URIs and remove or reconfigure any that appear malicious before deploying the update."], "summary": {"action": "Immediate Patch", "impact": "Unrestricted OAuth client registration by authenticated users"}, "threat_synthesis": {"affected_systems": "The affected product is Better Auth, an authentication and authorization library for TypeScript, including its oauth-provider module. All releases prior to 1.6.5 are affected; version 1.6.5 and later contain the fix.", "description_and_impact": "The vulnerability arises because the clientPrivileges hook\u2014intended to restrict OAuth client creation based on configured permissions\u2014is never invoked before persisting new clients. This issue represents a CWE-863 vulnerability, reflecting an authorization bypass through user-controlled input. Consequently, any authenticated user can call the create endpoints and register a client with attacker\u2011chosen redirect URLs and metadata. This allows the attacker to craft a malicious OAuth client that can harvest authorization codes, redirect users to phishing sites, or otherwise compromise the integrity of the OAuth flow.", "risk_and_exploitability": "The CVSS base score is 7.1, indicating medium to high severity, while the EPSS score is less than 1\u202f%, pointing to a low likelihood of exploitation at present. The issue is not listed in the CISA KEV catalog. The flaw can be exploited only by authenticated users who can access the OAuth client registration endpoints, which means that an internal actor or an attacker who has compromised credentials could register malicious clients. Such a client can redirect auth codes to attacker\u2011controlled endpoints, effectively hijacking user sessions or credential grants. The recommendation is to apply the library update, enforce the clientPrivileges setting, and audit existing client registrations for anomalous redirect URIs."}}}}, "created": "2026-04-28T09:17:53.182836+00:00", "updated": "2026-04-28T13:45:06.131493+00:00", "vendors": ["better-auth", "better-auth$PRODUCT$better_auth", "better-auth$PRODUCT$oauth-provider"]}