CVE-2026-41427
Better Auth OAuth 2.1 Provider: Unprivileged users can register OAuth clients
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.5 (and in the 1.7.0-beta.0 and 1.7.0-beta.1 pre-releases listed under Affected Versions), the clientPrivileges option documents a create action, but the OAuth client creation endpoints did not invoke the hook before persisting new clients. Deployments that configured clientPrivileges to restrict client registration were therefore not actually restricted: any authenticated user could reach the create endpoints and register an OAuth client with attacker-chosen redirect URIs and metadata. This vulnerability is fixed in 1.6.5.
| Field | Value |
|---|---|
| CWE | CWE-863 |
| Vendor | better-auth |
| Product | better-auth |
| Published | Apr 24, 2026 |
Affected Versions
better-auth / better-auth
>= 1.4.8-beta.7, < 1.6.5
>= 1.7.0-beta.0, <= 1.7.0-beta.1
better-auth / oauth-provider
>= 1.4.8-beta.7, < 1.6.5
>= 1.7.0-beta.0, <= 1.7.0-beta.1