CVE-2026-53513

better-auth · better-auth

The better-auth SSO plugin fails to validate OIDC configuration URLs, allowing authenticated users to perform server-side request forgery and potentially achieve account linking.

Executive summary

An input validation flaw in the better-auth SSO plugin allows authenticated attackers to perform server-side request forgery and manipulate account linking configurations.

Vulnerability

The @better-auth/sso plugin fails to perform origin validation on OIDC configuration endpoints when skipDiscovery is enabled. This allows an authenticated user to provide malicious URLs for token and JWKS endpoints, leading to server-side request forgery (SSRF) and potential account takeover via unauthorized account linking.

Business impact

An attacker can leverage this vulnerability to perform SSRF attacks, potentially accessing internal network resources, or bypass identity verification to link malicious accounts. Given the CVSS score of 9.6, the potential for account takeover and internal network probing presents a severe risk to organizational identity and access management security.

Remediation

Immediate Action: Update the better-auth library and the @better-auth/sso plugin to version 1.6.11 or later.

Proactive Monitoring: Inspect application logs for unusual OIDC callback traffic or unexpected external network requests originating from the authentication server.

Compensating Controls: Ensure strict firewall policies are in place to restrict the application server from initiating outbound connections to unauthorized internal or external endpoints.

Exploitation status

Public Exploit Available: No confirmed public exploit (weaponized or GitHub PoC) is available.

Analyst recommendation

Organizations using the better-auth SSO plugin must prioritize updating to version 1.6.11. This update introduces necessary validation checks that prevent the SSRF and account linking risks associated with improper OIDC configuration handling.