CVE-2026-53513
better-auth · better-auth
The better-auth SSO plugin fails to validate OIDC configuration URLs, allowing authenticated users to perform server-side request forgery and potentially achieve account linking.
Executive summary
An input validation flaw in the better-auth SSO plugin allows authenticated attackers to perform server-side request forgery and manipulate account linking configurations.
Vulnerability
The @better-auth/sso plugin fails to perform origin validation on OIDC configuration endpoints when skipDiscovery is enabled. This allows an authenticated user to provide malicious URLs for token and JWKS endpoints, leading to server-side request forgery (SSRF) and potential account takeover via unauthorized account linking.
Business impact
An attacker can leverage this vulnerability to perform SSRF attacks, potentially accessing internal network resources, or bypass identity verification to link malicious accounts. Given the CVSS score of 9.6, the potential for account takeover and internal network probing presents a severe risk to organizational identity and access management security.
Remediation
Immediate Action: Update the better-auth library and the @better-auth/sso plugin to version 1.6.11 or later.
Proactive Monitoring: Inspect application logs for unusual OIDC callback traffic or unexpected external network requests originating from the authentication server.
Compensating Controls: Ensure strict firewall policies are in place to restrict the application server from initiating outbound connections to unauthorized internal or external endpoints.
Exploitation status
Public Exploit Available: No confirmed public exploit (weaponized or GitHub PoC) is available.
Analyst recommendation
Organizations using the better-auth SSO plugin must prioritize updating to version 1.6.11. This update introduces necessary validation checks that prevent the SSRF and account linking risks associated with improper OIDC configuration handling.