PT-2026-56299 · Npm · Better Auth
Publicado
2026-07-07
·
Atualizado
2026-07-07
·
CVE-2026-53514
CVSS v3.1
7.7
Alta
| Vetor | AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N |
Am I affected?
Users are affected if all of the following are true:
- Their application uses
better-authwith theorganizationplugin (import { organization } from "better-auth/plugins/organization"). - Their application enables a sign-up surface that allows arbitrary unverified email registration. Most commonly
emailAndPassword: { enabled: true }withoutrequireEmailVerification: true. - Their application has not set
requireEmailVerificationOnInvitation: trueon theorganization()options. - Their application invitation distribution flow allows anyone other than the invited mailbox owner to obtain the
invitationId. Examples: admin UI surfacing the link, copy-paste into chat, forwarded email, mail-forwarding rules at the recipient's domain, link previews logging the URL, or a customsendInvitationEmailintegration that sends to a non-owner channel.
If their application set
emailAndPassword: { enabled: true, requireEmailVerification: true } so unverified rows cannot reach a usable session, they are not affected. Setting requireEmailVerificationOnInvitation: true closes acceptInvitation and rejectInvitation, but getInvitation and listUserInvitations remain ungated even with that flag.Fix:
- Upgrade to
better-auth@1.6.11or later. - If developers cannot upgrade their application, see workarounds below.
Summary
The organization plugin's
acceptInvitation endpoint trusts an email-string equality check as proof that the session user owns the invited address. With Better Auth's stock emailAndPassword: { enabled: true } configuration, requireEmailVerification defaults to false, so an attacker can sign up a row keyed to victim@target.example (auto-signed-in, emailVerified: false) before the legitimate owner. When an organization admin invites that address, the attacker presents the invitationId and accepts the invitation, joining the organization at the invited role.Details
The recipient gate compares
invitation.email.toLowerCase() to session.user.email.toLowerCase() and returns 403 on mismatch. The opt-in requireEmailVerificationOnInvitation flag adds an emailVerified check, but it defaults to false and only fires on acceptInvitation and rejectInvitation; getInvitation and listUserInvitations have no emailVerified gate at all.The bearer token (
invitationId) is by default 32 chars over [a-zA-Z0-9] (~190 bits), so the realistic attack vector is leakage of the invitation link rather than brute force.The fix shape defaults the
emailVerified gate to on and extends it across all four invitation endpoints (acceptInvitation, rejectInvitation, getInvitation, listUserInvitations). This is the same trust-primitive class as GHSA-g38m-r43w-p2q7 (OAuth auto-link); both ship the rule "email equality is not ownership proof; both sides must prove ownership".Patches
Fixed in
better-auth@1.6.11. All four invitation recipient endpoints (acceptInvitation, rejectInvitation, getInvitation, listUserInvitations) now require the session user's emailVerified to be true in addition to the email-string match. The requireEmailVerificationOnInvitation option default flips from false to true, so applications are secure out of the box.getInvitation and listUserInvitations use the new EMAIL VERIFICATION REQUIRED FOR INVITATION error code so the wording matches the operation; acceptInvitation and rejectInvitation keep the existing EMAIL VERIFICATION REQUIRED BEFORE ACCEPTING OR REJECTING INVITATION code. Server-side calls to listUserInvitations that pass ctx.query.email without an authenticated session continue to bypass the gate; the gate is specific to session-authenticated recipient calls.Integrators who intentionally accept invitations on unverified sessions can preserve the legacy permissive behavior with
organization({ requireEmailVerificationOnInvitation: false }). The option is marked @deprecated; the gate at each call site carries a FIXME pointing at the next-minor follow-up that drops the option and makes the check unconditional. Operators that take this opt-out should understand the takeover risk before doing so.Workarounds
If developers cannot upgrade their applications immediately:
- Set
organization({ requireEmailVerificationOnInvitation: true }). ClosesacceptInvitationandrejectInvitationagainst unverified sessions. Does not closegetInvitationorlistUserInvitations. - Set
emailAndPassword.requireEmailVerification: true(or remove email/password sign-up entirely). Closes the pre-registration step itself. - Layer middleware on the organization invitation routes that asserts
session.user.emailVerified === trueand rejects otherwise.
Impact
- Account takeover via pre-account hijacking on the org invitation surface: the attacker, holding only an unverified self-issued session and the leaked
invitationId, joins the organization as a member at the invited role. - Organization membership reach: the attacker reads invitation contents and any organization-scoped data the joined role can see, and acts as a member of the victim organization.
Credit
Reported by @widavies.
Resources
Correção
Improper Authentication
Insufficient Verification of Data Authenticity
Missing Authorization
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Better Auth