PT-2026-35070 · Unknown · Better Auth

Published

2026-04-16

·

Updated

2026-04-25

·

CVE-2026-41427

CVSS v4.0

8.4

High

Vector

AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions

Better Auth versions prior to 1.6.5

Description

The OAuth client creation endpoints did not invoke the hook configured through the clientPrivileges option before persisting a new client. Deployments that relied on clientPrivileges to restrict client registration therefore had no effective restriction: any authenticated user could call the create endpoints and register an OAuth client with arbitrary redirect URIs and metadata.

Recommendations

Update to version 1.6.5. After updating, review the OAuth clients registered while an affected version was deployed for unexpected owners or redirect URIs.
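The following is an added illustration of the defect class described in this advisory, not Better Auth's own code: a create-client handler that checks the session but never consults the deployment's privilege hook, beside a hardened version that runs the hook before anything is persisted. The hook signature (session user in, boolean out), the in-memory store, the session shape and the redirect URI check are all assumptions made for the example.

```javascript
// Added example; not Better Auth's implementation. The clientPrivileges hook
// signature, store, and session shape below are assumed for illustration.

// In-memory stand-in for the OAuth client table.
function makeStore() {
  return { clients: [] };
}

// Deployment configuration. The assumed clientPrivileges hook receives the
// session user and returns true when that user may register a client.
const deploymentOptions = {
  clientPrivileges: (user) => user.role === "admin",
};

// Minimal redirect URI sanity check: absolute http(s) URL with no fragment.
function isAcceptableRedirect(uri) {
  let parsed;
  try {
    parsed = new URL(uri);
  } catch {
    return false;
  }
  const schemeOk = parsed.protocol === "https:" || parsed.protocol === "http:";
  return schemeOk && parsed.hash === "";
}

// Writes the client record. Both handlers share this so the only difference
// between them is what happens before the write.
function persistClient(store, session, body) {
  const client = {
    id: "client_" + (store.clients.length + 1),
    owner: session.user.id,
    name: body.name,
    redirectURLs: body.redirectURLs,
  };
  store.clients.push(client);
  return client;
}

// Vulnerable form: authentication only. The configured hook is never called,
// so any logged-in user registers a client with whatever redirect URIs they like.
function createClientVulnerable(opts, store, session, body) {
  if (!session) return { status: 401 };
  return { status: 200, client: persistClient(store, session, body) };
}

// Hardened form: the hook runs before the write. A non-true result or a throw
// denies the request; a missing hook keeps the "any authenticated user" default.
// Redirect URIs are validated as an additional, independent check.
function createClientFixed(opts, store, session, body) {
  if (!session) return { status: 401 };
  if (typeof opts.clientPrivileges === "function") {
    let allowed = false;
    try {
      allowed = opts.clientPrivileges(session.user) === true;
    } catch {
      allowed = false;
    }
    if (!allowed) return { status: 403 };
  }
  const uris = Array.isArray(body.redirectURLs) ? body.redirectURLs : [];
  if (uris.length === 0 || !uris.every(isAcceptableRedirect)) {
    return { status: 400 };
  }
  return { status: 200, client: persistClient(store, session, body) };
}
```

The ordering in createClientFixed is the point of the advisory: the authorization decision has to precede persistence, and a hook that throws must be treated as a denial rather than as "not configured". The redirect URI validation is belt-and-braces; it does not replace the privilege check, because a privileged attacker-controlled client with a well-formed redirect URI is still an unwanted client.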

Fix

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2026-41427
GHSA-XR8F-H2GW-9XH6

Affected Products

Better Auth