PT-2026-35070 · Unknown · Better Auth

Published: 2026-04-24 · Updated: 2026-04-25 · CVE-2026-41427

CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: Better Auth versions prior to 1.6.5

Description: The OAuth client creation endpoints failed to invoke the hook associated with the clientPrivileges option before persisting new clients. Consequently, deployments intended to restrict client registration through clientPrivileges were ineffective, allowing any authenticated user to access the create endpoints and register an OAuth client with arbitrary redirect URIs and metadata.

Recommendations: Update to version 1.6.5.

Fix

Weakness Enumeration: Incorrect Authorization

Related Identifiers: CVE-2026-41427

Affected Products: Better Auth