PT-2026-56298 · Npm · @Better-Auth/Sso

Published

2026-07-07

·

Updated

2026-07-08

·

CVE-2026-53513

CVSS v3.1

9.6

Critical

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions @better-auth/sso versions 0.1.0 through 1.6.10 @better-auth/sso versions 1.7.0-beta.x
Description An SSRF flaw exists in the provider registration flow where OpenID Connect (OIDC) endpoint URLs are accepted without proper validation. When skipDiscovery is set to true, the POST /sso/register and POST /sso/update-provider endpoints allow the persistence of attacker-controlled URLs in the oidcConfig.userInfoEndpoint, tokenEndpoint, and jwksEndpoint variables. The server subsequently issues outbound HTTP requests to these URLs during the OIDC callback, reflecting the response body through the user profile. This allows an authenticated user to perform non-blind SSRF to probe internal networks, access cloud metadata services, or reach internal APIs.
If the trustEmailVerified variable is set to true, an attacker can escalate this to account takeover by providing a malicious userInfo response with emailVerified: true and a chosen email, triggering an OAuth auto-link to a pre-existing user account.
Recommendations Upgrade @better-auth/sso to version 1.6.11 or later. As a temporary workaround, disable provider self-registration by setting sso({ providersLimit: 0 }). As a temporary workaround, block POST /sso/register and POST /sso/update-provider at the reverse-proxy level or restrict access to a small list of admin users. As a temporary workaround, implement network-level egress controls to block requests to RFC 1918, RFC 4193, and link-local ranges, including the cloud-metadata FQDN list. As a temporary workaround, set trustEmailVerified to false to prevent account takeover escalation.

Fix

Insufficient Verification of Data Authenticity

RCE

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-53513
GHSA-5RR4-8452-HF4V

Affected Products

@Better-Auth/Sso