Advisory Database
  • Advisories
  • Dependency Scanning
  1. npm
  2. ›
  3. @better-auth/sso
  4. ›
  5. CVE-2026-53513

CVE-2026-53513: @better-auth/sso provider registration has server-side request forgery via unvalidated OIDC endpoints

July 7, 2026

The @better-auth/sso plugin’s POST /sso/register endpoint accepts attacker-controlled oidcConfig.userInfoEndpoint, tokenEndpoint, and jwksEndpoint URLs when skipDiscovery: true is set, persists them on the ssoProvider row without origin validation, then issues server-side fetches to those URLs during the OIDC callback. The fetched response body is reflected through the user profile, producing a non-blind SSRF reachable by any authenticated session. The same primitive exists on POST /sso/update-provider.

References

  • github.com/advisories/GHSA-5rr4-8452-hf4v
  • github.com/better-auth/better-auth/releases/tag/v1.6.11
  • github.com/better-auth/better-auth/security/advisories/GHSA-5rr4-8452-hf4v
  • nvd.nist.gov/vuln/detail/CVE-2026-53513

Code Behaviors & Features

Detect and mitigate CVE-2026-53513 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions starting from 0.1.0 before 1.6.11

Fixed versions

  • 1.6.11

Solution

Upgrade to version 1.6.11 or above.

Impact 9.6 CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Learn more about CVSS

Weakness

  • CWE-20: Improper Input Validation
  • CWE-345: Insufficient Verification of Data Authenticity
  • CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')
  • CWE-918: Server-Side Request Forgery (SSRF)

Source file

npm/@better-auth/sso/CVE-2026-53513.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Wed, 08 Jul 2026 00:17:25 +0000.