Authentication Flaw in Better Auth Library for TypeScript
CVE-2026-41427

7.1 HIGH

Key Information:

Vendor
CVE Published:
24 April 2026

What is CVE-2026-41427?

Better Auth, an authentication library for TypeScript, shipped an authorization bypass in its OAuth provider functionality prior to version 1.6.5. The library exposes a clientPrivileges configuration that is meant to restrict which users may register OAuth clients, but the client creation endpoints created and stored new client records without first invoking the hooks that enforce it. Any authenticated user could therefore register OAuth clients regardless of the configured restrictions, including clients whose redirect URIs and other metadata are entirely attacker-chosen. The CVSS vector reflects this as an integrity-only impact: no data is disclosed directly, but the application's registry of trusted OAuth clients can be polluted by low-privilege accounts. The issue is fixed in version 1.6.5; deployments that ran an affected version should also review OAuth client records created by non-privileged users, since upgrading does not remove clients that were registered while the check was missing.
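The following is an added illustration of the bug class described above, written for this page; it is not Better Auth's code and does not use its API. The names (ClientStore, clientPrivileges, registerClientVulnerable, registerClientFixed, validateRedirectUri) and the redirect-URI policy are hypothetical stand-ins for the pattern: the vulnerable handler persists a client without consulting the privilege hook, while the fixed handler runs the hook and validates the submitted metadata before anything is stored.

```typescript
// Added example for CVE-2026-41427's bug class. Not Better Auth's code: every
// name below is a hypothetical stand-in for the pattern the advisory describes.

type Role = "admin" | "user";
type User = { id: string; role: Role };
type ClientRequest = { name: string; redirectUris: string[] };
type OAuthClient = ClientRequest & { clientId: string; ownerId: string };

// The hook a "client privileges" configuration is supposed to enforce before a
// client is created and persisted. Example policy: only admins may register.
const clientPrivileges = {
  canRegisterClient: (user: User): boolean => user.role === "admin",
};

// In-memory stand-in for the OAuth client table.
class ClientStore {
  private readonly clients: OAuthClient[] = [];
  save(client: OAuthClient): void { this.clients.push(client); }
  count(): number { return this.clients.length; }
  byOwner(ownerId: string): OAuthClient[] {
    return this.clients.filter((c) => c.ownerId === ownerId);
  }
}

function buildClient(store: ClientStore, user: User, req: ClientRequest): OAuthClient {
  return { clientId: `client_${store.count() + 1}`, ownerId: user.id, ...req };
}

// VULNERABLE pattern: the endpoint creates and stores the client without ever
// calling clientPrivileges, so any authenticated caller can register a client
// with attacker-chosen redirect URIs and metadata.
function registerClientVulnerable(store: ClientStore, user: User, req: ClientRequest): OAuthClient {
  const client = buildClient(store, user, req);
  store.save(client);
  return client;
}

function parseAbsoluteUrl(uri: string): URL | null {
  try { return new URL(uri); } catch { return null; }
}

// Example redirect-URI policy (not the library's): no wildcards, absolute URL,
// https (or http only on localhost), no fragment. Returns null when acceptable.
function validateRedirectUri(uri: string): string | null {
  if (uri.includes("*")) return "wildcards not allowed";
  const parsed = parseAbsoluteUrl(uri);
  if (parsed === null) return "not an absolute URL";
  const localhost = parsed.protocol === "http:" &&
    (parsed.hostname === "localhost" || parsed.hostname === "127.0.0.1");
  if (parsed.protocol !== "https:" && !localhost) return "scheme must be https";
  if (parsed.hash !== "") return "fragment not allowed";
  return null;
}

// FIXED pattern: the privilege hook runs first and nothing is built or stored
// if it denies; metadata is validated before persistence as well.
function registerClientFixed(store: ClientStore, user: User, req: ClientRequest): OAuthClient {
  if (!clientPrivileges.canRegisterClient(user)) {
    throw new Error(`forbidden: ${user.id} may not register OAuth clients`);
  }
  if (req.redirectUris.length === 0) throw new Error("at least one redirect URI required");
  for (const uri of req.redirectUris) {
    const problem = validateRedirectUri(uri);
    if (problem !== null) throw new Error(`invalid redirect URI ${uri}: ${problem}`);
  }
  const client = buildClient(store, user, req);
  store.save(client);
  return client;
}

// Exercise both handlers with a constructed low-privilege user who submits an
// attacker-controlled redirect URI, then a legitimate admin registration.
function demo(): { vulnerableStored: number; fixedRejected: boolean; fixedAdminStored: number } {
  const mallory: User = { id: "u-mallory", role: "user" };
  const admin: User = { id: "u-admin", role: "admin" };
  const hostile: ClientRequest = { name: "totally-legit", redirectUris: ["https://attacker.example/cb"] };

  const vulnStore = new ClientStore();
  registerClientVulnerable(vulnStore, mallory, hostile); // succeeds: hook never consulted

  const fixedStore = new ClientStore();
  let fixedRejected = false;
  try { registerClientFixed(fixedStore, mallory, hostile); } catch { fixedRejected = true; }
  registerClientFixed(fixedStore, admin, {
    name: "dashboard", redirectUris: ["https://app.example.com/oauth/callback"],
  });

  return {
    vulnerableStored: vulnStore.byOwner(mallory.id).length,
    fixedRejected,
    fixedAdminStored: fixedStore.count(),
  };
}
```

The ordering in registerClientFixed is the point of the fix: the privilege hook is evaluated before a client object is even built, so a denied caller leaves no record behind. Metadata validation sits before persistence for the same reason; a check that runs after the store write would leave a rejected client in the table.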

Affected Version(s)

Package          Affected versions                   Unaffected versions
better-auth      >= 1.4.8-beta.7, < 1.6.5            < 1.4.8-beta.7, 1.6.5
better-auth      >= 1.7.0-beta.0, <= 1.7.0-beta.1    <= 1.7.0-beta.0, 1.7.0-beta.1
oauth-provider   >= 1.4.8-beta.7, < 1.6.5            < 1.4.8-beta.7, 1.6.5


CVSS v4

Score: 7.1
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published: 24 April 2026

  • Vulnerability reserved