Authorization Issues in Better Auth Library Affecting TypeScript Implementations
CVE-2026-53514

7.7HIGH

Key Information:

Vendor
CVE Published:
15 July 2026

What is CVE-2026-53514?

The Better Auth library for TypeScript has a vulnerability that allows an attacker with an unverified session to exploit organization invitation endpoints. Specifically, when the invitation ID can be acquired without adequate email verification, the endpoints for accepting, rejecting, listing, and retrieving invitations do not enforce sufficient ownership checks. This could enable unauthorized users to gain access to organization invitations. The issue was addressed in version 1.6.11, which restores the default secure behavior, while version 1.6.14 introduces support for opaque invitation IDs but retains configurations that may require additional security measures.

Affected Version(s)

better-auth < 1.6.11

References

CVSS V3.1

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.