Authorization Issues in Better Auth Library Affecting TypeScript Implementations
CVE-2026-53514
7.7HIGH
What is CVE-2026-53514?
The Better Auth library for TypeScript has a vulnerability that allows an attacker with an unverified session to exploit organization invitation endpoints. Specifically, when the invitation ID can be acquired without adequate email verification, the endpoints for accepting, rejecting, listing, and retrieving invitations do not enforce sufficient ownership checks. This could enable unauthorized users to gain access to organization invitations. The issue was addressed in version 1.6.11, which restores the default secure behavior, while version 1.6.14 introduces support for opaque invitation IDs but retains configurations that may require additional security measures.
Affected Version(s)
better-auth < 1.6.11
