Authentication and Authorization Library Vulnerability in Better Auth
CVE-2026-53516
8.3HIGH
What is CVE-2026-53516?
The Better Auth library, used for authentication in TypeScript applications, contains a vulnerability that allows for implicit account linking via the OAuth callback mechanism. This occurs when the OAuth provider asserts an email as verified without ensuring that the local user's email verification status aligns. As a result, attackers can pre-register an email and bind it to their account, exploiting the linking process. Other verification parameters like one-tap and email verification settings do not mitigate the risk associated with this issue. This vulnerability was addressed in version 1.6.11 of Better Auth.
Affected Version(s)
better-auth < 1.6.11
