CVE-2026-41427

Published: Apr 24, 2026

Modified: Apr 27, 2026

PUBLISHED

Description

Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.5, the clientPrivileges option documents a create action, but the OAuth client creation endpoints did not invoke the hook before persisting new clients. Deployments that configured clientPrivileges to restrict client registration were not actually restricted — any authenticated user could reach the create endpoints and register an OAuth client with attacker-chosen redirect URIs and metadata. This vulnerability is fixed in 1.6.5.

Vendor	Product	Versions
better-auth	better-auth	affected `>= 1.4.8-beta.7, < 1.6.5` affected `>= 1.7.0-beta.0, <= 1.7.0-beta.1`
better-auth	oauth-provider	affected `>= 1.4.8-beta.7, < 1.6.5` affected `>= 1.7.0-beta.0, <= 1.7.0-beta.1`

Weaknesses (CWE)

CWE-863

References

https://github.com/better-auth/better-auth/security/advisories/GHSA-xr8f-h2gw-9xh6

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-41427

Description

Affected Products

Weaknesses (CWE)

References