CVE-2026-41427
MEDIUM WAF: Low
CVSS 6.5
Published: 2026-04-24
CWE-863
Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.5, the clientPrivileges option documents a create action, but the OAuth client creation endpoints did not invoke the hook before persisting new clients. Deployments that configured clientPrivileges to restrict client registration were not actually restricted — any authenticated user could reach the create endpoints and register an OAuth client with attacker-chosen redirect URIs and metadata. This vulnerability is fixed in 1.6.5.
WAF Coverage Analysis
Incorrect Authorization
Low WAF Coverage
OWASP: A01:2021 Broken Access Control
Affected Software
| Vendor | Product | Version |
|---|---|---|
| better-auth | better-auth\/oauth-provider | 1.4.9 - 1.6.5 |
| better-auth | better-auth\/oauth-provider | 1.4.8 |
| better-auth | better-auth\/oauth-provider | 1.4.8 |
| better-auth | better-auth\/oauth-provider | 1.7.0 |
References
- github.com (Mitigation, Vendor Advisory)