
CVE

CVE-2026-41427

OAuth 2.1 Provider: Unprivileged users can register OAuth clients

Am I affected?

You're affected if all of the following are true:

• You use @better-auth/oauth-provider at one of the versions listed below
• You configured clientPrivileges in the plugin options expecting it to gate who can create OAuth clients
• The /oauth2/create-client or /admin/oauth2/create-client endpoints are reachable by authenticated users you don't fully trust

If clientPrivileges is not configured, this bug has no security consequence for your deployment.

---

Summary

The clientPrivileges option documents a create action, but the OAuth client creation endpoints did not invoke the hook before persisting new clients. Deployments that configured clientPrivileges to restrict client registration were not actually restricted: any authenticated user could reach the create endpoints and register an OAuth client with attacker-chosen redirect URIs and metadata.

Non-create operations (read, list, update, delete, rotate) enforced the hook correctly. Only the create path was missing the check.

Impact

• Unauthorized registration of OAuth clients by any authenticated user, in deployments that expected clientPrivileges to block them.
• Attacker-controlled redirect_uris on those clients enable phishing flows that present as registered first-party applications.
• If the SERVER_ONLY admin creation endpoint is also exposed to low-privilege users (a separate deployment misconfiguration), additional sensitive fields including skip_consent become writable.

Patches

Fixed in @better-auth/oauth-provider@1.6.5. Both create endpoints now call the clientPrivileges hook with action "create" before persisting the client record.

Workarounds

If you cannot upgrade immediately:

• Block the /oauth2/create-client and /admin/oauth2/create-client routes at your reverse proxy or middleware layer for any user who should not be able to register clients.
• Do not expose the admin creation endpoint (it is SERVER_ONLY by design and should not be reachable by end-user sessions).
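The defect described in the Summary, the fix described under Patches, and the route-level workaround above, modelled in one added example. This is illustration code, not better-auth's implementation: the Session, ClientRecord and ClientPrivilegesHook shapes, the store array and the function names are all assumptions, and the sample redirect URIs are constructed.

```typescript
// Added illustration (not better-auth's code): a minimal model of the OAuth client
// creation path, showing the missing clientPrivileges gate, the patched path, a
// route guard of the kind the workaround describes, and a post-upgrade audit.
// All type and function names here are assumptions.
type Session = { userId: string; role: "admin" | "user" };
type Action = "create" | "read" | "list" | "update" | "delete" | "rotate";
type ClientRecord = { clientId: string; ownerId: string; redirectUris: string[] };

// Assumed hook shape: returns true when the session may perform the action.
type ClientPrivilegesHook = (args: { session: Session; action: Action }) => boolean;

// Deployment policy: only admins may register clients; other actions are unrestricted here.
const clientPrivileges: ClientPrivilegesHook = ({ session, action }) =>
  action === "create" ? session.role === "admin" : true;

// Unpatched create path, mirroring the reported defect: the hook is never consulted,
// so any authenticated session persists a client with caller-chosen redirect URIs.
function createClientUnpatched(store: ClientRecord[], session: Session, redirectUris: string[]): ClientRecord {
  const rec: ClientRecord = { clientId: `client-${store.length + 1}`, ownerId: session.userId, redirectUris };
  store.push(rec);
  return rec;
}

// Patched create path: consult the hook with action "create" before anything is persisted.
function createClientPatched(
  store: ClientRecord[], session: Session, redirectUris: string[],
  hook: ClientPrivilegesHook = clientPrivileges,
): ClientRecord {
  if (!hook({ session, action: "create" })) {
    throw new Error("forbidden: clientPrivileges denied action 'create'");
  }
  return createClientUnpatched(store, session, redirectUris);
}

// Workaround-style guard for a proxy or middleware layer: deny the two create routes
// to any session the same policy would not allow to register clients.
const CREATE_ROUTES = ["/oauth2/create-client", "/admin/oauth2/create-client"];
function allowRoute(path: string, session: Session): boolean {
  if (!CREATE_ROUTES.includes(path)) return true;
  return clientPrivileges({ session, action: "create" });
}

// Post-upgrade audit: existing clients whose owner the policy would not have allowed
// to create them (candidates registered while the create path was unguarded).
function suspectClients(store: ClientRecord[], sessions: Record<string, Session>): ClientRecord[] {
  return store.filter((c) => {
    const s = sessions[c.ownerId];
    return !s || !clientPrivileges({ session: s, action: "create" });
  });
}
```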


CVSS

Base Score: 7.1
CVSS Version: 4.0
Score Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X


References

• https://github.com/better-auth/better-auth/security/advisories/GHSA-xr8f-h2gw-9xh6
• https://nvd.nist.gov/vuln/detail/CVE-2026-41427
• https://github.com/better-auth/better-auth

Severity

6.5

Basic Information

Base CVSS: 6.5
EPSS Probability: 0.00048%
EPSS Percentile: 0.15325%
Introduced Version: 1.4.8-beta.7, 1.7.0-beta.0
Fix Available: 1.6.5
