CVE-2026-41427 Overview
CVE-2026-41427 is an Authorization Bypass vulnerability in Better Auth, an authentication and authorization library for TypeScript. Prior to version 1.6.5, the clientPrivileges option documents a create action, but the OAuth client creation endpoints did not invoke the hook before persisting new clients. This flaw allowed any authenticated user to bypass configured client registration restrictions and register OAuth clients with attacker-chosen redirect URIs and metadata.
Critical Impact
Deployments relying on clientPrivileges to restrict OAuth client registration were completely unprotected, enabling authenticated attackers to create malicious OAuth clients with arbitrary redirect URIs for credential theft or phishing attacks.
Affected Products
- Better Auth versions prior to 1.6.5
- Applications using Better Auth's OAuth client registration functionality
- Deployments configured with clientPrivileges restrictions
Discovery Timeline
- 2026-04-24 - CVE-2026-41427 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-41427
Vulnerability Analysis
This vulnerability stems from CWE-863 (Incorrect Authorization), where the Better Auth library failed to properly enforce authorization checks during OAuth client registration. The clientPrivileges configuration option was designed to allow administrators to restrict which users could create OAuth clients, but the underlying implementation did not actually call the authorization hook before saving new client records to the database.
The impact of this vulnerability is significant for multi-tenant deployments or environments where OAuth client registration should be limited to administrators only. An attacker with basic authenticated access could leverage this flaw to register rogue OAuth clients, potentially setting up redirect URIs pointing to attacker-controlled servers to harvest authorization codes or access tokens from legitimate users.
Root Cause
The root cause is a missing authorization check in the OAuth client creation endpoint. While the clientPrivileges option was documented and accepted by the configuration parser, the create action hook was never invoked in the request handling pipeline before persisting new OAuth client records. This represents a disconnect between the documented security model and the actual implementation, leaving deployments with a false sense of security.
Attack Vector
The attack is network-based and requires low-privileged authenticated access. An attacker would:
- Authenticate to the target application using any valid user account
- Send a direct request to the OAuth client creation endpoint
- Include attacker-controlled values for redirect_uri and other client metadata
- The server persists the OAuth client without verifying authorization
- The attacker can then use the malicious client to initiate OAuth flows and redirect victims to capture tokens
The vulnerability mechanism involves the OAuth client registration endpoint bypassing the clientPrivileges authorization hook. When an authenticated user submits a request to create a new OAuth client, the server should invoke the configured clientPrivileges hook to verify the user has permission to perform the create action. However, the vulnerable implementation persists the client record directly to the database without this verification step. See the GitHub Security Advisory for additional technical details.
Detection Methods for CVE-2026-41427
Indicators of Compromise
- Unexpected OAuth client registrations in the database from non-administrative users
- OAuth clients with redirect URIs pointing to external or suspicious domains
- Authentication logs showing token grants to unrecognized client IDs
- Unusual patterns of client creation requests from standard user accounts
Detection Strategies
- Monitor OAuth client creation events and alert on registrations by non-privileged users
- Audit existing OAuth clients for redirect URIs pointing to external domains
- Review application logs for access patterns to client registration endpoints
- Implement application-level logging to track all OAuth client CRUD operations
Monitoring Recommendations
- Enable detailed logging for all OAuth-related endpoints in Better Auth
- Set up alerts for new OAuth client registrations outside of administrative workflows
- Periodically audit the OAuth client database table for unauthorized entries
- Monitor for authentication flows involving unknown or recently created client IDs
How to Mitigate CVE-2026-41427
Immediate Actions Required
- Upgrade Better Auth to version 1.6.5 or later immediately
- Audit existing OAuth clients and remove any unauthorized registrations
- Review authentication logs for evidence of exploitation
- Notify users if suspicious OAuth clients may have captured their tokens
Patch Information
The vulnerability is fixed in Better Auth version 1.6.5. The patch ensures that the clientPrivileges authorization hook is properly invoked before persisting new OAuth client records, enforcing the documented access control model. Organizations should update their dependencies to this version or later. For additional details, see the GitHub Security Advisory.
Workarounds
- Implement network-level access controls to restrict OAuth client registration endpoints to trusted IP ranges
- Add application middleware to validate user permissions before forwarding requests to client creation endpoints
- Temporarily disable OAuth client registration functionality until the patch can be applied
- Deploy a reverse proxy rule to block unauthenticated or non-admin access to the registration endpoint
# Example: Update Better Auth to patched version
npm update better-auth@1.6.5
# Verify installed version
npm list better-auth
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
