External risk intelligence

Better Auth SSO Plugin Server-Side Request Forgery and Account Linking Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.6)

CVE-2026-53513

The vulnerability exists in an authentication and authorization library used to build web applications. These applications typically expose registration and SSO endpoints to the public internet to facilitate user access, making the affected functionality a common part of an internet-facing web service.

Server-Side Request Forgery

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability has been identified in the @better-auth/sso plugin, an authentication and authorization library. This flaw could allow an attacker to redirect requests to malicious endpoints, potentially leading to unauthorized account access or linking if certain configurations are in place. The main concern is to confirm if this specific library is in use and if the vulnerable configuration exists within your environment.

  • Authentication library flaw can redirect user requests.
  • Matters if you use this library for user logins.
  • Confirm usage and configuration for any risk.

Attack Path

How an attacker could exploit the issue

An attacker with low-privileged access could exploit this vulnerability by manipulating specific configuration URLs within the SSO registration or update process. When discovery is skipped, these URLs are stored without validation and later fetched, potentially allowing the attacker to redirect requests to internal or external services and gain unauthorized account linking.

  • Requires authenticated access.
  • Triggers by submitting crafted SSO configuration.
  • Risk of server-side request forgery.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to manipulate authentication settings, potentially leading to unauthorized account linking or server-side request forgery when certain configurations are enabled. This could expose sensitive system information or allow unauthorized access to services.

  • System authentication data could be at risk.
  • Improperly validated URLs could be exploited.
  • Unauthorized account linking may occur.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability impacts the @better-auth/sso plugin within the Better Auth library. Application owners or platform teams responsible for the identity and access management components should investigate. The first step is to identify all instances of the affected library, assess their exposure and business criticality, and then plan remediation efforts, potentially involving coordination with the library vendor.

  • Identify application owners and impacted systems.
  • Verify SSO endpoint configurations and reachability.
  • Plan vendor coordination and remediation.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Better Auth and how is it used?

Better Auth is a specialized library for TypeScript applications that handles core security functions like user authentication and authorization. Developers integrate it into their web services to manage user identities, login processes, and Single Sign-On (SSO) capabilities. It simplifies the complex task of building secure sign-in flows by providing pre-built modules for managing sessions, passwords, and external identity provider connections within the application framework.

What does CWE-918 mean for CVE-2026-53513?

CWE-918 refers to Server-Side Request Forgery (SSRF). In the context of this CVE, it means the application can be tricked into making unintended network requests. Because the library fails to validate specific configuration URLs, an attacker can force the server to contact arbitrary destinations. This is particularly dangerous here because the server may treat the responses from those forged requests as trusted data, potentially impacting the integrity of the authentication process.

When can an attacker trigger this vulnerability?

An attacker can trigger this issue when the library is configured with skipDiscovery set to true, which bypasses automatic endpoint verification. By submitting crafted URLs for identity endpoints during SSO registration or provider updates, the attacker forces the system to store and eventually fetch data from these malicious locations. It is important to note that if skipDiscovery is false, the application automatically discovers endpoints, which prevents this specific path of exploitation.

Do I need to worry if my SSO endpoints are private?

Yes, you should evaluate your risk regardless of endpoint visibility. Halo Surface Signal notes that since this library is used to build web applications, the affected registration and SSO endpoints are frequently exposed to the public internet to enable user access. Even if your internal infrastructure is segmented, a successful SSRF attack allows the server to act as a proxy, potentially reaching internal services that are not meant to be accessed from the outside.

How should I respond to this vulnerability?

Your first step is to audit your project dependencies to confirm if you are using the @better-auth/sso plugin and check if you are running a version prior to 1.6.11. If you find the library is in use, verify whether your SSO configuration utilizes the skipDiscovery: true setting. If this configuration is active, prioritize updating the library to version 1.6.11 or later, as this release includes the necessary validation logic to prevent unauthorized URL processing.

References