CVE-2026-41427
OAuth 2.1 Provider: Unprivileged users can register OAuth clients
Description
### Am I affected?

You're affected if all of the following are true:

- Using @better-auth/oauth-provider at the version specified below
- You configured clientPrivileges in the plugin options expecting it to gate who can create OAuth clients
- The /oauth2/create-client or /admin/oauth2/create-client endpoints are reachable by authenticated users you don't fully trust

If clientPrivileges is not configured, this bug has no security consequence for your deployment.

---

### Summary

The clientPrivileges option documents a create action, but the OAuth client creation endpoints did not invoke the hook before persisting new clients. Deployments that configured clientPrivileges to restrict client registration were not actually restricted — any authenticated user could reach the create endpoints and register an OAuth client with attacker-chosen redirect URIs and metadata.

Non-create operations (read, list, update, delete, rotate) enforced the hook correctly. Only the create path was missing the check.

### Impact

- Unauthorized registration of OAuth clients by any authenticated user, under deployments that expected clientPrivileges to block them.
- Attacker-controlled redirect_uris on those clients enable phishing flows that present as registered first-party applications.
- If the SERVER_ONLY admin creation endpoint is also exposed to low-privilege users (a separate deployment misconfiguration), additional sensitive fields including `skip_consent` become writable.

### Patches

Fixed in `@better-auth/[email protected]`

Both create endpoints now call the clientPrivileges hook with action "create" before persisting the client record.

### Workarounds

If you cannot upgrade immediately:

- Block the /oauth2/create-client and /admin/oauth2/create-client routes at your reverse proxy or middleware layer for any user who should not be able to register clients.
- Do not expose the admin creation endpoint (it is SERVER_ONLY by design and should not be reachable by end-user sessions).
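The missing check described in the Summary, modelled as an added example (not better-auth's own code): a create-client handler that persists without consulting the hook beside the patched shape that calls clientPrivileges with action "create" first, plus the route-blocking workaround. The hook signature, session shape, client fields and route handling below are assumptions for illustration, not the plugin's real API.

```typescript
// Added example modelling the advisory's bug; the types and hook shape
// here are assumptions, not @better-auth/oauth-provider's real API.
type Action = "create" | "read" | "list" | "update" | "delete" | "rotate";
interface Session { userId: string; role: "admin" | "user" }
interface ClientInput { client_name: string; redirect_uris: string[]; skip_consent?: boolean }
interface StoredClient extends ClientInput { client_id: string; owner: string }

// Hypothetical shape of the clientPrivileges option: return false to deny.
type ClientPrivilegesHook = (ctx: { action: Action; session: Session }) => boolean;

const clientStore: StoredClient[] = [];   // constructed in-memory stand-in for the DB
let nextId = 1;

// Operator-configured hook, as the advisory describes: only admins may create.
const clientPrivileges: ClientPrivilegesHook = ({ action, session }) =>
  action === "create" ? session.role === "admin" : true;

// Vulnerable shape: the create path persists the client without ever
// invoking the hook, so the operator's restriction is silently bypassed.
function createClientVulnerable(session: Session, input: ClientInput): StoredClient {
  const client: StoredClient = { ...input, client_id: `c${nextId++}`, owner: session.userId };
  clientStore.push(client);
  return client;
}

// Patched shape: the hook gates action "create" before anything is persisted.
function createClientPatched(session: Session, input: ClientInput): StoredClient {
  if (!clientPrivileges({ action: "create", session })) {
    throw new Error("forbidden: clientPrivileges denied action 'create'");
  }
  const client: StoredClient = { ...input, client_id: `c${nextId++}`, owner: session.userId };
  clientStore.push(client);
  return client;
}

// Workaround from the advisory: deny the two create routes at a middleware
// layer for anyone who should not register clients (here: non-admins).
const CREATE_ROUTES = new Set(["/oauth2/create-client", "/admin/oauth2/create-client"]);
function blockCreateRoutes(path: string, session: Session): number {
  if (CREATE_ROUTES.has(path) && session.role !== "admin") return 403;
  return 200;
}

function storedClientCount(): number { return clientStore.length; }
```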
How to fix CVE-2026-41427
To fix CVE-2026-41427, upgrade the affected package to the patched version listed below.
- — Upgrade to 1.6.5 or later
Is CVE-2026-41427 being exploited?
Low: EPSS is 0.0%, and no large-scale exploitation activity has been observed so far.