Intel

AIKIDO-2026-348850

@better-auth/scim is vulnerable to Authorization Bypass

Authorization BypassGHSA-rjg6-39jm-rgg4 Published Jun 30, 2026

99

Critical Risk

This Affects:

JS@better-auth/scim
1.4.0 - 1.6.21
Fixed in 1.6.22
Are you affected? Scan for Free

TL;DR

The @better-auth/scim plugin uses the same logical provider ID for SCIM provider configuration and account ownership, and token issuance does not reject provider IDs already used by other account providers. A low-privileged authenticated user can mint a SCIM token whose provider ID collides with an existing SSO, SAML, OIDC, OAuth, or social provider, and the SCIM routes then resolve and act on accounts the token never provisioned, including a non-organization delete that removes the global user. The same write path drops the active attribute so deactivation requests succeed while the user stays active, and lets PUT and PATCH reassign a user's email without the uniqueness check or email-verification reset the create path enforces. The fix rejects colliding provider IDs, scopes deletes to the SCIM account link, models active to an enforced disabled state with session revocation, and enforces email uniqueness and verification reset on updates.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you enable the SCIM plugin and allow authenticated users to generate SCIM tokens.

Background info

@better-auth/scim is vulnerable to Authorization Bypass in versions 1.4.0 - 1.6.21.

How to fix this

Upgrade the @better-auth/scim library to the patch version.