@better-auth/scim is vulnerable to Authorization Bypass
99
Critical Risk
The @better-auth/scim plugin uses the same logical provider ID for SCIM provider configuration and account ownership, and token issuance does not reject provider IDs already used by other account providers. A low-privileged authenticated user can mint a SCIM token whose provider ID collides with an existing SSO, SAML, OIDC, OAuth, or social provider, and the SCIM routes then resolve and act on accounts the token never provisioned, including a non-organization delete that removes the global user. The same write path drops the active attribute so deactivation requests succeed while the user stays active, and lets PUT and PATCH reassign a user's email without the uniqueness check or email-verification reset the create path enforces. The fix rejects colliding provider IDs, scopes deletes to the SCIM account link, models active to an enforced disabled state with session revocation, and enforces email uniqueness and verification reset on updates.
You are affected if you are using a version that falls within the vulnerable range and you enable the SCIM plugin and allow authenticated users to generate SCIM tokens.
@better-auth/scim is vulnerable to Authorization Bypass in versions 1.4.0 - 1.6.21.
Upgrade the @better-auth/scim library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant