Intel

AIKIDO-2026-624335

@better-auth/stripe is vulnerable to Authorization Bypass

Authorization BypassGHSA-h3rm-78g3-j7cp Published Jun 30, 2026

71

High Risk

This Affects:

JS@better-auth/stripe
1.4.11 - 1.6.20
Fixed in 1.6.21
Are you affected? Scan for Free

TL;DR

The @better-auth/stripe plugin authorizes organization subscription actions against the organization id in the request query string but then runs the action against the caller's active organization from their session. When subscriptions and organization subscriptions are enabled with an authorizeReference callback, a member can place an organization they may manage in the query string to pass the check while the handler acts on a different organization they belong to. This lets cancel, change-plan, restore, and billing-portal actions run against the wrong organization and exposes another organization's billing details such as payment methods and invoices. The fix resolves the organization id once in the middleware and passes that single value to the handler so the approved and acted-on organization always match.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you enable Stripe organization subscriptions with an authorizeReference callback.

Background info

@better-auth/stripe is vulnerable to Authorization Bypass in versions 1.4.11 - 1.6.20.

How to fix this

Upgrade the @better-auth/stripe library to the patch version.