Intel

AIKIDO-2026-95917

@better-auth/sso is vulnerable to Improper Authentication

Improper AuthenticationGHSA-prpr-5gj3-qqhg Published Jun 30, 2026

81

High Risk

This Affects:

JS@better-auth/sso
0.0.1 - 1.6.20
Fixed in 1.6.21
Are you affected? Scan for Free

TL;DR

The @better-auth/sso plugin contains several flaws that each let an SSO sign-in be trusted for an identity it should not represent, when users can self-register providers and implicit account linking is enabled. Domain verification proves one hostname but trusts a comma- or URL-embedded second hostname at sign-in, deleting a provider leaves its linked accounts behind so a freed provider id can be re-registered to assert a victim's identifier, SAML assertions are accepted without validating the audience, recipient, or destination that bind them to this service provider, and the SAML single-logout endpoint builds an auto-submitting form whose action scheme is unchecked so a javascript: location runs script in the auth origin. Together these let an attacker obtain a session as another user, including organization owners or admins, and in the logout case execute reflected script. The fix requires DNS proof for every listed hostname, removes linked accounts on provider deletion, validates the SAML assertion audience, and restricts the logout form action to http and https URLs.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you let users register SSO providers themselves with implicit account linking enabled.

Background info

@better-auth/sso is vulnerable to Improper Authentication in versions 0.0.1 - 1.6.20.

How to fix this

Upgrade the @better-auth/sso library to the patch version.