Back to overview

CVE-2026-53514

HIGH
7.7
CVSS 3.1
Description
Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, and in 1.6.14 and later when invitation IDs can be obtained outside the invited mailbox and requireEmailVerificationOnInvitation: true is not enabled, the organization plugin's acceptInvitation, rejectInvitation, getInvitation, and listUserInvitations recipient endpoints use session.user.email and an invitation ID without sufficient verified-email ownership proof, allowing a user with an unverified session for the invited email address to accept an organization invitation after obtaining the invitation ID. This issue is fixed for the original default behavior in version 1.6.11, while 1.6.14 restored compatibility for built-in opaque invitation IDs and leaves affected configurations requiring secure options.

Metadata

CVE ID
CVE-2026-53514
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-09 17:30 UTC
Published
2026-07-15 17:30 UTC
Last updated
2026-07-15 17:30 UTC
Primary CWE
CWE-287
CWE-287: Improper Authentication
Vendor / Product
better-auth / better-auth
Sources
cve.org  ·  NVD

Severity & Metrics

7.7 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Affected products (1)
VendorProductPlatformVersions
better-auth better-auth < 1.6.11
Weakness (CWE)
CWESourceDescription
CWE-287 cna CWE-287: Improper Authentication
CWE-345 cna CWE-345: Insufficient Verification of Data Authenticity
CWE-441 cna CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')
CWE-862 cna CWE-862: Missing Authorization
CVSS scores (1)
ScoreSeverityVersionSourceVector
7.7 HIGH 3.1 cna CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
References (4)
Back to overview